A compromised Google account can cascade into broader identity loss because it controls many reset and communication paths.
A structured recovery (secure environment, official account recovery, then persistence cleanup) prevents repeat lockout.
Account recovery sequence
- Secure your device and browser (update OS, remove suspicious extensions, run a malware scan).
- Start Google Account recovery if you cannot sign in, using the strongest channel you still control.
- Change your Google password to a unique password once you regain access.
- Sign out of other sessions and remove unknown devices.
- Revoke third-party access for unfamiliar apps and services connected to your account.
- Check Gmail for persistence (forwarding, filters, recovery email/phone changes).
- Enable strong 2FA and rebuild recovery options you actually control.
If you are doing this under stress, keep a simple log of what you changed and when. It helps you avoid circular steps and it helps if you later need to explain the timeline to support or a bank.
Key idea: most repeat compromises happen because the attacker still controls a recovery path (email, phone) or still has a session/token on a device. Recovery is not finished until you remove both.
| What you’re seeing | Likely cause | Best first move |
|---|---|---|
| Can’t sign in, password changed | Account takeover or recovery details changed | Use account recovery, then secure devices and recovery options |
| Unfamiliar sign-ins or devices | Stolen password or stolen session | Sign out, remove devices, revoke third-party access |
| Gmail sending spam / strange rules | Inbox persistence (filters/forwarding) | Remove rules and check account security |
| Phone recovery isn’t working | SIM swap or wrong number | Secure the phone number with the carrier, then rebuild recovery |
| Drive files shared or deleted | Account access abuse | Contain first, then audit sharing and activity |
Step 1: Treat your device as part of the incident
If your device or browser is compromised, you can change passwords all day and still lose the account again. Before or alongside account recovery:
- Update your operating system and browser.
- Remove unknown browser extensions and suspicious apps.
- Run a reputable malware scan.
- Avoid signing in from shared or public computers.
If you regain access and then immediately see new sign-ins, treat that as a strong signal that a device, browser, or recovery path is still compromised.
Step 2: Regain access using Google’s recovery flow
If you cannot sign in, use Google’s account recovery process (search for “Google Account recovery” or use the recovery link on the sign-in page). Use the strongest channel you still control.
- Email recovery is often strongest, if the inbox is still secure.
- Phone recovery can be weaker if you suspect SIM swapping.
- Prior trusted devices can help because Google sometimes uses device history for verification.
Slow down after failed attempts. Repeated failures can trigger more friction and delay. Keep your story consistent and do not guess at old passwords or details if you are unsure.
Verification habit: recovery periods attract phishing. See the guide on how to identify scam emails, and avoid “support” messages that push you to external links or fees.
Step 3: Contain the attacker once you regain access
Containment is what stops the attacker from coming back. Do it before you start cleaning up mail and files.
Change your password to a unique password
Do not reuse a password from another account. If weak or reused passwords are part of your history, read the guide on common password mistakes.
Sign out and remove unknown devices
Review signed-in devices and sessions and remove anything you do not recognize. The goal is to invalidate sessions that persist after a password change.
Revoke third-party access
Attackers often connect apps to maintain access through OAuth tokens. Remove anything you do not recognize. If you rely on an integration, you can re-add it later.
Check recovery email and phone number
Confirm the recovery email and recovery phone are correct and under your control. If you suspect a carrier compromise, read the guide on SIM swapping and contact your carrier to secure the line.
Decision framing: do not start with “inbox cleanup”. Start with removing access. Cleanup only matters if the attacker can’t come back five minutes later.
Step 4: Remove Gmail persistence
Once access is contained, check Gmail settings and activity for persistence mechanisms:
- Forwarding addresses you did not add
- Filters and rules that auto-archive security emails or forward them
- Delegated access or mailbox sharing you do not recognize
If your incident is primarily Gmail-related, see the guide on hacked Gmail accounts for a deeper Gmail-specific checklist.
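To make the Step 4 check repeatable, here is an added example (not part of this guide) that scans a Gmail filter export for the two persistence patterns above: filters that forward mail to an address you do not own, and filters that archive, trash or mark-as-read security-related mail. The filter XML is constructed for the example, and the list of addresses you own is an assumed input.

```python
# Added example, not from the original guide: scan a Gmail filter export
# (Settings > Filters and Blocked Addresses > Export) for the persistence
# patterns Step 4 describes. SAMPLE_XML is constructed; owned addresses are
# an assumed input.
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"
# Terms that typically appear in sign-in, reset, and security-alert mail.
SECURITY_TERMS = ("security alert", "password", "verification code",
                  "new sign-in", "accounts.google.com")
MATCH_FIELDS = ("from", "to", "subject", "hasTheWord")
HIDE_ACTIONS = ("shouldArchive", "shouldTrash", "shouldMarkAsRead")

SAMPLE_XML = """<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:apps="http://schemas.google.com/apps/2006">
  <entry><title>Mail Filter</title>
    <apps:property name="from" value="newsletter@example.org"/>
    <apps:property name="label" value="News"/></entry>
  <entry><title>Mail Filter</title>
    <apps:property name="from" value="no-reply@accounts.google.com"/>
    <apps:property name="shouldArchive" value="true"/>
    <apps:property name="shouldMarkAsRead" value="true"/></entry>
  <entry><title>Mail Filter</title>
    <apps:property name="hasTheWord" value="invoice"/>
    <apps:property name="forwardTo" value="drop@attacker.example"/></entry>
</feed>"""

def parse_filters(xml_text):
    """Return one {property name: value} dict per filter entry."""
    root = ET.fromstring(xml_text)
    return [{p.get("name"): p.get("value")
             for p in entry.findall(APPS + "property")}
            for entry in root.iter(ATOM + "entry")]

def suspicious_filters(xml_text, owned_addresses):
    """List (filter number, reason) for filters that forward mail away
    from addresses you own or that hide security-related mail."""
    owned = {a.lower() for a in owned_addresses}
    findings = []
    for n, f in enumerate(parse_filters(xml_text), 1):
        target = (f.get("forwardTo") or "").lower()
        if target and target not in owned:
            findings.append((n, "forwards to " + target))
        criteria = " ".join(f.get(k, "") for k in MATCH_FIELDS).lower()
        hides = any(f.get(k) == "true" for k in HIDE_ACTIONS)
        if hides and any(t in criteria for t in SECURITY_TERMS):
            findings.append((n, "hides security mail: " + criteria.strip()))
    return findings
```

Run it against your own export with your real addresses in the owned list; the benign newsletter filter is reported as clean, while the archive-and-read filter on account mail and the external forward are both flagged.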
Step 5: Audit high-impact Google surfaces
Attackers often look for value beyond email. After containment, review:
- Drive: unusual sharing, newly created files, or deleted files you did not delete.
- Photos: shared links or albums that expose private images.
- Payments: any unexpected purchases or billing changes.
If you find evidence of financial abuse, document it and follow your bank or card issuer’s fraud process immediately.
Step 6: Harden the account for the next year, not the next day
Hardening is what prevents the next compromise. Focus on the recovery paths and authentication methods that attackers exploit.
- Enable 2FA and choose a method you can keep long-term. See the guide on two-factor authentication (2FA).
- Rebuild recovery options so you are not relying on an old phone number or an inbox you rarely check.
- Use a password manager and stop password reuse across services.
- Review connected apps periodically and remove unused access.
If you suspect this Google compromise is part of a broader incident, start from the guide on what to do if you have been hacked and work outward across your most important accounts.
Fast path: if you are still signed in somewhere, use that foothold
If you are locked out on one device but still signed in on another (a phone, a tablet, a browser profile), treat that as your foothold. From a signed-in session you may be able to change the password, review security settings, and remove attacker access with less friction than the full recovery flow.
- Secure the device first (updates, remove suspicious apps/extensions).
- Change password from the trusted signed-in session if possible.
- Remove unknown devices and revoke third-party access.
- Fix recovery options (recovery email/phone) so the attacker cannot reset access back.
Do not delay this. If the attacker notices you are still signed in, they may try to force sign-outs by changing security settings again.
If you suspect the attacker changed recovery options
When attackers take a Google Account, a common move is to change recovery email, recovery phone, or add a second factor they control. Treat recovery options as part of the compromise surface:
- Remove any recovery email you do not recognize.
- Replace the recovery phone number if it is wrong or compromised.
- Re-check 2FA methods and remove any device or prompt you do not control.
If you are not confident about phone security, secure the carrier first and treat the number as untrusted until confirmed. That is where SIM swapping turns “phone recovery” into attacker recovery.
Strategic synthesis: your goal is not only to sign in again. Your goal is to be the only person who can reset the account next week.
What a good support packet looks like
Sometimes recovery requires additional verification steps. Your best leverage is being organized and consistent. Keep a simple packet:
- Your Google account identifier (email address) and the approximate date you lost access
- Any security alert emails and timestamps
- Known devices you used previously (for your own reference)
- Evidence of account changes (forwarding rules, recovery option changes, suspicious sign-ins)
Do not overshare sensitive information in random channels. Use official flows and keep your documentation for your own tracking.
After recovery: monitor for 7 days
Repeat compromise usually happens quickly because something was left behind. For the next week, watch for:
- New devices appearing in your signed-in devices list
- New third-party access you did not authorize
- Unexpected password reset emails
- Gmail rules reappearing (forwarding/filters)
If any of these recur, go back to containment. It is almost always persistence, not a new “hack”.
If you are blocked by 2FA
Many “hacked account” cases are actually recovery failures: you can’t complete 2FA because your phone number changed, your device was lost, or you no longer have access to the authenticator method you set up years ago.
- Do not guess. Work through recovery using the methods you can still prove.
- Rebuild your recovery posture after access returns. The long-term fix is having at least two recovery methods you actually control.
- Treat phone numbers as fragile. Carrier compromise and number changes are common. Secure the number and consider stronger methods where possible.
The goal is not maximum security in theory. It is a recovery posture you can survive in real life when devices break.
If your Google Account is used for work or shared systems
If you use Google for work, a compromise can affect shared documents, calendars, and contacts. Containment still comes first, but you should also inform the right internal person quickly (IT, security, admin). Keep the message factual: what happened, when you noticed it, and what you are doing to contain it.
If you have admin-managed accounts (a workplace domain), your organization may have additional recovery controls. Use them. A personal-account recovery approach is not always sufficient for managed environments.
If you keep getting “security alert” emails
Security alerts can be real or they can be phishing. See the guide on how to identify scam emails, and avoid clicking links in an unexpected message. A safer habit is opening your browser, navigating to your Google account security settings directly, and checking the same information there.
If alerts keep arriving after you think you recovered, treat it as persistence. Re-check devices, third-party access, and Gmail forwarding and filters.
Common questions
Why would someone hack my Google Account?
Because it is a reset key. If an attacker controls your Google Account, they can often reset other services and gain access to files, photos, and identity signals that help with scams.
How long does recovery take?
If you still control recovery channels, it can be fast. If recovery details were changed and you need verification steps, it can take longer. Your leverage is consistency and documentation, not volume.
What is the most common reason people get hacked again?
They regain access but do not remove persistence: unknown devices, third-party access, or inbox forwarding rules. The attacker comes back through the same door.
Should I create a new Google Account instead?
Sometimes people want to abandon the compromised account and start over. That can backfire if the old account is still the reset key for banks, social profiles, or device sign-ins. Recovering and securing the original account is usually the safer first move, even if you later migrate to a new account.
If you do migrate, do it deliberately: update recovery emails on your most important services, move critical data, and keep the old account secured until you are sure it no longer controls anything valuable.
Do I need to change passwords on other accounts too?
Often yes. If the attacker had access to your Gmail, they may have seen password reset links for other services. Prioritize the accounts that matter most: banking, Apple/Microsoft accounts, social accounts, and any work accounts. Use unique passwords and enable 2FA where available.
A Google recovery is a chain-management problem. Secure the device, regain access, remove persistence, then harden recovery options so the attacker cannot simply reset their way back in.
If you do it in this order, you avoid the most common loop: change the password, clean the inbox, then lose the account again because a device session or recovery email was still compromised.
Once you have a stable workflow, you can apply it across other accounts without improvising under stress. That is what makes recovery repeatable.
The real question is not whether you can sign in today. It is whether you are changing the underlying conditions that made the compromise easy in the first place.
