Wondering whether your email account has been hacked is unsettling — and unfortunately, it’s a question more people need to ask. Billions of email credentials are bought and sold on criminal marketplaces every year, often without the account owner having any idea. Here’s how to find out, and exactly what to do if the answer is yes.
How Email Accounts Get Hacked
Most email hacks don’t happen because someone guessed your password. They happen because your credentials were stolen in a data breach at another site — a retailer, a forum, a streaming service — where you used the same email and password combination. Attackers buy these credential lists in bulk and run automated tools that try them against Gmail, Outlook, and Yahoo at scale. This is called credential stuffing, and it succeeds far more often than brute-force attacks.
Other common entry points include phishing emails that trick you into entering your password on a fake login page, and malware on your device that captures keystrokes. Less commonly, attackers exploit SIM-swapping to intercept SMS verification codes sent to your phone.
Signs Your Email Has Been Hacked
Sometimes the signs are obvious. Other times an attacker will operate quietly for weeks before you notice anything. Watch for:
- Password no longer works — The attacker changed it to lock you out.
- Recovery options were changed — Your backup email or phone number has been replaced.
- Sent folder contains emails you didn’t write — Your account is being used for spam or phishing campaigns.
- Friends report receiving strange messages from you — A classic sign your account is sending spam.
- Login alerts from unfamiliar locations — Most email providers send these automatically.
- Account activity shows logins from unknown devices or cities — Check your provider’s security or activity log.
- Missing emails — Hackers sometimes delete or filter incoming messages to hide account reset notifications from other services.
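Several of these signs show up in the activity log your provider lets you export. The following added example (not code from this article) triages a small activity export that I constructed for illustration: it learns which device/city pairs you normally log in from during a baseline week, then flags later logins from anywhere new and any change to forwarding rules or recovery options. The CSV columns and event names are assumptions, not a real vendor format.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export (hypothetical format): timestamp, event, device, city.
SAMPLE_ACTIVITY = """timestamp,event,device,city
2024-05-01T08:02:00,login,Chrome on Windows,Leeds
2024-05-02T19:40:00,login,Android app,Leeds
2024-05-03T09:15:00,login,Chrome on Windows,Leeds
2024-05-10T03:12:00,login,Firefox on Linux,Lagos
2024-05-10T03:14:00,forwarding_rule_added,Firefox on Linux,Lagos
2024-05-10T03:20:00,recovery_phone_changed,Firefox on Linux,Lagos
2024-05-11T08:05:00,login,Chrome on Windows,Leeds
"""

# Setting changes worth reviewing even when they come from a known device,
# because an attacker with silent access may never log in from anywhere new.
SENSITIVE_EVENTS = {
    "forwarding_rule_added", "filter_added", "password_changed",
    "recovery_phone_changed", "recovery_email_changed",
}


def triage(activity_csv, baseline_days=7):
    """Return (timestamp, category, detail) findings a user should review."""
    rows = list(csv.DictReader(io.StringIO(activity_csv)))
    if not rows:
        return []
    for r in rows:
        r["ts"] = datetime.fromisoformat(r["timestamp"])
    rows.sort(key=lambda r: r["ts"])

    # Baseline: device/city pairs seen logging in during the first week of the export.
    cutoff = rows[0]["ts"] + timedelta(days=baseline_days)
    known = {(r["device"], r["city"]) for r in rows
             if r["event"] == "login" and r["ts"] < cutoff}

    findings = []
    for r in rows:
        origin = (r["device"], r["city"])
        if r["event"] == "login" and r["ts"] >= cutoff and origin not in known:
            findings.append((r["timestamp"], "login from new device/location",
                             f"{r['device']} in {r['city']}"))
        elif r["event"] in SENSITIVE_EVENTS:
            findings.append((r["timestamp"], "account setting changed", r["event"]))
    return findings


if __name__ == "__main__":
    for ts, category, detail in triage(SAMPLE_ACTIVITY):
        print(ts, category, detail)
```

On the sample this reports the Lagos login, the forwarding rule and the recovery-phone change, while the familiar Leeds logins stay quiet.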
How to Check if Your Email Has Been in a Data Breach
Start with HaveIBeenPwned.com — it’s free and searches your address against hundreds of known breach databases. If your email appears, it will tell you which breach exposed it and what data types were included (passwords, phone numbers, physical addresses, etc.).
For a deeper picture of your email’s overall risk profile — including breach patterns, exposure types, and a prioritized action plan — the free Email Exposure Report analyzes your address across multiple risk dimensions and tells you exactly what to address first.
Also check your email provider’s own security dashboard. Gmail has “Manage your Google Account > Security > Your devices.” Outlook has “Security > Review recent activity.”
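The breach lookup described above can be scripted against Have I Been Pwned's own API (the v3 breachedaccount endpoint, which requires an API key). This added example is mine, not code from the article or from HIBP: it fetches the breaches for an address and condenses them into the view the text describes, which breaches, which data types, and whether a password was among them so a password change comes first. The API key comes from an environment variable named here as a placeholder, and the sample response is constructed for offline use.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request

HIBP_BREACHED_ACCOUNT = "https://haveibeenpwned.com/api/v3/breachedaccount/"


def fetch_breaches(email, api_key, user_agent="email-exposure-check"):
    """Return the list of breach records for `email`, or [] if HIBP answers 404.
    Other HTTP errors (401 bad key, 429 rate limited) are raised to the caller."""
    url = HIBP_BREACHED_ACCOUNT + urllib.parse.quote(email) + "?truncateResponse=false"
    req = urllib.request.Request(
        url, headers={"hibp-api-key": api_key, "user-agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return []
        raise


def summarize(breaches):
    """Condense HIBP breach records into breaches (newest first), the union of
    exposed data classes, and whether a password was exposed anywhere."""
    exposed = set()
    names = []
    for b in sorted(breaches, key=lambda b: b["BreachDate"], reverse=True):
        names.append(f'{b["Name"]} ({b["BreachDate"]})')
        exposed.update(b.get("DataClasses", []))
    return {
        "breaches": names,
        "data_classes": sorted(exposed),
        "change_password_now": "Passwords" in exposed,
    }


# Constructed sample of what the endpoint returns (only the fields used here).
SAMPLE_RESPONSE = [
    {"Name": "ExampleForum", "BreachDate": "2019-07-02",
     "DataClasses": ["Email addresses", "Usernames"]},
    {"Name": "ExampleShop", "BreachDate": "2021-03-14",
     "DataClasses": ["Email addresses", "Passwords", "Phone numbers"]},
]

if __name__ == "__main__":
    key = os.environ.get("HIBP_API_KEY")  # placeholder name for your own key
    data = fetch_breaches("you@example.com", key) if key else SAMPLE_RESPONSE
    print(json.dumps(summarize(data), indent=2))
```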
What to Do If Your Email Has Been Hacked
Act quickly and work through these steps in order:
- Change your password immediately — Use a long, unique password (16+ characters) generated by a password manager. Don’t reuse anything.
- Verify your recovery options — Make sure your backup email and phone number are yours, not the attacker’s.
- Enable two-factor authentication (2FA) — Use an authenticator app (Google Authenticator, Authy) rather than SMS if possible.
- Check connected apps and revoke unknown access — Go to your account’s security settings and remove any third-party apps you don’t recognize.
- Scan your sent folder and alert your contacts — If spam was sent from your account, let people know so they don’t click any links they received from you.
- Change passwords on any account that used the same credentials — Prioritize banking, work email, and account recovery addresses first.
- Check your other accounts for unusual activity — If your email was the master key to your digital life, assume attackers tried to use it.
How to Prevent It from Happening Again
Password reuse is the root cause of most email hacks. A password manager like Bitwarden (free) or 1Password eliminates this risk by generating and storing a unique password for every site. Pair that with 2FA on your email account, and credential-stuffing attacks become essentially useless against you.
Also consider using a separate email address as an alias for newsletters, sign-ups, and forums, keeping your primary address out of low-security, breach-prone databases.
According to the Have I Been Pwned database — the internet’s most trusted breach tracking service — billions of email accounts have been exposed in data breaches. Checking your own exposure takes seconds and costs nothing.
Frequently Asked Questions
How can I tell if my email has been hacked without checking a breach database?
Look for these red flags: emails you didn’t send appearing in your Sent folder, contacts receiving spam from your address, unexpected password-reset emails for accounts you didn’t request, or being locked out of your account entirely. Any one of these warrants an immediate password change and security review.
Can hackers access my email without ever changing my password?
Yes — this is called “silent access.” Attackers who obtain your credentials through a breach often read your emails, set up forwarding rules, or harvest sensitive information without touching your password, specifically to avoid triggering alerts. This is why checking breach databases and reviewing your account’s active sessions regularly matters.
What should I do in the first 10 minutes after discovering my email is hacked?
Act in this order: (1) Change your password immediately from a different device or network. (2) Enable two-factor authentication. (3) Check your account’s forwarding rules and delete any you didn’t create. (4) Review active sessions and sign out all unknown devices. (5) Check your recovery email and phone number haven’t been changed.
Does changing my password fix a hacked email account completely?
Not on its own. A password change removes the attacker’s current access, but you should also check for forwarding rules, OAuth app permissions, and any filters that might still be routing your emails elsewhere. Treat a password change as step one of a multi-step recovery, not a complete fix.
How long does it typically take for stolen email credentials to be used?
Research suggests that in high-profile breaches, stolen credentials are often tested within hours of a breach going live on underground markets. For older breaches, credentials may sit dormant for months or years before being used in credential-stuffing attacks. This is why enabling two-factor authentication is so valuable — it makes stolen passwords useless on their own.
About This Article
Written and reviewed by the Sites Security Services editorial team. Our content is researched using AI-assisted tools and reviewed for accuracy before publication. We are committed to practical, jargon-free cybersecurity guidance for everyday internet users — with no products to sell and no data stored after your session.