Google reported in 2024 that passkeys have been used to authenticate users more than a billion times across over 400 million accounts — a rollout driven in part by the relentless volume of account takeovers that traditional passwords can’t stop. If your Gmail shows signs of compromise right now — emails sent from your account that you didn’t write, a password change you didn’t make, a login alert from a city you’ve never visited — the next 30 minutes are the most important window you have. Act fast and you can lock the attacker out before they plant persistence that survives a password reset. This guide covers every step: the first 30 minutes, the next 24 hours, and the hardened posture you set up so it never happens again.
How to tell if your Gmail is actually compromised
A compromised Gmail account shows at least one of these signals: emails in your Sent folder you didn’t write, unfamiliar devices in your security dashboard, a changed password or recovery contact, contacts reporting spam from your address, unexpected Google Pay or Play charges, or Gmail filters and forwarding rules you didn’t create. A single anomaly warrants investigation; two or more together should be treated as a breach until you have proven otherwise.
Not every alarm is a real compromise. A login alert from an unfamiliar city might be your VPN exit node; a “suspicious sign-in blocked” notification means Google caught it before the attacker got in. The distinction matters because the response differs.
Definitive signs you’ve been compromised:
- Emails appear in your Sent folder that you didn’t compose or send
- Your Google Account password, recovery phone, or recovery email was changed without your action — Google sends automated alerts to your recovery contact when this happens
- Google’s security alert landed in your inbox stating “New sign-in on [device] in [location]” and you don’t recognize it, AND the sign-in was not blocked
- Gmail filters appear that you didn’t create — especially ones that mark security emails as read, archive them, or forward them to an unknown address
- Contacts are receiving spam, phishing links, or requests for money that appear to come from your Gmail address
- Your Google Pay account shows transactions you didn’t authorize
- Your Gmail delegates list includes an email address you don’t recognize
Signs that look alarming but may not be a breach:
- “Suspicious sign-in blocked” or “We prevented a sign-in to your Google Account” — Google stopped it; still investigate but don’t panic
- A login from an unfamiliar city that corresponds to a VPN or travel
- A “less secure app access” warning — this is a configuration issue, not necessarily an active attacker
If you see any definitive sign, treat it as confirmed and proceed immediately to the next section. Speed matters more than certainty.
The first 30 minutes: regain control
The priority in the first 30 minutes is to sign in at accounts.google.com, review the Security activity panel, sign out all other sessions, and then change your password. Do those four things before anything else — in that order. Every other step that follows assumes you have regained sole control of the session.
Step 1: Sign in at accounts.google.com
Open a browser you trust on a device you trust (not a shared or public computer). Go directly to accounts.google.com — do not click a link in any email, because a phishing email may have delivered a fake login page designed to look identical to Google’s. Type the URL.
If you can log in: move immediately to Step 2.
If you cannot log in (password rejected or recovery info changed): skip to the locked-out section.
Step 2: Review Security activity
Once signed in, go to myaccount.google.com/security. Look at:
- Recent security events — any password changes, recovery info changes, or new app authorizations you don’t recognize
- Your devices — every device currently signed into your account is listed here. Identify any you don’t own or recognize.
Click each unfamiliar entry. If you see a device you don’t own: click “Sign out” on that specific device, or use “Sign out of all other sessions” (described in Step 3).
Step 3: Sign out all other sessions
In Gmail on the web, scroll to the bottom of the inbox to the “Last account activity” line and click “Details.” The pop-up lists recent sessions with IP address, access type (browser, IMAP, POP, mobile) and time, and has a “Sign out all other web sessions” button. This terminates every active Gmail web session except the one you’re using right now. Note what you see before you click: the attacker’s IP addresses and access types are evidence you will want when you assess the damage later. This button does not revoke IMAP/POP clients or third-party app grants; the account-wide sign-out and the app-access audit cover those.
For full account-wide sign-out: in myaccount.google.com/security > Your devices > click each device > Sign out.
Step 4: Don’t touch anything else yet
Resist the urge to change your password, enable 2FA, or delete suspicious emails before you’ve signed out all other sessions. Changing the Google Account password does sign out most devices, but Google exempts some devices with third-party apps you have granted access, and OAuth grants, delegation and forwarding rules are not affected at all. Signing out first also lets you record the attacker’s devices and IP addresses from the session list before they disappear. Sign out first, then change the password, then audit the persistence mechanisms described later in this guide.
If you’re locked out entirely: account recovery
If an attacker changed your password before you could act, go to g.co/recover. Google’s account recovery flow verifies your identity through previous passwords you remember, a recovery phone number (if the SIM is still yours), a backup email, or a trusted device that’s still signed in. Start the recovery attempt as soon as you notice the lockout — Google’s recovery confidence drops the longer the attacker controls the account.
The recovery flow is designed to work even when a sophisticated attacker has changed your recovery email and phone. Google uses several signals:
- A recovery phone number you added before the attack — if you still have that SIM, Google sends a code to it. This works even if the attacker changed the recovery phone, as long as they haven’t yet ported your number.
- A previously trusted device — if you have a phone or tablet that was signed into this Google account before the compromise and hasn’t been signed out yet, Google can use it to verify you.
- Previous passwords you remember — Google asks for passwords you used on the account in the past. Try any password you used in the last year, even if not the most recent one.
- Your account creation date and recent Gmail usage patterns — Google asks questions about your account history to verify you’re the original owner.
If the recovery succeeds: you’ll be prompted to set a new password immediately. Do so, then return to this guide at the filters section — you still need to audit for attacker-installed persistence.
If the recovery fails on first attempt: try again from a different device (a phone that was previously signed in, or a second computer). The recovery flow generates higher confidence when the request comes from a device Google has seen before.
If you cannot recover the account at all and it contains business-critical data: on Google Workspace, your administrator can reset your password and sign you out of all sessions from the Admin console, and paid plans include Workspace support. Personal accounts have no separate support channel; the recovery flow at g.co/recover is the only path, so keep retrying it from devices and networks Google has seen you use before.
Change your password — the right way
After signing out all sessions, change your Gmail password at myaccount.google.com/security. Use a password that is at least 16 characters, unique to this account, and not based on any personal information. A password manager is the only practical way to maintain a strong, unique password per account. Without one, most people reuse passwords, which is what makes credential stuffing work: one password leaked from any site is tried against every other service you use.
Go to myaccount.google.com/security > Password > enter your new password.
What makes a strong password at this moment:
- At least 16 characters — length beats complexity
- No words from your life: no name, no pet, no birthday, no city, no employer
- Never reused on any other site — the attacker who compromised your Gmail will immediately try that password on your bank, Amazon, PayPal, and social accounts
- Generated by a password manager (Bitwarden, 1Password, Dashlane) rather than invented by you
What to do immediately after changing:
- Update the saved password in your password manager
- Sign back into Gmail on each of your trusted devices — you’ll be prompted automatically
- Do not share the new password with anyone, including anyone claiming to be Google Support
For more detail on the password change process itself, see our full walkthrough: how to change your Gmail password securely.
Enable 2-Step Verification and add a passkey
2-Step Verification (2SV) is the single most effective change you can make to prevent a repeat compromise. Even if an attacker gets your password again, they cannot sign in without the second factor. Google’s strongest options are passkeys (phishing-resistant, tied to your device biometrics) and hardware security keys. SMS codes are the weakest form of 2SV and can be intercepted via SIM-swap attacks — use them only as a last resort fallback.
Go to myaccount.google.com/signinoptions/two-step-verification to set this up.
Tier 1 — Passkeys (recommended): Google has supported passkeys since 2023, and as of 2024 has processed over one billion passkey authentications. A passkey is a public-key credential: the private key is generated on your device (phone, laptop, YubiKey) or kept in your encrypted passkey sync (Google Password Manager, iCloud Keychain), and Google stores only the matching public key, so there is nothing reusable to leak in a database breach. Using it requires your device’s biometric or PIN (Face ID, fingerprint, Windows Hello). It resists phishing because the browser binds every sign-in to the exact domain that requested it: a look-alike site is never offered your Google passkey, and a response produced for a look-alike domain does not verify at accounts.google.com. Add a passkey for your primary device first, then a second device or hardware key as backup.
Tier 2 — Hardware security key (YubiKey, Google Titan): A physical USB or NFC key that you plug in or tap to confirm sign-in. Requires the attacker to have both your password and the physical key in hand. The strongest option if passkeys are not available on a given device.
Tier 3 — Google Authenticator or a TOTP app (Authy, 1Password TOTP): A 6-digit code that changes every 30 seconds. Phishable in real time by a skilled attacker (they capture the code mid-session), but vastly better than SMS. If using this method, store the backup codes in your password manager, not in Gmail itself.
Tier 4 — SMS codes: Vulnerable to SIM-swap attacks, where an attacker calls your carrier, impersonates you, and transfers your phone number to a new SIM. Use SMS only if no other tier is available, and migrate away from it as soon as possible.
For a full setup walkthrough, read our dedicated guide: Gmail two-factor authentication setup.
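To make the difference between the tiers concrete, here is an added example (not code from Google or from this guide’s author) of the checks a WebAuthn relying party runs on a passkey sign-in response, with a simulated browser producing the unsigned parts. The domain names, the challenge value and the flag bytes are constructed; the final ECDSA signature check a real relying party performs over the payload returned by signed_payload() is not included because it needs a crypto library. The point shown is that a response minted on a look-alike domain, or an old captured response, is rejected before the signature is ever looked at, which is exactly what a relayed TOTP code does not give you.

```python
import base64
import hashlib
import json

# Toy relying-party (RP) checks from the WebAuthn assertion ceremony, written to show
# why a passkey response produced on a look-alike domain is useless to a phisher.
# Names and sample values are constructed; the ECDSA signature check that follows
# these steps in a real RP is not included (it needs a crypto library).

RP_ID = "google.com"                              # the domain the passkey was registered for
ALLOWED_ORIGINS = {"https://accounts.google.com"}  # origins this RP accepts sign-ins from


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def browser_get_assertion(page_domain: str, page_origin: str, challenge: bytes):
    """Simulate the unsigned parts of navigator.credentials.get() in the user's browser.

    The *browser* writes the origin into clientDataJSON and hashes the domain the page
    was really loaded from into authenticatorData; the web page cannot alter either.
    """
    client_data_json = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": page_origin}
    ).encode()
    rp_id_hash = hashlib.sha256(page_domain.encode()).digest()
    flags = bytes([0x05])                 # bit0 = user present, bit2 = user verified (biometric/PIN)
    sign_count = (0).to_bytes(4, "big")
    authenticator_data = rp_id_hash + flags + sign_count
    return client_data_json, authenticator_data


def rp_verify(client_data_json: bytes, authenticator_data: bytes, expected_challenge: bytes):
    """Return (ok, reason). Every check here runs before any signature is examined."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (stale or replayed response)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')} is not allowed"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


def signed_payload(client_data_json: bytes, authenticator_data: bytes) -> bytes:
    """The bytes the authenticator signed: authenticatorData || SHA-256(clientDataJSON)."""
    return authenticator_data + hashlib.sha256(client_data_json).digest()


def demo():
    challenge = bytes(range(32))  # constructed; a real RP draws this randomly per sign-in
    # Case 1: the user really is on accounts.google.com.
    legit = rp_verify(*browser_get_assertion("google.com", "https://accounts.google.com", challenge), challenge)
    # Case 2: the user was lured to a look-alike domain that relays Google's challenge.
    # The browser still records the attacker's origin and domain, so the relay fails.
    phished = rp_verify(*browser_get_assertion("accounts-google.example", "https://accounts-google.example", challenge), challenge)
    # Case 3: an old captured response (a TOTP code would still be valid for ~30 s; this is not).
    replayed = rp_verify(*browser_get_assertion("google.com", "https://accounts.google.com", b"\x00" * 32), challenge)
    return legit, phished, replayed


if __name__ == "__main__":
    for label, result in zip(("legitimate", "phished", "replayed"), demo()):
        print(f"{label:11} -> {result}")
```

The origin and rpIdHash checks are why the tier ordering above holds: a TOTP code is just a number the user can be tricked into typing into the wrong site, while a passkey response carries the site it was made for inside the signed data.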
Remove suspicious third-party app access
Third-party apps authorized to access your Google account can keep that access after a password change. Google documents one exception: refresh tokens that include Gmail scopes stop working when the password changes. Grants for Drive, Calendar, Contacts and other scopes survive, and you should not rely on the exception in any case. This is one of the primary persistence mechanisms attackers use. After a compromise, audit every authorized app and revoke anything you don’t recognize or no longer use.
Go to myaccount.google.com/connections to see every app and service with access to your Google account.
For each entry, ask:
- Do I recognize this app or service? If not, revoke immediately.
- When did I authorize this? An authorization timestamp from a date when you weren’t actively using the account is a red flag.
- What permissions did I grant? Look for apps with “Read and manage your mail” or “Send email on your behalf” — those have full inbox access. Revoke any you didn’t explicitly authorize.
As Google’s own guidance notes: “If you share your Google Account password with a third-party app or service, they’ll have full access to your account and this can compromise your account security.” Legitimate services never ask for your Gmail password directly — they use OAuth. Any app that asked for your password rather than Google’s consent screen was harvesting credentials.
Common attacker-installed apps to look for:
- Generic names like “Mail Sync,” “Calendar Backup,” or “Account Manager” that you don’t remember installing
- Any app from a developer you don’t recognize with “manage mail” or “read Gmail” permissions
- Apps from countries or organizations you have no relationship with
After revoking: the app cannot access your account going forward. Data it already downloaded is not deleted — for sensitive historical data you shared with a rogue app, you would need to contact the developer directly, or, in the EU, file a GDPR deletion request.
Audit filters, forwarding, delegation, and auto-reply
Attackers routinely install Gmail filters and forwarding rules as their first act after gaining access — this persistence survives a password change and lets them continue reading your inbox silently for months. Check these four settings in Gmail before considering the account clean: filters, forwarding addresses, delegated accounts, and vacation auto-reply text.
These settings are in Gmail > gear icon > See all settings.
Filters tab: Look for any filter you didn’t create. Common attacker patterns:
- A filter matching from:(google.com OR accounts.google.com) with action “Delete it” or “Skip Inbox” — this hides Google’s own security alerts from you
- A filter that forwards all mail to an external address
- A filter that marks all incoming mail as read so you can’t see the red dot
Delete every filter you don’t recognize.
Forwarding and POP/IMAP tab: Look at the “Forwarding” section. Any external email address listed here means every email you receive is being copied to that address in real time. Remove any forwarding address you didn’t add.
Also check POP Download and IMAP Access settings if you use a desktop email client. An attacker can configure IMAP access to pull your entire mailbox, and IMAP or POP clients sign in either with OAuth or with an app password. So also open myaccount.google.com/apppasswords and delete any app password you did not create: an app password is a 16-character secret that signs in without 2-Step Verification, keeps working until revoked, and is listed separately from the connected third-party apps.
Accounts and Import tab — “Grant access to your account”: This is Gmail delegation. Any email address listed here can read, send, and delete email as if they were you. It is the most dangerous persistence mechanism because delegated access does not require your password and is invisible in most email clients. Remove every delegated address you didn’t explicitly add yourself.
General tab — Vacation responder: An attacker may install a vacation auto-reply that tells everyone who emails you where you are, or that harvests reply confirmations to validate your address as live. Check and disable if active.
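The four checks above lend themselves to a script once you have the settings as data. The following is an added example, not code from Google or from this guide’s author: it audits filters, forwarding addresses, auto-forwarding, delegates and the vacation responder for the attacker patterns described in this section. The input dicts follow the shape of the Gmail API users.settings responses (filters.list, forwardingAddresses.list, getAutoForwarding, delegates.list, getVacation); fetching them with the API is not shown, and every sample value, address and filter ID below is constructed. The “trusted addresses” set is an assumption standing in for the forwarding and delegate addresses you set up yourself.

```python
# Audit of the Gmail settings attackers use for persistence. Input dicts follow the shape
# of the Gmail API users.settings.* responses; all sample data below is constructed.

GOOGLE_ALERT_SENDERS = ("google.com", "accounts.google.com")
HIDE_LABELS = {"TRASH", "SPAM"}

SAMPLE_FILTERS = [
    {"id": "F1", "criteria": {"from": "google.com OR accounts.google.com"},
     "action": {"addLabelIds": ["TRASH"], "removeLabelIds": ["INBOX"]}},               # hides security alerts
    {"id": "F2", "criteria": {"to": "victim@gmail.com"},
     "action": {"forward": "drop@evil.example", "removeLabelIds": ["UNREAD", "INBOX"]}},  # silent copy of all mail
    {"id": "F3", "criteria": {"from": "news@shop.example"},
     "action": {"addLabelIds": ["Label_12"]}},                                          # benign
]
SAMPLE_FORWARDING = {"forwardingAddresses": [
    {"forwardingEmail": "me@work.example", "verificationStatus": "accepted"},
    {"forwardingEmail": "drop@evil.example", "verificationStatus": "accepted"},
]}
SAMPLE_AUTO_FORWARD = {"enabled": True, "emailAddress": "drop@evil.example", "disposition": "trash"}
SAMPLE_DELEGATES = {"delegates": [{"delegateEmail": "assistant@evil.example", "verificationStatus": "accepted"}]}
SAMPLE_VACATION = {"enableAutoReply": True, "responseSubject": "Travelling, reply to my other address"}


def _finding(rule, severity, subject, detail):
    return {"rule": rule, "severity": severity, "subject": subject, "detail": detail}


def _is_broad(criteria):
    """Heuristic: a filter that narrows on neither sender, subject nor attachment hits nearly all mail."""
    return not any(criteria.get(k) for k in ("from", "subject", "hasAttachment"))


def audit_filters(filters, trusted):
    findings = []
    for f in filters:
        crit, act = f.get("criteria", {}), f.get("action", {})
        fid = f.get("id", "?")
        added, removed = set(act.get("addLabelIds", [])), set(act.get("removeLabelIds", []))
        forward = (act.get("forward") or "").lower()
        if forward and forward not in trusted:
            findings.append(_finding("filter_forward", "HIGH", fid, f"forwards matching mail to {forward}"))
        crit_text = " ".join(str(v) for v in crit.values()).lower()
        if any(s in crit_text for s in GOOGLE_ALERT_SENDERS) and (added & HIDE_LABELS or "INBOX" in removed):
            findings.append(_finding("hide_google_alerts", "HIGH", fid, "trashes or archives Google's own security alerts"))
        if "UNREAD" in removed and _is_broad(crit):
            findings.append(_finding("mark_read_broad", "MEDIUM", fid, "marks nearly all incoming mail as read"))
    return findings


def audit_settings(filters, forwarding, auto_forward, delegates, vacation, trusted_addresses=()):
    trusted = {a.lower() for a in trusted_addresses}
    findings = audit_filters(filters, trusted)
    for entry in forwarding.get("forwardingAddresses", []):
        addr = entry.get("forwardingEmail", "").lower()
        if addr and addr not in trusted:
            findings.append(_finding("forwarding_address", "HIGH", addr,
                                     f"forwarding address present, status {entry.get('verificationStatus')}"))
    target = (auto_forward.get("emailAddress") or "").lower()
    if auto_forward.get("enabled") and target not in trusted:
        # disposition "trash" means Gmail forwards the copy and bins the original: nothing left for you to notice
        findings.append(_finding("auto_forward", "HIGH", target,
                                 f"all mail auto-forwarded; originals: {auto_forward.get('disposition')}"))
    for d in delegates.get("delegates", []):
        addr = d.get("delegateEmail", "").lower()
        if addr and addr not in trusted:
            findings.append(_finding("delegate", "HIGH", addr,
                                     f"can read, send and delete as you, status {d.get('verificationStatus')}"))
    if vacation.get("enableAutoReply"):
        findings.append(_finding("vacation", "MEDIUM", "vacation",
                                 f"auto-reply active: {vacation.get('responseSubject')!r}"))
    return findings


def demo():
    return audit_settings(SAMPLE_FILTERS, SAMPLE_FORWARDING, SAMPLE_AUTO_FORWARD,
                          SAMPLE_DELEGATES, SAMPLE_VACATION, trusted_addresses={"me@work.example"})


if __name__ == "__main__":
    for f in demo():
        print(f"[{f['severity']}] {f['rule']:<19} {f['subject']:<24} {f['detail']}")
```

Anything the script flags still has to be removed by hand in the Gmail settings tabs listed above; the value of running it is that it reads every filter’s action, which is easy to skim past when a filter has an innocuous name.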
Check your recovery email and phone
Recovery information — a backup email address and a recovery phone number — is the key to account recovery if you’re locked out again. After a compromise, verify that both point to addresses and numbers you actually control. An attacker who added their own recovery phone effectively has a permanent backdoor even after you’ve changed your password.
Go to myaccount.google.com/security and scroll to the “How you sign in to Google” section, then “Ways we can verify it’s you.”
Check:
- Recovery email: Does it show an address you own and actively check? If an unfamiliar address appears, remove it immediately and add your own.
- Recovery phone: Is the number listed your current active SIM? If an unknown number appears, remove it.
- Trusted devices: Are all listed devices ones you own and trust?
After confirming these are correct: add a second recovery email if you don’t already have one. The more recovery paths you have, the less leverage an attacker has.
Assess the damage: Sent, Spam, and connected services
Once you’ve secured the account itself, audit the blast radius. Check Sent for any emails the attacker sent from your address, check Spam for any suspicious emails the attacker received and deleted, review Google Activity for any searches or actions taken while they had access, and most critically — identify every service where Gmail is your password-reset address, because every one of those accounts is now at risk.
Gmail Sent folder: Sort by date and look at the period of the suspected compromise. Did the attacker send emails pretending to be you — asking contacts for money, gift cards, or passwords? Did they send phishing links? Did they send test emails to verify the account worked?
Gmail Spam and Trash: Attackers sometimes send themselves password-reset emails for other services, then delete them. Sort Spam and Trash by date and look for password-reset confirmation emails from banks, PayPal, Amazon, social networks, or any service you use.
Google Activity: Go to myactivity.google.com and review searches, YouTube views, Maps searches, and Google Shopping activity during the compromise window. This tells you what the attacker looked up.
Connected services — the most important step: Make a list (mental or written) of every service where you’ve ever:
- Used “Sign in with Google”
- Set your Gmail address as the login email
- Set your Gmail address as the password-reset address
For every such service, an attacker with access to your Gmail could have requested a password reset, intercepted the email, and changed that account’s password before you noticed. Start with the highest-risk accounts: banking, investment, PayPal and payment services, Apple ID, work SSO, domain registrars. Change passwords on those accounts now, before the attacker attempts them.
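Sorting Spam and Trash by hand works for a short window; for a longer one it is easier to export the mailbox and search it. The following is an added example, not code from Google or from this guide’s author. It assumes you exported Gmail with Google Takeout, which produces an mbox file whose messages carry an X-Gmail-Labels header recording the Gmail labels (Inbox, Trash, Spam and so on), and it pulls out every mail received inside the compromise window whose subject looks like a password reset or sign-in notice. The three messages, the addresses and the window dates below are constructed.

```python
import mailbox
import os
import re
import tempfile
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Scan a Google Takeout mbox export for password-reset and sign-in mails received during the
# compromise window. X-Gmail-Labels is the header Takeout uses to record the Gmail labels.
# The three messages below are constructed sample data.

SAMPLE_MBOX = """From 1@xxx Mon Mar 03 09:10:00 2025
From: service@paypal.example
To: victim@gmail.com
Subject: Reset your PayPal password
Date: Mon, 03 Mar 2025 09:10:00 +0000
X-Gmail-Labels: Trash,Category Updates

Click the link to choose a new password.

From 2@xxx Mon Mar 03 09:30:00 2025
From: news@shop.example
To: victim@gmail.com
Subject: Spring sale starts now
Date: Mon, 03 Mar 2025 09:30:00 +0000
X-Gmail-Labels: Inbox

Deals inside.

From 3@xxx Tue Feb 11 18:00:00 2025
From: no-reply@bank.example
To: victim@gmail.com
Subject: Your verification code
Date: Tue, 11 Feb 2025 18:00:00 +0000
X-Gmail-Labels: Inbox

Your code is 481516.
"""

# Subjects worth a second look; extend this with the wording your own services use.
SUSPECT_SUBJECT = re.compile(
    r"reset your|password (reset|change)|verification code|security code|new sign-in|confirm your",
    re.IGNORECASE,
)

# Constructed compromise window (UTC): first unfamiliar sign-in to the moment you regained control.
WINDOW_START = datetime(2025, 3, 3, 8, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 3, 4, 8, 0, tzinfo=timezone.utc)


def find_reset_emails(mbox_path, window_start, window_end):
    """Return mails inside the window whose subject looks like an account-action notice."""
    hits = []
    for msg in mailbox.mbox(mbox_path):
        try:
            received = parsedate_to_datetime(msg["Date"])
        except (TypeError, ValueError):
            continue                                    # no usable Date header
        if received.tzinfo is None:
            received = received.replace(tzinfo=timezone.utc)
        if not window_start <= received <= window_end:
            continue
        subject = msg.get("Subject", "")
        if SUSPECT_SUBJECT.search(subject):
            hits.append({
                "date": received.isoformat(),
                "from": msg.get("From", ""),
                "subject": subject,
                "labels": msg.get("X-Gmail-Labels", ""),   # Trash or Spam here means the attacker tidied up
            })
    return hits


def demo():
    path = os.path.join(tempfile.mkdtemp(), "All mail Including Spam and Trash.mbox")
    with open(path, "w", newline="\n") as fh:
        fh.write(SAMPLE_MBOX)
    return find_reset_emails(path, WINDOW_START, WINDOW_END)


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['date']}  {hit['from']:<28} {hit['subject']!r}  labels={hit['labels']}")
```

Every hit is a service whose password the attacker may already have changed; those go to the top of the list of accounts to reset.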
For a broader look at managing multiple accounts securely, see how to check all email accounts in one place.
Notify your contacts
If the attacker sent emails from your account — to your contacts, your colleagues, your family — those people may have clicked malicious links, replied with sensitive information, or sent money. A brief, honest notification is the right thing to do, and it protects the people who trust you.
What to tell them:
- Your Gmail account was compromised between [date] and [date]
- Any email from your address during that period asking for money, gift cards, passwords, or asking them to click a link should be treated as fraudulent
- They should not click any link in those emails and should change their own password if they entered any credentials
- If they sent money or gift cards, they should contact their bank or the gift card issuer immediately
You don’t need to over-explain or apologize excessively. A short, factual note sent from your newly secured account is sufficient. If this happened in a work context, notify your IT or security team — they need to know so they can check whether the attacker pivoted to internal systems.
Ongoing security: what to do in the next 30 days
Securing the account in the first 30 minutes stops the immediate bleeding. The next 30 days are about removing every path back in and building the habits that prevent a repeat. The three highest-leverage actions are: using a password manager for every account, keeping passkeys or a hardware security key as your 2FA method, and running a Google Security Checkup monthly.
Week 1:
- Complete the Google Security Checkup — Google’s guided checklist that reviews devices, connected apps, and recovery info in one pass
- Change passwords on every service where Gmail was the password-reset address, starting with financial accounts
- Set up a password manager if you don’t have one — Bitwarden (free, open-source) is a strong starting point
- Enable 2FA on every service that supports it, starting with your bank, then social accounts, then everything else
Week 2–4:
- Run a Google Security Checkup again to confirm nothing was re-compromised
- Audit any email you received during the compromise window to see if the attacker triggered other account actions you missed on the first review
- Consider a desktop email client that authenticates via modern OAuth (not a stored password) — this way, even if a third-party app is compromised, it doesn’t expose your Google password directly. Mailbird on Windows handles Gmail via OAuth natively.
Ongoing (monthly):
- Run Google Security Checkup the first Monday of each month — it takes two minutes
- Review connected apps every 90 days and prune anything you’ve stopped using
- Check haveibeenpwned.com for new breaches involving your email address
What this guide doesn’t cover
This guide covers individual Gmail accounts — personal and Google Workspace. It does not cover:
- Google Workspace admin-level compromise (an admin account breach requires contacting Google Workspace support and a full tenant audit beyond the scope of this guide)
- SIM-swap recovery (if the attacker ported your phone number, the carrier fraud resolution process is separate from Google account recovery)
- Legal action or law enforcement reporting (if you’ve suffered financial loss, contact your local cybercrime unit — in the US, the FBI’s Internet Crime Complaint Center at ic3.gov)
- Gmail data recovery (if the attacker deleted emails, deleted items are recoverable for 30 days from Trash; Workspace admins have access to Vault for longer retention)
- Phishing simulation vs. real compromise (some corporate security teams send test phishing emails; if you clicked something suspicious on a work device, check with IT before assuming your personal Gmail is involved)

Alexis Dollé, email expert for 10+ years. Founder of Email Tools. I test every email client and security workflow myself, then write about them the way I’d explain them to a friend — no marketing fluff, no sponsored rankings, every claim sourced.
Frequently asked questions
How do I know if my Gmail account has been compromised?
Key signs include: emails in Sent you didn’t write, unfamiliar login devices in myaccount.google.com/security, password or recovery email/phone changed without your action, contacts reporting spam from your address, unexpected Google Pay or Play charges, and Gmail filters or forwarding rules you didn’t create. Google also sends automated alerts to your recovery address when a new device signs in — check your recovery inbox first.
What is the first thing I should do if my Gmail is hacked?
If you can still log in, go immediately to myaccount.google.com/security and click “Review security activity.” Sign out of all other sessions: in Gmail, scroll to the bottom of the inbox, click “Details” next to “Last account activity,” then “Sign out all other web sessions.” Then change your password to something strong and unique. If you’re locked out, go to g.co/recover.
Can I recover my Gmail account if the hacker changed my password and recovery info?
Yes. Go to g.co/recover and follow Google’s account recovery flow. Google will verify your identity using prior passwords you remember, your recovery phone (if the SIM is still yours), confirmation codes sent to a device that is still signed in, or questions about your account history such as when you created it. The process works best the sooner you attempt it, and from a device and network Google has seen you use before; the longer you wait, the more recovery options the attacker may have changed.
How do attackers maintain access to Gmail even after I change my password?
Attackers plant persistence mechanisms: forwarding rules that copy every incoming email to an external address, mail delegation that lets them read and send as you, Gmail filters that auto-forward or auto-delete security alerts, and OAuth tokens from third-party apps that retain access even after a password change. All four must be checked and removed, not just the password.
Should I enable passkeys instead of SMS-based 2-Step Verification?
Yes. Passkeys — supported by Google since 2023 and now the recommended 2FA method — are phishing-resistant because they never leave your device. SMS codes can be intercepted via SIM-swap attacks; authenticator-app TOTP codes can be phished in real time by a sophisticated attacker. A hardware security key (YubiKey) or a device passkey is the strongest option. SMS is better than nothing, but it is the weakest 2FA tier.
Which other accounts are at risk once my Gmail is compromised?
Every service where you use “Sign in with Google” or where Gmail is the password-reset address — your bank, PayPal, Amazon, Apple ID, social networks, work SaaS tools. The attacker intercepts password-reset emails before you see them. Run a mental or written audit of every account you’ve ever logged into using that Gmail address and change those passwords immediately, starting with financial and identity-critical services.
Sources & references
- Google Support — Secure a hacked or compromised Google Account. Accessed 2026-05-18.
- Google Support — Manage third-party app access to your Google Account. Accessed 2026-05-18.
- Google — Account recovery: g.co/recover.
- Google — passkey announcement: over 1 billion passkey authentications across 400 million+ accounts (Google I/O 2024). blog.google.
- Email Tools — Gmail two-factor authentication setup.
- Email Tools — How to change your Gmail password securely.