How to Recover a Hacked Email Account — Step by Step
Email is the recovery address for nearly every other account you hold — banking, brokerage, cloud storage, even your other email. A compromise here is rarely contained to the inbox.
The moment to worry is not when you're locked out — it's the hours before, when someone already had access and you didn't know it. Recovery matters, but it is only step one; the real question is what that account was used to reach before you noticed.
First: confirm what actually happened
- You're locked out entirely. Password no longer works, recovery options changed. This is the loudest, most obvious compromise.
- You're still in, but something's wrong. Sent items you didn't write, contacts reporting spam "from you," or a login-alert email from a country you weren't in.
- Silent access. The most dangerous case: a forwarding rule quietly copies your mail to an external address while everything looks normal. Check your mail rules and filters right now — this is the step almost everyone skips.
Recovery, in order
- Use the provider's official account-recovery flow from a device and network you trust. Google, Microsoft and Apple all have dedicated compromised-account recovery paths — use those, not a generic "forgot password" reset, which an attacker may have already redirected.
- Once back in, check forwarding rules and filters first — before you even reset the password. Delete anything you didn't create.
- Revoke all active sessions and connected apps. Every major provider has an "sign out everywhere" or "connected apps" panel; use it.
- Set a new, unique password and enable two-factor authentication via an authenticator app rather than SMS, which is vulnerable to SIM-swap attacks.
- Check recovery contact details — phone number and secondary email — for anything an attacker may have added.
- Then, and only then, work outward: any account using this email for password resets is now a potential secondary target.
Why email compromise is worse than it looks
A primary email address is a master key. Whoever controls it can trigger password resets on banking, brokerage, cloud storage and even other email accounts — often without you receiving any notification, because the notification goes to the compromised inbox itself. For principals and family offices, this is precisely the pathway that turns a single phished login into wire fraud, which is why out-of-band verification — never authorizing a transfer from an email or message alone — is central to the protocol we detail in deepfake and impersonation protection for executives.
It's also worth checking whether the credential that got you here was already circulating before the breach happened. Stolen email-password pairs are traded and tested at scale long before an individual victim notices anything wrong — the exact market we track in dark web monitoring for UHNW families, which can surface a live credential before it's used rather than after.
Recovering the inbox is the easy part. Finding out what it was used to unlock is the part that matters.
The specific danger of a forwarding rule
Of everything covered here, the silent forwarding rule deserves the most emphasis, because it's the one people are least likely to check unprompted. Unlike a lockout or a suspicious sent message, a forwarding rule produces no visible symptom at all — your inbox looks completely normal while a copy of every message quietly lands in an attacker's mailbox, including password resets for other services, wire confirmations, and anything else that arrives by email. Rules can also be configured narrowly, forwarding only messages containing words like "invoice," "wire" or "password," making them even less likely to be noticed during a casual glance at settings. Checking this specific setting, even if nothing else seems wrong, is worth the ninety seconds it takes.
After recovery: the audit you shouldn't skip
Once the account is secure, review sent mail and trash for anything an attacker may have read or exfiltrated — wire instructions, passport scans, property details, family calendars. Assume anything visible in that inbox was seen. For a single personal account this is a manageable afternoon. For a principal whose email touches a family office, multiple properties and staff, it becomes a genuine incident-response exercise, which is exactly the standing function a fractional CISO for the family is retained to run.
Business email compromise: a different threat model
When the compromised inbox belongs to a principal, an assistant, or anyone at a family office, the risk profile changes substantially. Attackers who gain even brief access to a business or family-office email account often don't act immediately — they read silently for days or weeks, studying tone, timing and vendor relationships, then insert themselves into an active conversation about a real transfer, invoice or wire. The resulting message looks indistinguishable from a genuine one, because in every respect except authorship, it is.
The defence against this is procedural, not technical: no financial instruction is ever actioned on the basis of an email alone, regardless of how convincing, familiar or urgent it appears. A phone call to a known number, a pre-agreed verification phrase, or a callback protocol closes this gap entirely — the same principle that underlies the broader impersonation defence in deepfake protection for executives. Email recovery fixes the account. Only a verification protocol fixes the exposure that made the account worth compromising in the first place.
What to tell your team after a compromise
Once an account is secure, brief anyone who corresponds regularly with that address — family office staff, assistants, financial advisers — that a compromise occurred and that any recent instructions from that address bearing any irregularity should be independently confirmed. This single conversation closes a window that technical remediation alone leaves open.
Obsidian Helm handles this end to end — recovery, forensic review of what was exposed, and a hardened rebuild of every account that trusted the compromised inbox — under our Personal Cybersecurity practice, delivered remotely and under NDA.
Let a Named Contact Handle Recovery and the Cleanup After It
A $4,999 Private Strategy Session includes full incident triage — what was accessed, what needs rotating, and how it's prevented next time — credited toward membership.
Request Your InvitationFrequently asked
How do I recover a hacked Gmail, Outlook, or iCloud account?
Use the provider's dedicated compromised-account recovery flow rather than a standard password reset, from a device and network you trust. Once back in, check forwarding rules and connected apps before doing anything else — these are the most common ways attackers retain silent access.
How can I tell if my email was hacked without being locked out?
Look for forwarding rules or filters you didn't create, sent messages you don't recognise, login-alert emails from unfamiliar locations, or contacts reporting spam that appears to come from you. Silent forwarding rules are the most commonly missed sign.
Should I change all my other passwords after an email hack?
Prioritise any account that uses that email address for password resets — banking, brokerage, cloud storage — since those are the accounts a compromised inbox can be used to take over next. Work outward from the most sensitive accounts first.
Is SMS two-factor authentication safe enough for email?
It's better than nothing, but SMS codes can be intercepted through SIM-swap attacks. An authenticator app or a hardware security key provides materially stronger protection for an account as central as email.
Can a hacked email account lead to identity theft or fraud?
Yes — a compromised inbox is one of the most common paths to broader identity theft and financial fraud, since it can be used to intercept password resets, verification codes, and sensitive documents sent to that address over time.



