What to do if…
your email account password is changed and you did not do it
Short answer
Treat this as an account takeover: start account recovery with your email provider immediately, and secure your recovery options (phone/email/2-step) before you do anything else.
Do not do these things
- Don’t click “password reset” links in emails/texts you weren’t expecting (use the provider’s website/app directly).
- Don’t keep guessing passwords over and over: repeated failed attempts can trigger a lockout that delays your own recovery.
- Don’t use the same (or similar) password again “just to get back in”.
- Don’t ignore “forwarding”, “filters”, or “rules” settings — attackers often leave these behind.
- Don’t message contacts from the compromised account to “warn them” (the attacker may still be reading it).
What to do now
- Move to a safer device and connection. If you have any reason to suspect malware (odd pop-ups, unknown apps/extensions, recent “free” downloads), use a different device (or at least update your device and run a reputable security scan) before entering new passwords: a new password typed into an infected device is captured just like the old one.
- Start the official recovery process (right now). Open your email provider’s official app or type their website address yourself and use their “account recovery” flow. Follow it through fully (including identity checks).
- As soon as you regain access, force a full sign-out. In your account security settings, sign out of all devices/sessions and revoke access for unfamiliar apps.
- Change the password again (even if you already did during recovery). Use a long, unique password you’ve never used anywhere else. If possible, generate it with a password manager.
- Lock down recovery options and 2-step verification.
  - Check the recovery email address and phone number are yours.
  - Turn on 2-step verification (2SV) and make sure the “backup” method is also controlled by you.
  - Save any backup codes in a safe place you can access if you’re locked out again.
- Hunt for “persistence” inside your mailbox. Check and remove anything you didn’t set:
  - forwarding addresses
  - mail rules/filters
  - auto-replies/signatures
  - “send mail as” / delegated access
  - newly created folders that hide copies of sent mail
- Assume other accounts are at risk and triage the most dangerous ones first. From a safe device, go to your bank, payments, and primary social accounts and:
  - change passwords (unique)
  - enable 2-step verification
  - review recent sign-ins/transactions
- Warn people safely (without using the compromised email). Use a different channel (text/phone/another email) to tell close contacts to ignore unexpected messages or payment requests “from you”.
- Report likely phishing that led to this (if you have any suspicious message). Forward suspicious emails to report@phishing.gov.uk (the UK suspicious email reporting service) and suspicious texts to 7726 (free of charge). If you’re unsure which message did it, it’s still fine to report anything that looks like a login alert, invoice, delivery message, or “security warning” you didn’t request.
- If money was lost, or you were “hacked because of a scam”, report it. In England, Wales or Northern Ireland you can report cyber crime/fraud via Report Fraud. If you live in Scotland, report via Police Scotland (101 for non-emergency).
- If your workplace or an organisation’s data might be involved, escalate appropriately. If this email is used for work, tell your IT/security team immediately. If (separately) you think an organisation exposed or mishandled your personal data, follow the ICO’s public guidance on what to do after a data breach.
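The “hunt for persistence” step above is easy to get wrong by eye when a mailbox has dozens of filters. As an added example (not part of the original guidance), the script below audits a Gmail filter export (Settings > Filters and Blocked Addresses > Export, which produces an Atom XML file of apps:property name/value pairs) and flags filters that forward mail, delete or archive it, mark it as read, or match security-related keywords. The sample export, the weights and the keyword list are this example’s own assumptions; the same idea applies to any provider that lets you export rules.

```python
"""Audit a Gmail filter export for rules an account hijacker typically leaves behind.

Gmail exports filters as an Atom feed; each <entry> holds <apps:property name=.. value=..>
elements describing the match criteria (from, subject, hasTheWord, ...) and the actions
(forwardTo, shouldTrash, shouldArchive, shouldMarkAsRead, ...).
"""
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Actions that exfiltrate or hide mail. Weights are a heuristic chosen for this example.
ACTION_WEIGHTS = {
    "forwardTo": 5,            # copies mail to another address
    "shouldTrash": 3,          # deletes mail before you see it
    "shouldArchive": 2,        # "skip the inbox"
    "shouldMarkAsRead": 2,     # suppresses unread indicators
    "shouldNeverMarkAsImportant": 1,
}
# Terms an attacker filters on so the victim never sees warnings or transaction mail.
SUSPICIOUS_TERMS = ("password", "verification", "security", "sign-in",
                    "login", "invoice", "bank", "payment")
CRITERIA_FIELDS = ("from", "to", "subject", "hasTheWord", "doesNotHaveTheWord")

# Constructed sample export (not a real account). Filter 1 is a benign newsletter rule;
# filter 2 forwards and deletes password/verification mail; filter 3 silently bins bank alerts.
SAMPLE_EXPORT = """<?xml version='1.0' encoding='UTF-8'?>
<feed xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
  <title>Mail Filters</title>
  <entry>
    <category term='filter'/>
    <apps:property name='from' value='news@newsletter.example'/>
    <apps:property name='label' value='Newsletters'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <apps:property name='hasTheWord' value='password OR verification OR security'/>
    <apps:property name='forwardTo' value='attacker-relay@example.net'/>
    <apps:property name='shouldTrash' value='true'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <apps:property name='from' value='alerts@bank.example'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
</feed>
"""


def parse_filters(xml_text):
    """Return one {property_name: value} dict per filter entry."""
    root = ET.fromstring(xml_text)
    filters = []
    for entry in root.iter(ATOM + "entry"):
        props = {p.get("name"): p.get("value") for p in entry.iter(APPS + "property")}
        filters.append(props)
    return filters


def score_filter(props):
    """Score a filter by its hiding/forwarding actions and the keywords it matches on."""
    score, reasons = 0, []
    for name, weight in ACTION_WEIGHTS.items():
        val = props.get(name)
        if val is None:
            continue
        if name == "forwardTo":
            score += weight
            reasons.append(f"forwards to {val}")
        elif val.lower() == "true":
            score += weight
            reasons.append(name)
    criteria = " ".join(props.get(f, "") for f in CRITERIA_FIELDS).lower()
    hits = [t for t in SUSPICIOUS_TERMS if t in criteria]
    if hits:
        score += 2
        reasons.append("matches " + ", ".join(hits))
    return score, reasons


def audit(xml_text, threshold=3):
    """Return the filters scoring at or above threshold, in export order."""
    findings = []
    for index, props in enumerate(parse_filters(xml_text), start=1):
        score, reasons = score_filter(props)
        if score >= threshold:
            findings.append({
                "index": index,
                "score": score,
                "reasons": reasons,
                "criteria": {f: props[f] for f in CRITERIA_FIELDS if f in props},
            })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_EXPORT):
        print(f"filter #{f['index']} score={f['score']}: {'; '.join(f['reasons'])} {f['criteria']}")
```

Run it against your own export instead of SAMPLE_EXPORT; anything it flags that you did not create should be deleted, and the forwarding address it reveals is worth keeping for your fraud report.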
What can wait
- You do not need to figure out how it happened right now.
- You do not need to delete your whole mailbox or close the account immediately.
- You do not need to contact every single person you’ve ever emailed — focus on anyone who might receive urgent “pay me / gift cards / invoice change” messages.
- You do not need to make police reports unless there’s fraud, clear financial loss, or you’re advised to by the relevant reporting service.
Important reassurance
It’s common to feel embarrassed or panicked — account takeovers are often automated and indiscriminate. Getting back control and cutting off access (sessions, recovery options, forwarding rules) is what stops the harm.
Scope note
This is first-step guidance to regain control and prevent immediate damage. Later steps (like device forensics, detailed breach tracing, or wider identity protection) may be useful, but they’re not required to stabilise the situation.
Important note
This guide provides general information, not legal, financial, or IT professional advice. If you’re dealing with active fraud, workplace systems, or significant personal risk, contact your bank/provider/IT team promptly and follow their official instructions.
Additional Resources
- https://www.ncsc.gov.uk/guidance/recovering-a-hacked-account
- https://www.ncsc.gov.uk/section/respond-recover/sole-hacked-accounts
- https://www.gov.uk/report-suspicious-emails-websites-phishing
- https://www.reportfraud.police.uk/
- https://stopthinkfraud.campaign.gov.uk/reporting-fraud/
- https://ico.org.uk/for-the-public/i-m-worried-about-how-an-organisation-has-handled-my-information/what-steps-should-i-take-if-i-have-experienced-a-data-breach/