What to do if…
your email account password is changed and you did not do it
Short answer
Treat this as an account takeover: use your email provider’s official account-recovery process immediately, then sign out everywhere and turn on 2-factor authentication before doing anything else.
Do not do these things
- Don’t use password-reset links from messages you didn’t request (go directly to the provider’s site/app).
- Don’t keep guessing passwords repeatedly (it can trigger longer lockouts).
- Don’t reuse an old password or a “close enough” variation.
- Don’t forget to check forwarding/rules/authorized apps — attackers often leave a backdoor there.
- Don’t warn people using the compromised email account (the attacker may still be reading it).
What to do now
- Switch to a safer device if you suspect malware. If your computer/phone might be infected (unknown extensions/apps, strange behavior), use a different device to recover the account, and run updates and a reputable security scan on the original device before signing in again.
- Start provider recovery from the official site/app. Use the provider’s built-in “account recovery” flow and complete all verification steps. If your recovery email/phone was changed, keep going — many providers offer alternative verification paths.
- When you regain access, sign out everywhere and remove unknown access.
  - Sign out of all devices/sessions.
  - Remove unfamiliar “connected apps”, third-party mail clients, and devices.
- Set a new, unique password (then store it). Use a long, unique password you’ve never used elsewhere; a password manager is the safest way to create and keep it.
- Turn on 2-factor authentication (2FA) and secure recovery options.
  - Enable 2FA (authenticator app or security key if available).
  - Verify that the recovery phone and recovery email are yours.
  - Save backup codes somewhere safe that you can reach if you get locked out again.
- Check your mailbox settings for attacker “persistence”. Remove anything you did not set:
  - forwarding addresses
  - rules/filters
  - delegated access / “mailbox sharing”
  - “send as” addresses
  - signatures/auto-replies that could spread scams
- Triage other accounts that rely on that email (start with the highest-risk).
  - Banking, credit cards, payment apps: change passwords (unique) and enable 2FA.
  - Mobile carrier account: sign in (or call support) and set/verify a port-out/transfer PIN (and remove unknown lines/devices). This helps reduce SIM-swap/number-porting risk.
  - Primary social accounts: change passwords (unique) and enable 2FA.
- Tell key people using a different channel. If your email is used for invoices, work approvals, or family finances, quickly alert those contacts by phone/text/another email: “Ignore unexpected requests from me until I confirm.”
- If you lost money or your account was used for fraud, report it carefully.
  - For identity theft recovery steps, use IdentityTheft.gov.
  - For cyber-enabled fraud/scams (including business email compromise), you can file a report with the FBI’s IC3 — but type ic3.gov directly in your browser (don’t rely on ads or lookalike links). Be wary of anyone claiming to be “IC3/FBI” who asks for a fee to “recover” your money.
- If this is a work or school account, escalate immediately. Contact IT/security right away — they may need to reset sessions, block forwarding, and protect other accounts tied to your identity.
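The persistence checklist above (forwarding, rules/filters, delegated access, “send as” identities) can be turned into a quick triage pass over an exported snapshot of mailbox settings, which is handy when IT is helping several people at once. This is an added example, not part of the original guide or any provider’s tooling; the field names, rule layout and sample addresses are assumptions, since each provider exports settings in its own format.

```python
# Added example (not part of the original guide): triage a constructed export of
# mailbox settings for the persistence items in the checklist. Field names, rule
# layout and sample values are assumptions; adapt the keys to your provider's export.
# Wording attackers commonly hide or divert (assumed, illustrative list).
SENSITIVE_WORDS = ("password", "invoice", "bank", "wire", "verification code")
HIDE_ACTIONS = {"delete", "mark_read", "archive", "move_to_folder"}
DIVERT_ACTIONS = {"forward", "redirect"}

def external(addr, owned):
    """True if the address is not one the mailbox owner controls."""
    return addr.strip().lower() not in owned

def audit_persistence(settings):
    """Return one finding per setting the owner should remove or confirm."""
    owned = {a.lower() for a in settings["owner_addresses"]}
    findings = []
    for addr in settings.get("forwarding", []):
        if external(addr, owned):
            findings.append(f"forwarding: mail copied to external address {addr}")
    for r in settings.get("rules", []):
        actions = set(r.get("actions", []))
        match = r.get("match", "").lower()
        targets = [t for t in r.get("to", []) if external(t, owned)]
        if actions & DIVERT_ACTIONS and targets:
            findings.append(f"rule {r['name']!r}: diverts mail to {', '.join(targets)}")
        if actions & HIDE_ACTIONS and any(w in match for w in SENSITIVE_WORDS):
            findings.append(f"rule {r['name']!r}: hides messages matching {match!r}")
    for d in settings.get("delegates", []):
        if external(d, owned):
            findings.append(f"delegate: {d} can read and send from this mailbox")
    for a in settings.get("send_as", []):
        if external(a, owned):
            findings.append(f"send-as: identity {a} is not one you own")
    return findings

# Constructed sample export; example.* and .test domains are placeholders.
SAMPLE = {
    "owner_addresses": ["me@example.com", "me.backup@example.net"],
    "forwarding": ["me.backup@example.net", "archive.sync7@example-mail.test"],
    "rules": [
        {"name": "Receipts", "match": "receipt", "actions": ["move_to_folder"], "to": []},
        {"name": ".", "match": "password", "actions": ["mark_read", "delete"], "to": []},
        {"name": "Sync", "match": "invoice", "actions": ["forward"], "to": ["acct@example-mail.test"]},
    ],
    "delegates": ["assistant.temp@example-mail.test"],
    "send_as": ["me@example.com", "billing@example-mail.test"],
}

for finding in audit_persistence(SAMPLE):
    print("REMOVE or CONFIRM:", finding)
```

A rule named “.” that marks matching mail read and deletes it is the kind of low-visibility entry worth checking by hand even when the export looks clean, because the owner rarely notices it in a rules list.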
What can wait
- You don’t need to fully diagnose how it happened right now.
- You don’t need to delete your entire email history or close the account immediately.
- You don’t need to contact everyone — focus on anyone who might act on urgent requests (payments, password resets, “new bank details”, gift cards).
- You don’t need to make a law-enforcement report unless there’s fraud, financial loss, or you’re advised to by the relevant agency.
Important reassurance
This happens to careful people, often through automated attacks or stolen credentials from unrelated breaches. The key is regaining control and removing the attacker’s access paths (sessions, recovery info, forwarding/rules).
Scope note
This is first-step guidance to stabilize the situation and prevent immediate harm. Longer-term cleanup (device hardening, breach monitoring, credit protections) can be done later if needed.
Important note
This guide is general information, not legal, financial, or IT professional advice. If you have active fraud, major financial exposure, or a workplace incident, follow your provider/bank/IT team instructions and get help promptly.
Additional Resources
- https://www.identitytheft.gov/Info-Lost-or-Stolen
- https://www.identitytheft.gov/
- https://www.ic3.gov/
- https://www.fbi.gov/investigate/cyber/alerts/2025/threat-actors-spoofing-the-fbi-ic3-website-for-possible-malicious-activity
- https://www.fbi.gov/how-we-can-help-you/scams-and-safety/common-frauds-and-scams/business-email-compromise
- https://consumer.ftc.gov/articles/use-two-factor-authentication-protect-your-accounts