How to Tell If Your Email Has Been Hacked

Email is the master key to your digital life — it is connected to your bank, social media, cloud storage, and more. If an attacker gains access, they can reset passwords, intercept sensitive messages, and impersonate you. Knowing the warning signs early can mean the difference between a close call and a full-blown identity crisis.

Warning Signs Your Email Has Been Hacked

Not every sign is obvious. Some are subtle and easy to miss. Here are the most common red flags, grouped by severity:

🔴 Critical — Act Immediately

• Your password no longer works and you did not change it
• You received a password reset confirmation you did not request
• Your recovery phone number or backup email has been changed
• Two-factor authentication has been disabled without your knowledge
• You have been locked out of your account entirely

🟠 Serious — Investigate Now

• Emails appear in your Sent folder that you did not write
• Contacts report receiving spam, phishing, or strange messages from you
• You see login alerts from unfamiliar locations, devices, or IP addresses
• New email forwarding rules or filters have been created without your knowledge
• Unfamiliar apps or services have been granted access to your account

🟡 Suspicious — Worth Checking

• You stop receiving emails you normally get (attacker may have set up filters to delete or redirect them)
• Read receipts show emails were opened before you saw them
• Your email signature, display name, or profile photo has changed
• You see unfamiliar calendar invites or contact additions
• Password reset emails from other services you did not request (attacker may be trying to pivot)

How to Check If You Have Been Compromised

1. Review Login Activity

Every major email provider keeps a log of recent sign-ins. Check for logins from devices, browsers, or locations you do not recognise. Look for activity at unusual hours.

• Gmail: myaccount.google.com/security → Recent security activity
• Outlook: account.microsoft.com → Security → Sign-in activity
• Yahoo: login.yahoo.com → Recent activity
• iCloud: appleid.apple.com → Devices
• Proton Mail: Settings → Security and privacy → Session management

2. Check Email Forwarding Rules

This is one of the most common persistence techniques. Attackers create a forwarding rule so they continue receiving copies of your emails even after you change your password. Check your email settings for any forwarding addresses or filters that redirect, auto-delete, or label messages you did not set up.

3. Audit Connected Apps and Devices

Review which third-party apps, services, and devices have access to your email account. Revoke access for anything you do not recognise. Attackers may install OAuth apps that retain access even after a password change.

4. Check haveibeenpwned.com

Visit haveibeenpwned.com and enter your email address. This free service checks whether your email or password appeared in known data breaches. If your credentials were exposed in a breach, attackers may have used them to access your email.

5. Check Recovery Settings

Verify that your recovery phone number, backup email address, and security questions have not been changed. Attackers often modify these to maintain access and block your recovery attempts.