Two situations, two playbooks
“Hacked” covers two very different situations, and the right first move depends on which one you are in:
- Path A — you can still log in. You noticed strange activity, but your password still works. This is the better case: you hold the controls, and a few minutes of fast work locks the intruder out.
- Path B — you are locked out. The password no longer works, or the account is asking for a code that goes to a number you do not recognize. You will need the provider's recovery flow to prove who you are.
Not sure it was really a break-in? “Is your email hacked? 10 signs and how to verify” walks through the diagnosis. This guide assumes you are past that — something is wrong and you want it fixed.
Path A — you still have access (move fast)
While you can still log in, you can shut the attacker out without waiting on anyone. Do these in order:
- Change the password to something long and unique you have never used anywhere else.
- Sign out all other sessions and devices. Most accounts have a “security” or “your devices” page with a one-click “sign out everywhere.” This kills the attacker's live session — a password change alone does not always do that.
- Check what they left behind. Look at recovery email, recovery phone, two-factor methods, and mail forwarding rules. Attackers add their own so they can get back in. Removing a rogue forwarding rule is its own step — see “Is a hacker still reading your email after a password change?”
- Turn on stronger two-factor if you have not already — an authenticator app or a passkey, not just a text message.
Path B — you are locked out
If the password no longer works, do not keep guessing — go straight to the provider's account-recovery flow. Every major platform has one that verifies your identity through other signals (a device you used before, an old password, billing details) when you no longer hold the password or second factor. The FTC's recovery guide lists the official recovery links for the major email and social platforms.
If the attacker changed your recovery email and phone, the recovery flow still has a path — it simply takes longer and leans harder on history only you would know. Be patient and thorough, and do not pay any “recovery service” that promises to speed it up.
After you are back in
Regaining access is not the finish line. Whichever path you took, lock the account down so it does not happen again — unique password, sign out unknown sessions, fix recovery info, upgrade two-factor, and review connected apps. The full checklist is in “How to secure any account after it has been hacked.”
If money moved, your identity was used, or the same attacker keeps getting back in, account compromise recovery is the SleuthX service that investigates what was accessed and helps shut it down for good.
Sources
- Federal Trade Commission, How To Recover Your Hacked Email or Social Media Account. https://consumer.ftc.gov/articles/how-recover-your-hacked-email-or-social-media-account
- Federal Trade Commission, Email or social media hacked? Here's what to do, 2024. https://consumer.ftc.gov/consumer-alerts/2024/10/email-or-social-media-hacked-heres-what-do
- Cybersecurity & Infrastructure Security Agency (CISA), More than a Password. https://www.cisa.gov/MFA
- Google Account Help, Secure a hacked or compromised Google Account. https://support.google.com/accounts/answer/6294825
















