Account Recovery

How do I recover a hacked email account?

By Bridget · Updated May 2026 · Reviewed by Locket Security Team

★   the short answer

Recover a hacked email account first, before anything else — it controls password resets for every other account. Use your provider's recovery page (Gmail, Outlook), reset the password, then check for malicious forwarding rules, filters, and recovery-address changes the attacker may have added to keep reading your mail.

Why should I recover my email before my social accounts?

Your email is the reset point for nearly every other account. As long as an attacker controls it, they can trigger “forgot password” on your Instagram, bank, and more — and intercept the codes. Locking down email first cuts off their ability to walk back into everything else.

How do I recover a hacked Gmail or Outlook account?

Use the provider's recovery page — google.com/accounts/recovery for Gmail or account.live.com/acsr for Outlook. Verify with a recovery phone, secondary email, or a trusted device, then reset the password. Do this from a device you normally use so the system recognizes you and approves recovery faster.

What hidden settings do email hackers leave behind?

After resetting the password, check for traps: auto-forwarding rules sending copies of your mail elsewhere, filters that auto-delete security alerts, a changed recovery email or phone, and added app passwords or connected apps. Attackers use these to keep reading your inbox even after you change the password.
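For Gmail, the filter list can be exported as an XML file from the Filters settings page and checked in one pass. The script below is an added example, not part of the original article or any Locket tool: it flags filters that forward mail to an address you do not own or that trash, archive, or mark as read messages that look like security alerts. The sample export is constructed, and the `audit_filters` name and `ALERT_WORDS` list are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"atom": "http://www.w3.org/2005/Atom",
      "apps": "http://schemas.google.com/apps/2006"}

# Constructed sample in the shape of a Gmail filter export (mailFilters.xml).
SAMPLE_EXPORT = """<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry>
    <apps:property name='from' value='newsletter@example.com'/>
    <apps:property name='label' value='Reading'/>
  </entry>
  <entry>
    <apps:property name='hasTheWord' value='invoice OR payment'/>
    <apps:property name='forwardTo' value='collector@example.net'/>
  </entry>
  <entry>
    <apps:property name='subject' value='Security alert'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
</feed>"""

# Assumed keyword list for spotting filters aimed at security notifications.
ALERT_WORDS = ("security", "password", "sign-in", "verification", "alert")

def audit_filters(xml_text, own_addresses=()):
    """Return (filter_number, reason) pairs for filters to review by hand."""
    own = {a.lower() for a in own_addresses}
    findings = []
    root = ET.fromstring(xml_text)
    for n, entry in enumerate(root.findall("atom:entry", NS), start=1):
        props = {p.get("name"): p.get("value", "")
                 for p in entry.findall("apps:property", NS)}
        fwd = props.get("forwardTo")
        if fwd and fwd.lower() not in own:
            findings.append((n, f"forwards mail to {fwd}"))
        # Actions that keep a message out of sight in the inbox.
        hides = any(props.get(k) == "true"
                    for k in ("shouldTrash", "shouldArchive", "shouldMarkAsRead"))
        criteria = " ".join(props.get(k, "")
                            for k in ("from", "subject", "hasTheWord")).lower()
        if hides and any(w in criteria for w in ALERT_WORDS):
            findings.append((n, "hides messages that look like security alerts"))
    return findings

if __name__ == "__main__":
    for number, reason in audit_filters(SAMPLE_EXPORT):
        print(f"filter {number}: {reason}")
```

Pass your own addresses as `own_addresses` so that forwarding you set up yourself is not reported. Anything the script flags still needs to be deleted in the mail settings.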

★   quick steps

Recover and clean a hacked email account

  1. Open provider recovery

    Use Google or Microsoft's account-recovery page from a familiar device.

  2. Reset the password

    Set a unique password and sign out all other sessions.

  3. Remove forwarding & filters

    Delete unknown forwarding rules, filters, and app passwords.

  4. Fix recovery details

    Confirm the recovery email and phone are yours, then enable 2FA.

Frequently asked

Most often through a password reused on another site that was breached, or a phishing page that captured your login. A password manager (unique passwords everywhere) plus 2FA on email closes both doors.
