How to Recover a Hacked Gmail Account — Complete Recovery Guide

TL;DR: If your Gmail is hacked, act in this order: try Google’s account recovery form immediately from a device you’ve used before, change your password, sign out of all devices, check forwarding/filters/recovery settings for sneaky changes, and enable 2FA. If you can’t recover within 7 days, fill out the form again from a familiar location — Google’s recovery algorithm weighs recognized devices heavily.

The first hacked Gmail I helped recover was a client’s in 2018. He’d reused the same password across about 40 sites, one of those sites got breached, and the attacker quietly added a forwarding rule before changing the password. He noticed three weeks later when his accountant flagged a wire-transfer email he never sent.

Since then I’ve walked friends, family, and clients through Gmail recovery dozens of times. Some take 10 minutes. Some take 11 weeks. The difference comes down to two things: how fast you act, and whether you submit the recovery form from a device Google already trusts.

Gmail login error screen

How do I know if my Gmail was actually hacked?

Common signs of a Gmail compromise:

  • You can’t sign in even though you’re sure of the password
  • People reply to emails you never sent
  • You see strange activity in myaccount.google.com → “Recent security activity” or “Your devices”
  • Emails are missing from your inbox or sent folder
  • A forwarding address, filter, or mail delegate you didn't create appears in Gmail settings (gear icon → “See all settings” → “Forwarding and POP/IMAP”, “Filters and Blocked Addresses”, “Accounts and Import”)
  • You get a “Critical security alert” email from Google about a new sign-in

If you can still log in and just see suspicious activity, you have it easier — skip to the “lockdown” section below. If you’re fully locked out, start with recovery.

Step 1: Try Google’s account recovery form

This is the official starting point and works for the majority of cases. Two ground rules: use a device you’ve signed into the account from before (your usual laptop or phone), and connect from the network you typically use (home or office Wi-Fi, not a café or a VPN). Google’s recovery algorithm pays close attention to both, because a familiar device and location are the strongest evidence it has that the person asking is you and not the attacker.

  1. Go to accounts.google.com/signin/recovery.
  2. Enter the email address you can’t access. Click Next.
  3. Google will ask you to enter the last password you remember. Use whichever one you’re most confident is correct, even if it’s older. An old password still counts as evidence; it doesn’t have to be the one the attacker replaced.
  4. If you have a recovery phone or email set up, Google will offer to send a code. Use it.
  5. If those fail, click “Try another way” repeatedly until you reach the recovery questionnaire — Google asks when you created the account, what apps you commonly use it for, and a couple of other items.
  6. Submit. If approved, you’ll be prompted to set a new password.
Google account recovery form

If you get a “Google couldn’t verify this account belongs to you” message, that doesn’t mean game over. Wait 24 hours and try again from a device and network you’ve used before. The recovery model gets stricter the more times you fail in quick succession.

Step 2: Lock the account down once you’re back in

The moment you regain access, do these six things in order. Don’t skip any: the attacker may have set up persistence that survives a password change.

  1. Change your password to something unique and strong. Use your password manager to generate it — see my 2026 password manager guide if you don’t have one. Do this from a device you trust to be clean; if there is any chance your usual machine has malware on it, the new password is stolen the moment you type it. Changing the password also signs out most other sessions, but verify that in the next step.
  2. Sign out of all other sessions. Go to myaccount.google.com/security → “Your devices” → click the dropdown next to anything you don’t recognize → “Sign out”. In Gmail on the web, “Last account activity” → “Details” at the bottom of the inbox also shows current sessions and has a “Sign out all other web sessions” button.
  3. Check forwarding settings. Open Gmail → gear icon → “See all settings” → “Forwarding and POP/IMAP”. Delete any forwarding address you didn’t set up, and disable POP and IMAP if you don’t use a desktop mail client. This is the #1 persistence trick attackers use. While you’re there, open “Accounts and Import” and remove anything under “Grant access to your account” (mail delegation) or “Send mail as” that isn’t yours; a delegate keeps reading your mail no matter how many times you change the password.
  4. Check filters. Same Settings panel → “Filters and Blocked Addresses”. Attackers often add a filter that auto-archives, marks as read, or deletes Google security alerts so you don’t see them, or one that quietly forwards anything mentioning an invoice or a wire transfer. Delete any filter you don’t recognize.
  5. Check recovery email and phone. Go to myaccount.google.com/security → “How you sign in to Google” → “Recovery email” and “Recovery phone”. Make sure both are yours, not the attacker’s; a foreign recovery address is a ready-made way to take the account straight back.
  6. Check connected apps and app passwords. myaccount.google.com/connections lists third-party apps with access to the account; revoke anything you don’t actively use. If 2-Step Verification is on, also open myaccount.google.com/apppasswords and delete any app password you didn’t create, because an app password lets a mail client sign in without the second factor.
Gmail settings forwarding section
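Steps 3 and 4 are easy to get wrong by eye when an account has dozens of filters, and Gmail can export all of them as an XML file (Settings → “Filters and Blocked Addresses” → select all → “Export”). The script below is an added example, not code from the original article or from Google: it parses that export format and flags the two persistence patterns described above, a filter that forwards mail to an address you don’t recognize and a filter that hides Google’s security alerts. The sample export embedded in it is constructed for illustration; the sender list in ALERT_MARKERS and the address names are assumptions, not a complete list of what Google uses.

```python
"""Audit a Gmail filter export (mailFilters.xml) for attacker persistence.

Added example for the recovery guide, not part of the original article and not
Google's code. Gmail's filter export is an Atom feed with one <entry> per filter
and one <apps:property name=... value=.../> per criterion or action.
"""
import xml.etree.ElementTree as ET

NS = {
    "atom": "http://www.w3.org/2005/Atom",
    "apps": "http://schemas.google.com/apps/2006",
}

# Assumed markers for Google's own alert mail. Kept short on purpose: the goal is
# to catch filters that target security mail, not to be an exhaustive list.
ALERT_MARKERS = ("accounts.google.com", "security alert", "new sign-in")

# Actions that keep a message out of sight; any of them on alert mail is a finding.
HIDING_ACTIONS = ("shouldTrash", "shouldArchive", "shouldMarkAsRead")

# Constructed sample export: one benign filter, one that hides Google alerts,
# one that forwards anything money-related to an outside address.
SAMPLE_EXPORT = """<?xml version='1.0' encoding='UTF-8'?>
<feed xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry>
    <title>Mail Filter</title>
    <apps:property name='from' value='newsletter@example.com'/>
    <apps:property name='label' value='Newsletters'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry>
    <title>Mail Filter</title>
    <apps:property name='from' value='no-reply@accounts.google.com'/>
    <apps:property name='shouldTrash' value='true'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
  </entry>
  <entry>
    <title>Mail Filter</title>
    <apps:property name='hasTheWord' value='invoice OR wire OR payment'/>
    <apps:property name='forwardTo' value='attacker-drop@example.net'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
</feed>
"""


def parse_filters(xml_text):
    """Return one dict (property name -> value) per filter entry, in file order."""
    root = ET.fromstring(xml_text)
    filters = []
    for entry in root.findall("atom:entry", NS):
        props = {p.get("name"): p.get("value") for p in entry.findall("apps:property", NS)}
        filters.append(props)
    return filters


def audit_filters(filters, trusted_forwards=()):
    """Flag suspicious filters. Returns (filter number, reason, detail) tuples.

    trusted_forwards: addresses you set up yourself, so they are not reported.
    """
    trusted = {t.lower() for t in trusted_forwards}
    findings = []
    for num, f in enumerate(filters, 1):
        # Everything the filter matches on, lower-cased, so marker checks are simple.
        criteria = " ".join(
            v.lower() for k, v in f.items() if k in ("from", "to", "subject", "hasTheWord")
        )
        target = f.get("forwardTo")
        if target and target.lower() not in trusted:
            findings.append((num, "forwards to unrecognised address", target))
        hides = any(f.get(action) == "true" for action in HIDING_ACTIONS)
        if hides and any(marker in criteria for marker in ALERT_MARKERS):
            findings.append((num, "hides Google security alerts", criteria))
    return findings


if __name__ == "__main__":
    # For a real audit: parse_filters(open("mailFilters.xml", encoding="utf-8").read())
    for num, reason, detail in audit_filters(parse_filters(SAMPLE_EXPORT)):
        print(f"filter #{num}: {reason}: {detail}")
```

Run it against your own export with `parse_filters(open("mailFilters.xml").read())` and pass any forwarding address you set up yourself in `trusted_forwards` so only the unknown ones are reported. Filter numbers correspond to the order in the export, which matches the order on the settings page.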

Step 3: Turn on 2-Step Verification immediately

If you didn’t already have it on, that is very likely how this happened: a stolen or reused password alone was enough. Turn it on right now. The walkthrough lives in my two-factor authentication setup guide, but the short version:

  • Go to myaccount.google.com/security → “2-Step Verification” → Get started.
  • Set up an authenticator app (Microsoft Authenticator or Authy) as your primary second factor.
  • Generate and save 10 backup codes in a safe place.
  • Once the app or key is enrolled, remove the text/voice phone option from 2-Step Verification. SMS is the weakest second factor: a SIM swap (see below) hands it to the attacker.

If this Gmail address is your most important account (which for most people it is), I’d also recommend adding a hardware security key such as a YubiKey (any FIDO2 key works, and Google also accepts passkeys). About $30 USD / C$42 from yubico.com. A security key or passkey is the one second factor that can’t be phished, because the browser will only complete the sign-in for the real accounts.google.com, not for a look-alike site.

What if Google’s recovery form keeps rejecting me?

This is where it gets frustrating. Google has no live human support for free Gmail accounts. Your options:

  • Wait and retry from a familiar device. Recent failed attempts count against you for a while, so give it a day, or a week if it keeps failing, then submit again from your home Wi-Fi on the laptop you usually use. That makes a big difference.
  • Fill in as much detail as the questionnaire allows. Account creation month and year, recent apps you used, devices you typically sign in from — answer everything. The more correct details, the more likely the system trusts you.
  • Try a different recovery flow. If you have Android devices that were signed into the account, start the recovery from one of them — sometimes that re-establishes trust and lets you reset the password. This only helps while the device is still recognized; once the attacker’s password change has fully signed it out, it is just another device to Google.
  • If the account is paid (Google Workspace), contact your domain admin or Google Workspace support — they have a human-staffed channel, and the admin can reset your password directly.

What about all the other accounts linked to this Gmail?

Here’s the part most recovery guides miss. If your Gmail was breached, every account that uses that Gmail for password reset is at risk: the attacker could request a reset, use the link, and delete the email so you never saw it. The attacker may have already reset some of them.

Make a list and check each one:

  1. Bank and financial accounts — log in directly, check for unfamiliar logins or pending transfers
  2. Social media (Facebook, Instagram, X, LinkedIn) — log in, check for posts you didn’t make, change the email or password
  3. Amazon, eBay, any shopping accounts — check the recent order history
  4. Cloud storage (Google Drive, Dropbox, OneDrive)
  5. Cryptocurrency exchanges — these are top targets, change passwords immediately

For each one: change the password, enable 2FA if you haven’t, and check for unfamiliar login locations.

How did this happen in the first place?

Almost every Gmail compromise I’ve seen falls into one of four buckets:

  • Password reuse — same password leaked from a different site (check haveibeenpwned.com with your email)
  • Phishing — clicked a fake Google login link and entered credentials
  • Malware — a keylogger or credential-stealing malware on your device
  • SIM swap — attacker took over your phone number and used SMS reset
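The first bucket, password reuse, is the one you can check for yourself. The article points you at haveibeenpwned.com for your email address; the same service also offers a Pwned Passwords API that checks a password itself without ever sending it. The script below is an added example, not code from the original article or from Have I Been Pwned. It shows the k-anonymity protocol: only the first five hex characters of the password’s SHA-1 hash go to the API, the API returns every known hash suffix under that prefix with a breach count, and the match happens on your machine. The range response embedded in it is constructed to show the format (the counts are made up), and the live lookup at the end is optional.

```python
"""Check a password against Pwned Passwords using the k-anonymity range API.

Added example for the recovery guide, not the article's or HIBP's own code.
Only a 5-character hash prefix ever leaves the machine; the password and its
full hash stay local.
"""
import hashlib
import urllib.request

API = "https://api.pwnedpasswords.com/range/"  # real endpoint, documented by HIBP


def split_sha1(password):
    """Return (prefix, suffix): the first 5 and remaining 35 hex chars of SHA-1(password)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(range_text, suffix):
    """Parse a range response ('SUFFIX:COUNT' per line) and return the count for suffix.

    Returns 0 when the suffix is absent, i.e. the password is not in the corpus.
    """
    for line in range_text.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix.upper():
            return int(count)
    return 0


def check_password_live(password, timeout=10):
    """Query the real API. Network access required; only the prefix is sent."""
    prefix, suffix = split_sha1(password)
    req = urllib.request.Request(
        API + prefix,
        # HIBP asks clients to identify themselves; the name here is an assumption.
        headers={"User-Agent": "gmail-recovery-guide-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return count_in_range(resp.read().decode("utf-8"), suffix)


# Constructed range response in the API's format. The third line is the real
# suffix of SHA-1("password"); the counts are illustrative, not HIBP's figures.
SAMPLE_RANGE = """
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824
"""


def check_password_offline(password, range_text=SAMPLE_RANGE):
    """Same logic as the live check, against an already-downloaded range."""
    _, suffix = split_sha1(password)
    return count_in_range(range_text, suffix)


if __name__ == "__main__":
    hits = check_password_offline("password")
    print("offline sample: seen", hits, "times" if hits else "(not in sample)")
    # Uncomment for a real lookup:
    # print("live:", check_password_live("password"))
```

Any non-zero count means the password is in a public breach corpus and should be retired everywhere it was used, not just on Gmail; a zero only means it isn’t in that corpus, not that it is strong. The same prefix query works for checking every password in a manager export, one range download per distinct prefix.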

Once you’re back in, run a malware scan (Windows Security on Windows 11, or pick a third-party tool from my free antivirus comparison) to rule out a keylogger or an infostealer. Infostealers also grab saved browser sessions, which is how some accounts get hijacked with no password entered at all, so if you’re not sure how the compromise happened, treat all your devices as suspect for a week and change the password again from a clean machine once they’re confirmed clean.

Frequently Asked Questions

How long does Gmail recovery actually take?

For most people who set up recovery info ahead of time, it’s a 5-minute process. For people with no recovery email, no recovery phone, and no familiar device, recovery can take days to weeks — or never. For a free account there is no phone number to escalate to; the automated form is the only path.

Can Google permanently delete my account if it stays hacked?

Not automatically. Your account stays active whether you control it or not, because the attacker’s use counts as activity. Google only intervenes if the attacker uses it for clear policy violations (spam, illegal content), and then the result is a suspension you still have to recover from. The longer it stays compromised, the more damage the attacker can do — recover as fast as possible.

Should I just create a new Gmail account?

Only as a last resort. Your old Gmail is the recovery email for dozens of other accounts. If you abandon it, the attacker still controls the recovery path for all of them. Try recovery first, and only create a new one if Google formally locks you out permanently.

Will Google notify me when someone logs in from a new device?

Yes — and these emails are the canary in the coal mine. If you see a “Critical security alert” from Google in your inbox and don’t recognize the device or location, act immediately. Don’t dismiss it as a false alarm.

Is it worth paying for Google One for extra security?

Google One subscriptions ($1.99/mo and up, USD) are mostly about storage. Google has since made its dark web report available to regular Google accounts in most countries, so it is no longer a subscriber-only feature. Either way it only tells you after the fact that your data leaked. For most people, free 2-Step Verification + a password manager + a security key is stronger protection than any Google One upgrade.

Once you’re back in, lock down everything else: my 2FA guide and the 2026 password manager comparison are the natural follow-ups. For overall device security, see free antivirus for Windows 11.

— Mark Thompson, Toronto