We mostly assume our email account is secure until we start seeing odd things. Then we worry that we’ve become another victim of a hacked email account and try to find out what to do.
How do I know if my email has been hacked?
- You have 2-3 different people ask about odd emails.
- Your Trash or Sent mail folders have messages you don’t recognize.
- Your email account password stops working.
- You’ve reused your password on another site found in a breach database.
- You see a verified news story about a hack at your email provider.
- Your online account shows access from unexpected locations.
- Your computer was also recently compromised.
No individual test alone is definitive proof that your account was compromised. Let’s walk through each of these tests, how to check them, and some simple steps for fixing the problems.
Table of Contents
- 1. You’re Asked About Odd Emails
- 2. You’re Seeing Strange Emails in Your Account
- 3. Your Email Password Stops Working
- 4. You’ve Found Your Login Info In A Breach Database
- 5. You’re Seeing News Stories About a Hack At Your Email Service
- 6. You’re Notified About Unexpected Location
- 7. Your Computer Was Also Recently Hacked
- Final Thought
- Related Questions & Tips
1. You’re Asked About Odd Emails
One of the first and best signals that your email account may have been compromised can come from your contacts list. If two or three different family members, friends, or work colleagues ask you about an odd email you sent them, this is a reliable indicator. They care about you and their account safety.
Many times the message they receive is a phishing email that might be asking for personal info or a request to review an attachment or link. Since your contacts know you, they’ll often be able to tell that the wording looks suspicious.
If you think something is up, but have not had a friend or family member contact you, you can proactively ask if they have received any emails out of the ordinary. They’re usually more than happy to check their email account especially in the case where their account might be at risk of receiving a compromised email.
Unfortunately, there is not an automated filter to prevent phishing emails from being sent out from your account. Most personal email systems do not have outbound detection.
What you can do: Add a unique and consistent email signature to every outbound email. Be sure to set this up so it’s included at the end of new and reply messages whether you’re on desktop, laptop, tablet, or mobile. Most malware in a compromised account will not take the extra step to add your distinct email signature.
2. You’re Seeing Strange Emails in Your Account
There are two big targets for a hacker trying to get access to your email account.
First, the attacker wants your email contacts list. This will give them the ability to expand their reach. The more people they can potentially attack the higher the likelihood they will reach their goal.
The second target a hacker is after is your “trust line”. This is the more valuable benefit of accessing your account. The people we like and love in our lives, and the corporations we do business with, trust us. If an email comes from a trusted source, we’re more likely to comply with the request or content of that message.
What you can do: Take a moment right now to review the following within your email account:
- Look closely at your Sent Messages and Trash folders, but review all of your other folders, labels, etc. as well. Do you see a password reset email or other unrecognized messages?
- Look for emails with subject lines you do not know. They will stick out.
- Look for emails from people not in your address book or you don’t recognize.
- Look back 1 month. The last few weeks of message history will give you a good idea if you should be concerned.
If you find emails that you’re 80%+ sure look suspicious, then mark/report the messages as spam, or drag them to the spam/junk folder. Leaving them in their current location in your account isn’t valuable. By setting these found emails as spam/junk, you’re teaching the security software at your email service provider to recognize future emails.
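The folder review above, together with the signature tip from section 1, can be run as a script over exported mail. This is an added example, not part of the original article; the signature text, address book, subject patterns and sample messages are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime
import re

# Assumed for this example: your signature line and your address book.
SIGNATURE = "-- Sam Doe | written by me, not a bot"
ADDRESS_BOOK = {"mom@example.org", "lee@example.com"}
RESET_RE = re.compile(r"password (reset|change)|verify your account", re.I)

# Constructed (folder, raw message) pairs standing in for exported mail.
SAMPLE = [
    ("Sent", "Date: Mon, 03 Jun 2024 09:00:00 +0000\nTo: mom@example.org\n"
             "Subject: Dinner Sunday\n\nSee you at 6.\n" + SIGNATURE),
    ("Sent", "Date: Tue, 04 Jun 2024 02:13:00 +0000\nTo: lee@example.com, x9@example.net\n"
             "Subject: Please review invoice\n\nOpen the attached file.\n"),
    ("Trash", "Date: Tue, 04 Jun 2024 02:10:00 +0000\nFrom: no-reply@shop.example\n"
              "Subject: Password reset requested\n\nUse this link.\n"),
    ("Sent", "Date: Mon, 01 Jan 2024 10:00:00 +0000\nTo: x9@example.net\n"
             "Subject: Old message\n\nOutside the window.\n"),
]

def review(messages, now, days=30):
    """Return (folder, subject, reasons) for odd messages from the last `days` days."""
    cutoff = now - timedelta(days=days)
    findings = []
    for folder, raw in messages:
        msg = message_from_string(raw)
        if parsedate_to_datetime(msg["Date"]) < cutoff:
            continue  # older than the review window
        reasons = []
        # Sent mail is checked by recipient, everything else by sender.
        header = "To" if folder == "Sent" else "From"
        people = {addr.lower() for _, addr in getaddresses(msg.get_all(header, []))}
        unknown = sorted(people - ADDRESS_BOOK)
        if unknown:
            reasons.append(f"not in address book: {', '.join(unknown)}")
        if RESET_RE.search(msg["Subject"] or ""):
            reasons.append("password-reset style subject")
        if folder == "Sent" and SIGNATURE not in msg.get_payload():
            reasons.append("missing signature")
        if reasons:
            findings.append((folder, msg["Subject"], reasons))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE, datetime(2024, 6, 10, tzinfo=timezone.utc)):
        print(finding)
```

A sent message that reaches an unknown recipient and also lacks your signature is the strongest signal of the three.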
3. Your Email Password Stops Working
If an attacker gains access to your account, they may change your email password and/or online account settings to stop you from stopping them.
You might notice that one of your logged-in sessions, like webmail or your email app or program, may stop working. It may then prompt you to log back in.
Heads Up: Some email systems require a regular password change for security purposes.
If you do not remember changing your account password recently, this may be an obvious sign that we need to check on.
What you can do: Grab another device, smartphone, tablet, computer, that you do not usually use for email. Launch a web browser and attempt to log into your email account.
Does your password work? If you’re granted access like normal, then you’re probably okay. If your email password is rejected and does not work, then start the account recovery.
Here are simple steps to recover access to your email account:
- The easiest process is to use your regularly-used device. It may still have valid access to your account even if your password was updated. Quickly take this opportunity to update the hacker’s password to a new strong password.
- The next option is to use your email company’s automated recovery process. This varies widely based on your provider. On your webmail login screen, look for a “forgot password” option. The process will usually ask you for additional information from your account. The system may send you a text message, call your phone number, or ask other private information as a way to ensure it’s you.
- Some email service providers offer the ability to use a recovery email address. Since most people have multiple online accounts, notices about unexpected logins, password updates, and account recovery can go through your secondary email address.
- The last resort might be to contact your email provider via phone to talk to a representative to help guide you through recovering access. Be prepared to know your login details such as security question answers, addresses on file, etc.
4. You’ve Found Your Login Info In A Breach Database
The number one bad habit for personal account security is using short and commonly-known passwords. This is completely against password best practices.
The second-most-common password mistake is reusing passwords on multiple sites/services.
If you’re not using a password manager, think back. Are you reusing your email account’s password on another service? What happens if a data breach occurs on that other service? Yup. Maybe an attacker got your email username and password from a dark web dump of stolen credentials.
There are a few reputable services that provide reporting on hacks and data breaches. These mass dumps of sensitive data often include the service name, email addresses, usernames, passwords, and any other data that has been leaked.
What you can do: Let’s use a breach database to help identify if your email account username and password have been leaked.
The most widely respected, easy-to-use, and free-of-charge option is Have I Been Pwned (HIBP). On the site, enter your email address and click the “pwned?” button or press Enter on your keyboard.
A list of data breaches that contained your email address will display in the results.
A word of caution: Never enter both your email address/username and password on any site other than the one it’s intended for.
Did HIBP show that your email address was hacked on another site/service? Did you reuse the password there? 😟
From here, we need to start using unique passwords on each site/service and, of course, go change your email account’s password immediately.
Go. Now. Seriously. Update it.
While you’re there and if you’ve not already, enable two-factor authentication which may also be called multi-factor or two-step authentication.
5. You’re Seeing News Stories About a Hack At Your Email Service
Data breach databases like the one above will often find and report on password hacks even before the affected company discloses the incident.
Unless you are a nerd (eerrr tech enthusiast) like me, you might first hear of a mass leak of credentials via news outlets. This step is a bit of a lagging indicator of a problem with your email account, but it is worth keeping an eye on as verification.
As long as your news sources are well-known, stories from reputable companies will often help confirm that your account is part of the hack.
What you can do: If you do not read the news or scroll social media, a service like Google Alerts can help by crawling the Internet and alerting you to data breach stories.
Here’s my search if you’d like to copy-paste it into Google Alerts:
(hacking OR hacked) -death -"growth hacking"
You may want to proactively search even if you’ve not seen stories in your regular browsing. Search for something like hack or data breach plus the name of your email provider. Use the time and/or news filters in your favorite, trusted search engine to surface stories.
6. You’re Notified About Unexpected Location
Email service companies record a surprising amount of information about your login activity and general use of their service. One of these is something called an IP address. You can use the IP address history list to help see if someone is accessing your account from another location.
What you can do: In your email provider’s webmail, you can often find the latest or a history of these IP addresses listed.
Here’s where to find login details and IP address history in some of the common email providers:
- Gmail: In Gmail’s webmail, click the “Details” link in the lower right of the page.
- Outlook: Use Microsoft’s Activity page at https://account.live.com/Activity
- Yahoo: Go to the Recent Activity page at https://login.yahoo.com/account/activity
Not every email service gives you access to this history, so you may have to contact their customer support. If the company does not make this list readily available to you, this might be a good indication that they may not have their customers’ data security as a top priority.
Fixing this again depends on your email provider’s capabilities. Gmail, for example, provides the ability for one session to sign out other session locations.
The most sure-fire fix is to reset your password and turn on two-factor authentication (which should already be on).
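Once you have copied the activity list out of your provider’s page, the comparison against your usual locations can be automated. This is an added example, not part of the original article, and it goes one step beyond the text by also flagging a country change that happens too quickly to be travel; the known networks, home country and activity rows are constructed assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

# Assumptions for this example: the networks and countries you normally sign in from.
# The addresses are documentation ranges, not real hosts.
KNOWN_NETS = [ipaddress.ip_network("203.0.113.0/24"),
              ipaddress.ip_network("2001:db8:10::/48")]
HOME_COUNTRIES = {"US"}

# Constructed activity export: time, IP address, country, client.
# Real providers show similar fields in their own layout.
ACTIVITY = """\
2024-06-03T08:02:11Z,203.0.113.24,US,Browser
2024-06-03T19:40:05Z,2001:db8:10::5,US,Mobile
2024-06-03T20:15:47Z,198.51.100.77,RO,IMAP
2024-06-04T07:58:30Z,203.0.113.24,US,Browser
"""

def flag_logins(text, travel_window=timedelta(hours=2)):
    """Return (time, ip, client, reasons) for sign-ins that do not match your usual pattern."""
    rows = []
    for line in text.strip().splitlines():
        ts, ip, country, client = (field.strip() for field in line.split(","))
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        rows.append((when, ipaddress.ip_address(ip), country, client))
    rows.sort(key=lambda row: row[0])  # oldest first

    flagged, previous = [], None
    for when, addr, country, client in rows:
        reasons = []
        if not any(addr in net for net in KNOWN_NETS):
            reasons.append("IP outside known networks")
        if country not in HOME_COUNTRIES:
            reasons.append(f"unexpected country {country}")
        # A different country minutes after the last sign-in is not plausible travel.
        if previous and country != previous[1] and when - previous[0] <= travel_window:
            reasons.append("country changed faster than travel allows")
        if reasons:
            flagged.append((when.isoformat(), str(addr), client, reasons))
        previous = (when, country)
    return flagged

if __name__ == "__main__":
    for entry in flag_logins(ACTIVITY):
        print(entry)
```

A VPN or mobile carrier can make a legitimate sign-in look foreign, so treat a flagged row as a prompt to check the client and time, not as proof.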
7. Your Computer Was Also Recently Hacked
There is loads of malicious software floating around the Internet for all operating systems: Windows, macOS, and Linux. In the normal course of using a desktop or laptop computer, you’ll likely need to install some software.
But, if you’ve recently installed new software or clicked attachments or links in emails that infected your computer, there’s an increased risk that your email may also have been hacked.
What you can do: Here are a few security measures to take before you receive malware.
- First, consider the security risk of installing the new software.
- Be sure to check the source of the software.
- Keep your operating system up to date.
- Ensure you have malware protection installed, updated, and activated.
Note: Both Windows and macOS include malware/antivirus software. Make sure it’s active.
Final Thought
It’s a scary, annoying, and all-too-frequent occurrence that email accounts are compromised and exploited. Use the 6 tests above to give you a good action plan on what you can do if you think your email account has been hacked.
Related Questions & Tips
Can you get hacked by replying to an email? Replying to an email is relatively safe as long as you are not providing sensitive information. Remember that most emails are like postcards. The to, from, contents, and attachments can be read quite easily throughout the life of that email.
Can you get a virus just by opening an email? Simply opening an email will not cause you to get a virus…most of the time. There are some emails using scripts or carefully-crafted attacks, but they are more rare. Mostly an email virus comes from user interaction like clicking on a link or opening an attachment.
Is Have I Been Pwned a legit site? Yes. The owner and author of this site is Troy Hunt, a well-respected security researcher, educator, and speaker. The Have I Been Pwned (HIBP) mission is to help keep the public aware of data breaches. It is continuously updated and free of charge to use.