Google Account Hacked: How to Recover and Secure Everything
A hacked Google account is one of the most serious digital security events you can experience. Google controls Gmail, YouTube, Google Drive, Google Photos, Google Pay and the entire Android ecosystem – so a single breach can ripple across your entire digital life.
The good news: Google provides robust recovery tools. The bad news: attackers know this too and often change recovery details within minutes. The faster you act and the more methodically you follow the right steps, the higher your chances of full recovery.
How to Tell if Your Google Account Is Hacked
Not every suspicious event means a hack, but several signs together should raise immediate concern:
- Unfamiliar sign-in alerts – Google sends notifications about logins from new devices or locations. If you see one you don't recognize, take it seriously.
- Password no longer works – if you're suddenly locked out despite not changing anything, someone else likely did.
- Recovery email or phone changed – check your Google Security settings. If your recovery details look unfamiliar, an attacker may have replaced them.
- Sent emails you didn't write – check your Gmail "Sent" folder for messages you don't recognize, especially password resets or spam.
- Security alerts from Google – Google proactively warns about suspicious activity. Don't ignore these emails.
If you notice even two of these signs, treat it as a confirmed incident and move to immediate action.
First Steps Within 15 Minutes
Speed matters. The longer an attacker holds your account, the more damage they can do and the harder recovery becomes.
- Try to sign in immediately – go to accounts.google.com. If you can still log in, you have the advantage.
- Change your password – use a completely new, unique password. Never reuse one from another service.
- Review active sessions – in Google Security settings, check "Your devices" and sign out anything unfamiliar.
- Check recovery info – verify that your recovery email and phone number are still yours. If not, change them back now.
- Check for forwarding rules – in Gmail settings, look for any forwarding addresses or filters you didn't create. Attackers often set these up to silently receive copies of your emails.
If you can't sign in at all, skip directly to the recovery process. Don't waste time on repeated login attempts – they can trigger rate limits.
Recovery via Google's Account Recovery Page
Google's official recovery page at accounts.google.com/signin/recovery is the primary way to regain access when you're locked out. Here's how to approach it effectively:
- Use a familiar device and network – Google considers the device, browser and location you're recovering from. Use the same computer or phone you normally sign in with.
- Enter your email address and follow the prompts. Google may ask you to enter the last password you remember, receive a code on your recovery phone, or verify via a recovery email.
- Answer questions accurately – if Google asks when you created the account or other security questions, answer as precisely as you can.
- Be patient and consistent – if your first attempt doesn't work, wait a few hours before trying again. Multiple rapid attempts from different devices reduce your credibility in Google's system.
Google's recovery system is algorithmic – it weighs multiple trust signals. A calm, consistent approach from a recognized device works better than frantic attempts from new locations.
What to Do if Your Recovery Email and Phone Were Changed
This is the most difficult scenario: the attacker has replaced your recovery channels, effectively cutting off standard recovery paths. But it's not hopeless.
- Try older recovery info – Google sometimes accepts previously linked phone numbers or email addresses, even if they're no longer the current recovery option.
- Use the recovery page anyway – even without current recovery info, Google may offer identity verification through other signals: device history, account creation date, or recently used passwords.
- Check for active sessions – if you're still signed in on any device (phone, tablet, old laptop), use that session to regain control before the attacker revokes it.
- Submit an identity verification request – for accounts with significant history, Google may allow manual verification through a series of questions.
If you've tried all available options and remain locked out, the situation likely requires a more systematic approach. See the section on what to do when recovery doesn't work for additional strategies.
How to Secure Your Google Account After Recovery
Recovering access is only half the job. If you don't close the original vulnerability, the attacker can get back in. After regaining control:
- Set a strong, unique password – at least 12 characters, never used anywhere else.
- Review and update recovery info – make sure both your recovery email and phone number are correct and secure.
- Enable two-factor authentication – SMS-based 2FA is the most practical option for most users. See the 2FA section below for details.
- Revoke suspicious third-party access – check "Third-party apps with account access" in your Google Security settings and remove anything you don't recognize.
- Review Gmail filters and forwarding – remove any forwarding rules or filters the attacker may have created.
- Check Google Pay and saved payment methods – if financial data is linked, verify nothing was added or changed.
Think of this as a full security audit, not just a password change. If you want to make sure nothing is missed, our guide on protecting your accounts covers the complete checklist.
Impact on YouTube, Drive and Connected Services
A Google account isn't just email. When it's compromised, the blast radius extends to every connected service:
- YouTube – the attacker can upload content, change your channel name, delete videos, or use your channel for scams. Monetized channels are especially targeted.
- Google Drive – personal documents, shared files, photos and sensitive data may be exposed or deleted.
- Google Photos – private images backed up automatically can be accessed or downloaded.
- Google Calendar – appointments, meeting links and contact details become visible.
- Chrome browser – saved passwords, bookmarks and browsing history sync to the compromised account.
- Third-party logins – any service where you use "Sign in with Google" is now accessible to the attacker.
After recovery, audit each of these services individually. Pay special attention to securing your email first, since it's the foundation everything else depends on.
Android Devices and Your Google Account
If you use an Android phone or tablet, a compromised Google account is especially dangerous. The attacker can potentially:
- Track your location via Google Maps timeline or Find My Device
- Read your messages if Google Messages backup is enabled
- Install apps remotely through the Google Play Store
- Access your contacts synced with Google
- Lock or wipe your device using Find My Device
After recovering your Google account, immediately check your Android device security: review installed apps, check that Find My Device is under your control, and verify no unfamiliar device management profiles have been added. If you suspect the phone itself is compromised, a factory reset may be necessary after backing up essential data.
Two-Factor Authentication: SMS as the Most Practical Option
Two-factor authentication adds a second verification step beyond your password. For most users, SMS-based 2FA is the most practical and reliable choice – it works on any phone, requires no extra apps, and is easy to set up.
To enable SMS 2FA on Google:
- Go to myaccount.google.com → Security → 2-Step Verification
- Click "Get started" and sign in
- Enter your phone number and choose to receive codes via text message
- Enter the verification code Google sends to confirm
While authenticator apps and security keys offer additional options, SMS 2FA provides strong protection without complexity. The most important thing is to have some form of 2FA active – a phone number you control is the fastest way to get there.
For a deeper understanding of all 2FA types, see our complete guide to two-factor authentication.
When to Seek Professional Help
Not every hacked Google account requires outside help. But certain situations go beyond what self-service recovery can solve:
- Recovery attempts have failed repeatedly over several days
- Both recovery email and phone number were changed by the attacker
- The attacker enabled their own 2FA on your account
- The account is linked to business operations, financial services, or a YouTube channel with revenue
- You suspect the problem extends beyond Google – compromised device or hacked email
In these cases, a structured professional approach can identify the root cause and recover the account without the trial-and-error that often makes things worse. RelyShield specializes in exactly these situations.
Frequently Asked Questions
- Can I recover my Google account without a phone number?
- Yes, but it's harder. Google may offer alternative verification methods such as a recovery email, security questions, or device-based verification. Use the recovery page from a device and browser you normally sign in with for the best chance.
- How long does Google account recovery take?
- Simple cases with working recovery info take minutes. Complex cases where recovery details were changed can take hours to several days, depending on Google's identity verification process. Patience and consistency improve outcomes.
- Does a hacked Google account mean my Android phone is compromised too?
- Not necessarily, but the risk is real. A compromised Google account gives the attacker potential access to your Android device remotely – including location, contacts, and the ability to install apps. After recovery, audit your phone security and consider a factory reset if anything looks suspicious.
- What to do if Google asks for identity verification?
- Follow the prompts carefully. Google may ask for the account creation date, previously used passwords, or other details. Answer as accurately as possible. Using a familiar device and network improves your verification chances significantly.
- Can RelyShield help recover a Google account?
- Yes. RelyShield helps when standard recovery methods fail – especially in complex cases where recovery info has been changed, the attacker enabled 2FA, or the breach extends beyond the Google account itself. We follow a structured process with clear pricing.