Key Takeaways
- Start at HaveIBeenPwned.com — one search tells you which past breaches exposed your email and what data leaked.
- Check your email’s recent login history for unfamiliar devices, countries, or IP addresses right now.
- Inspect hidden forwarding rules and filters — attackers often silently forward emails to their own address and leave no other trace.
- Full recovery: change password, revoke app passwords, enable 2FA with an authenticator app, and sign out all sessions.
- Rotate passwords on any account tied to that email — attackers use leaked credentials to pivot into banking, social, and cloud accounts.
Billions of email credentials have been exposed in data breaches over the past decade, and attackers routinely test stolen credentials with automated tools. Signs that your email was hacked range from the obvious (contacts receiving spam from you, being locked out of your account) to the invisible (an attacker silently forwarding your emails elsewhere). This guide walks through exactly how to check if your email was hacked, using free tools, and the complete step-by-step recovery process if it has been.
Step 1: Check HaveIBeenPwned.com
The fastest way to check if your email address appeared in a data breach is haveibeenpwned.com—a free service maintained by security researcher Troy Hunt that aggregates credentials from thousands of publicly leaked breach databases.
- Go to haveibeenpwned.com (no account required)
- Enter your email address in the search box
- Press Enter or click “pwned?”
Green result (“Good news”): Your email was not found in known breach databases. This does not guarantee you were never compromised—unindexed or private breaches exist—but it means your credentials have not been publicly exposed in known dumps.
Red result (“Oh no — pwned!”): Your email appeared in one or more breaches. The result shows the breach name, date, and what data was exposed (passwords, phone numbers, addresses). Important: appearing in a breach does not automatically mean your current account is compromised—it means your credentials from that breach were exposed. If you changed your password after the breach date, you may be fine. If you reused that password elsewhere, you are not.
Also check the Passwords tab at haveibeenpwned.com/passwords—enter a password to see if it appears in any breach dump. The service uses k-anonymity, so your full password is never transmitted.
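How the k-anonymity lookup keeps the password on your machine, as an added example that is not code from this guide or from the HaveIBeenPwned project: the client hashes the password with SHA-1, sends only the first five hex characters, and compares the returned suffixes locally. The corpus, counts and function names are constructed, and `constructed_range_response` is a local stand-in for the service's range endpoint.

```python
import hashlib

def sha1_hex(password):
    """Uppercase SHA-1 hex digest, the form used for range lookups."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_for_range_query(password):
    """Return (prefix sent to the service, suffix that never leaves the client)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]

# Constructed stand-in for a breach corpus: password -> times seen (made-up counts).
CONSTRUCTED_CORPUS = {"password": 3, "hunter2": 7, "letmein": 12}

def constructed_range_response(prefix):
    """Server side: sees only the 5-character prefix, answers with SUFFIX:COUNT lines."""
    lines = []
    for pw, count in CONSTRUCTED_CORPUS.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    # Padded responses carry filler entries with a count of 0; include one here.
    lines.append("0" * 35 + ":0")
    return "\r\n".join(lines)

def breach_count(password, fetch_range=constructed_range_response):
    """Client side: fetch every suffix sharing our prefix, then match locally."""
    prefix, suffix = split_for_range_query(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix and count.isdigit():
            return int(count)  # a count of 0 is padding, not a real hit
    return 0

if __name__ == "__main__":
    for pw in ("password", "hunter2", "a-long-unique-passphrase-not-in-corpus"):
        prefix, _ = split_for_range_query(pw)
        print(f"sent prefix {prefix} -> seen {breach_count(pw)} times")
```

To query a live service instead, pass a `fetch_range` callable that performs the HTTP request for the prefix; the matching logic stays the same.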
Step 2: Check Your Email Login History for Suspicious Activity
For Gmail:
- Go to myaccount.google.com/security → scroll to “Recent security activity” to see logins, password changes, and 2FA events with device/location/time.
- In Gmail itself: scroll to the bottom of any inbox page and click “Details” (bottom-right corner) → shows last 10 active sessions with IP address, device type, location, and time. Use “Sign out all other sessions” if you see unfamiliar logins.
- Full device list: myaccount.google.com/device-activity
For Outlook / Microsoft:
- Go to account.microsoft.com/security → click “Review activity” → “See my activity”
- Shows successful and failed sign-in attempts with device, location, browser, and date/time
- You can flag suspicious entries directly from this page
- Active sessions and devices: account.microsoft.com/devices
Look for logins from unfamiliar countries or cities, unusual times (3am when you were asleep), or device types you don’t own.
Step 3: Check for Hidden Email Forwarding Rules
This is the step most people miss. When attackers gain access to an email account, they often set up silent forwarding rules that copy every incoming email to an address they control—so they can continue reading your emails even after you change your password. Always check this if you suspect a breach.
In Gmail: Click the gear icon → “See all settings” → check both the Filters and Blocked Addresses tab (delete any rules you didn’t create) and the Forwarding and POP/IMAP tab (remove any unauthorized forwarding addresses). Also check Accounts and Import → “Send mail as” for any aliases you didn’t add. Note: mobile apps do not show forwarding rules—you must check via a browser.
In Outlook (web): Go to Settings → Mail → Rules (delete unknown rules) and Settings → Mail → Forwarding (disable any unauthorized forwarding).
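The Gmail check above can also be run over an export of your filters, as in this added example (not part of the original guide). It assumes filter records shaped like the Gmail API's filter and auto-forwarding resources; the sample data, addresses and function names are constructed for illustration.

```python
# Constructed sample shaped like Gmail API filter resources; addresses are placeholders.
SAMPLE_FILTERS = [
    {"id": "f1", "criteria": {"from": "newsletter@example.org"},
     "action": {"addLabelIds": ["Label_12"], "removeLabelIds": ["INBOX"]}},
    {"id": "f2", "criteria": {"query": "invoice OR password OR reset"},
     "action": {"forward": "collector@example.net",
                "removeLabelIds": ["UNREAD", "INBOX"]}},
    {"id": "f3", "criteria": {"from": "security@bank.example"},
     "action": {"addLabelIds": ["TRASH"]}},
]
# Constructed sample shaped like the auto-forwarding setting.
SAMPLE_AUTO_FORWARD = {"enabled": True, "emailAddress": "me-backup@example.com"}

def audit_filters(filters, known_addresses):
    """Return [(filter_id, [reasons])] for filters that forward, delete or hide mail."""
    known = {a.lower() for a in known_addresses}
    findings = []
    for f in filters:
        action = f.get("action", {})
        added = set(action.get("addLabelIds", []))
        removed = set(action.get("removeLabelIds", []))
        fwd = action.get("forward")
        reasons = []
        if fwd and fwd.lower() not in known:
            reasons.append(f"forwards to unrecognised address {fwd}")
        if "TRASH" in added:
            reasons.append("deletes matching mail")
        if "UNREAD" in removed:
            reasons.append("marks matching mail as read")
        # Archiving alone is common and benign; flag it only alongside the above.
        if "INBOX" in removed and (fwd or "UNREAD" in removed):
            reasons.append("hides matching mail from the inbox")
        if reasons:
            findings.append((f["id"], reasons))
    return findings

def audit_auto_forwarding(setting, known_addresses):
    """Return the forwarding address if account-wide forwarding goes somewhere unknown."""
    known = {a.lower() for a in known_addresses}
    addr = setting.get("emailAddress", "")
    if setting.get("enabled") and addr and addr.lower() not in known:
        return addr
    return None

if __name__ == "__main__":
    mine = ["me-backup@example.com"]  # addresses you set up yourself
    for fid, reasons in audit_filters(SAMPLE_FILTERS, mine):
        print(fid, "->", "; ".join(reasons))
    print("auto-forward:", audit_auto_forwarding(SAMPLE_AUTO_FORWARD, mine))
```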
Step 4: Full Recovery — Secure Your Account
If you found evidence of a breach, complete all of these steps in order:
- Change your password immediately — Use a unique password of 16+ characters. Store it in a password manager (Bitwarden free, 1Password paid). Never reuse passwords across accounts.
- Enable two-factor authentication (2FA) — Gmail: myaccount.google.com/two-step-verification; Outlook: account.microsoft.com/security. Use an authenticator app (Google Authenticator, Authy) rather than SMS—SMS codes can be intercepted via SIM-swap attacks.
- Verify recovery info is still yours — Check that the recovery email address and phone number haven’t been changed by the attacker. Attackers change these to lock you out permanently.
- Revoke app access — Gmail: myaccount.google.com/permissions; Microsoft: account.microsoft.com/privacy/app-access. Remove any third-party apps you don’t recognize.
- Review and delete forwarding rules — As covered in Step 3 above.
- Check connected accounts — Any service where you used “Sign in with Google/Microsoft” may also be at risk. Review and re-secure the most sensitive ones (banking, financial services).
For more security tools and guides, see our Security section including our best free antivirus guide.
Common Questions — How to Check If Your Email Was Hacked
Q: How do I know if someone is reading my emails without my knowledge?
A: The most reliable indicator is a hidden forwarding rule. In Gmail, go to Settings → Forwarding and POP/IMAP and check for any unauthorized forwarding addresses. Also check your Filters tab for rules that mark emails as read or delete them automatically—attackers use these to hide their activity. Checking your login history at myaccount.google.com/security also reveals unfamiliar device or location access.
Q: My email shows up on HaveIBeenPwned — what should I do?
A: Check which breach it appeared in and what data was exposed. If a password was exposed and you still use that password anywhere, change it on every site that used it—immediately. Change your email account password even if it was not directly exposed in the breach (credential stuffing attacks try breach passwords on other services automatically). Enable 2FA if you haven’t already.
Q: Can I recover my email account if the password was changed by a hacker?
A: Yes. Use the account recovery process: for Gmail, go to accounts.google.com/signin/recovery; for Microsoft, go to account.live.com/acsr. You will need access to a recovery email or phone number. If the attacker changed those too, you will need to prove identity through the provider’s manual review process, which may take several days. This is why keeping recovery info current and verified matters.
Q: What is the strongest 2FA method for email in 2026?
A: In order of strength: (1) Hardware security key (YubiKey, Google Titan)—phishing-resistant, cannot be intercepted; (2) Authenticator app (Google Authenticator, Authy, Bitwarden TOTP)—no SMS interception risk; (3) SMS/text codes—better than nothing but vulnerable to SIM-swap attacks and should be avoided for email accounts containing sensitive data. For most users, an authenticator app provides excellent security with reasonable convenience.
Last Updated: April 13, 2026








