How to Recover a Hacked Email or Social Media Account
Recover the email tied to the account first, then the account itself. Almost every login resets through email, so if an attacker still controls your inbox, any password you reset on a social app or a bank can be undone in seconds. Lock the inbox, revoke active sessions, restore your recovery options, then work outward to everything that reused the same password.
Speed matters, but order matters more. A frantic password change on the breached account alone often does nothing if the hacker has already added their own phone number or recovery email. This guide walks the recovery in the sequence that actually shuts the attacker out and keeps them out.
The goal is not just getting back in. It is containing the damage: figuring out what they read, what they sent, and which other accounts are now exposed because you reused that password somewhere else.
Key takeaways
- Recover your email first. It is the master key. Securing a social account while the inbox is still compromised is mostly pointless.
- Revoke all active sessions after resetting the password, or the attacker stays logged in on their own device even with your new password.
- Check what they changed, not just what they read: recovery email, backup phone, forwarding rules, and connected apps are how they keep a back door open.
- Reset every account that reused that password. One stolen password is a master key to your whole reused-credential cluster.
- Find out where the breach started with a breach check on your email, so you fix the leak instead of just the symptom.
Why do you recover the email account first?
Your email inbox is the master key to your digital life. The reset link that "forgot password" triggers on almost every other service (your bank, your social profiles, your cloud storage) lands in that inbox. If an attacker controls it, every password you reset elsewhere can be re-reset right back to them. So the recovery sequence always starts here.
If you can still log into your email, change the password immediately and move to the lockdown steps below. If you are already locked out, go straight to the provider's account-recovery flow (Google, Microsoft, and Apple all have one) and be ready to prove identity with an old password, a recovery phone, or a previously trusted device.
- Still have access: change the password now, then revoke sessions before doing anything else.
- Locked out: use the provider's official recovery form, not a link someone sent you.
- Recovery options changed: the attacker likely swapped your backup email or phone. The recovery form lets you flag this and prove the account is yours.
What's the exact order to lock the attacker out?
Once you are back in, do these in order. Skipping the session-revoke step is the most common mistake. A new password does not log out the device the attacker is already using. You have to actively kill those sessions.
Most major platforms put all of this under Settings, then Security or Password and security. Look for a "where you're logged in" or "active sessions" panel.
- 1. Change the password to something long, unique, and never used elsewhere.
- 2. Revoke all active sessions / log out all devices. This ends the login the attacker already holds; afterwards the active-sessions list should show only the device you are on.
- 3. Turn on two-factor authentication with an authenticator app, a hardware security key, or a passkey rather than SMS where the platform allows it. SMS codes can be captured through a SIM swap.
- 4. Review recovery settings: remove any phone number or backup email you do not recognize, and regenerate your 2FA backup codes, since the attacker may have copied the old ones.
- 5. Check connected apps and third-party access and revoke anything unfamiliar. Those tokens survive a password change until you revoke them. Where the provider offers app passwords, delete any you did not create, because they bypass 2FA.
How do you find out what the attacker actually accessed?
Getting back in is half the job. Now figure out what they did while inside, because that tells you who else to warn and which accounts to protect next. Attackers usually do one of three things: read your data, message your contacts to spread the scam, or set up a quiet back door to return later.
Most platforms keep a login history and recent-activity log. Compare the login locations and timestamps against your own movements. Then check what they touched.
- Sent and deleted folders: attackers often message contacts ("I'm stuck abroad, send money") and then delete the evidence.
- Email forwarding rules: a silent forward to an unknown address is a classic back door. Check filters and forwarding settings, and look especially for rules that archive, mark as read, or delete messages mentioning "password" or "security alert", which hide the provider's own warnings from you.
- Password reset emails: search your inbox for "reset your password" to see which other accounts they probed.
- Connected devices and OAuth grants: an app or "Sign in with..." authorization they added holds its own token, which survives a password change until you revoke it.
- Profile and recovery changes: altered name, recovery phone, or backup email all point to attempted persistence.
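As an added example, not part of the original article: a small Python script that audits an exported mail-filter file for the two back doors above, a forward to an outside address and a rule that hides security mail. It reads the Atom XML that Gmail produces when you export filters (Settings, Filters and Blocked Addresses, Export). The three filters in the sample, the victim address and the trusted-forward list are constructed for the demo and are not real data; other providers use different export formats, so only the detection logic carries over.

```python
# Added example (not from the original article): audit a Gmail filter export
# for forwarding back doors and rules that hide security mail. SAMPLE_FILTERS,
# the victim address and TRUSTED_FORWARD are constructed for this demo.
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Addresses a forward to which is expected (assumption for the demo).
TRUSTED_FORWARD = {"victim@example.com", "victim-backup@example.org"}

# Words an attacker matches on to bury a provider's warnings and reset mails.
SECURITY_WORDS = ("password", "security alert", "verification code",
                  "sign-in", "new login", "2fa")

# Constructed export: one benign rule, one that trashes security alerts,
# one that forwards everything to an outside mailbox.
SAMPLE_FILTERS = """<?xml version='1.0' encoding='UTF-8'?>
<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='from' value='newsletter@shop.example'/>
    <apps:property name='label' value='Shopping'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='hasTheWord' value='password OR "security alert"'/>
    <apps:property name='shouldTrash' value='true'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='to' value='victim@example.com'/>
    <apps:property name='forwardTo' value='drop.attacker@example.net'/>
  </entry>
</feed>
"""


def parse_filters(xml_text):
    """Return each filter entry as a dict of property name -> value."""
    root = ET.fromstring(xml_text)
    filters = []
    for entry in root.iter(ATOM + "entry"):
        props = {}
        for prop in entry.iter(APPS + "property"):
            props[prop.get("name")] = prop.get("value", "")
        filters.append(props)
    return filters


def audit_filters(xml_text, trusted=TRUSTED_FORWARD):
    """Flag filters that forward outside `trusted` or that hide mail matching
    a security keyword. Returns a list of (reason, filter_properties)."""
    findings = []
    for f in parse_filters(xml_text):
        fwd = f.get("forwardTo")
        if fwd and fwd.lower() not in trusted:
            findings.append(("forward to untrusted address: " + fwd, f))
        hides = any(f.get(k) == "true"
                    for k in ("shouldTrash", "shouldArchive", "shouldMarkAsRead"))
        criteria = " ".join(f.get(k, "") for k in ("hasTheWord", "subject", "from")).lower()
        if hides and any(word in criteria for word in SECURITY_WORDS):
            findings.append(("hides security mail matching: " + criteria.strip(), f))
    return findings


if __name__ == "__main__":
    for reason, props in audit_filters(SAMPLE_FILTERS):
        print("SUSPICIOUS:", reason)
```

Point it at your own export by replacing SAMPLE_FILTERS with the file contents and TRUSTED_FORWARD with addresses you actually control; any finding is something to delete, not just review.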
Why do you have to change passwords on other accounts too?
Because one stolen password is rarely just one account. Credential stuffing is one of the most common attacks on consumer accounts: a hacker takes the email-and-password pair leaked from one breach and replays it automatically against hundreds of other sites. If you reused that password anywhere, those accounts are already exposed, even if they have not been touched yet.
Reset the password on every account that shared the breached one, and prioritize the high-value targets first. Use a unique password per site from now on. A password manager makes this realistic instead of impossible.
- Tier 1, do now: banking, primary and secondary email, password manager, cloud storage.
- Tier 2, today: social media, shopping accounts with saved cards, anything tied to your phone number.
- Tier 3, this week: forums, newsletters, low-value logins that still reused the password.
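Added example, not from the original article: given a password-manager CSV export, find every entry that reuses the breached password and sort the hits into the three tiers above. The vault rows, the breached password and the keyword lists that decide tiers are constructed assumptions for the demo, and the CSV uses a simple name,url,username,password layout; real exports carry extra columns, so adapt the column names. Run it locally and delete the export afterwards.

```python
# Added example (not from the original article): locate every vault entry
# that reuses the breached password and tier them for resetting.
# SAMPLE_VAULT_CSV, BREACHED_PASSWORD and TIER_KEYWORDS are constructed.
import csv
import hashlib
import hmac
import io
from urllib.parse import urlsplit

SAMPLE_VAULT_CSV = """name,url,username,password
Bank,https://online.bank.example/login,victim,hunter2023!
Personal mail,https://mail.example.com,victim@example.com,hunter2023!
Work mail,https://outlook.office.com,victim@corp.example,Xr8!pL2#vQ9@wZ
Shop,https://shop.example,victim@example.com,hunter2023!
Social,https://social.example,victim,hunter2023!
Forum,https://forum.example,victim,hunter2023!
Cloud drive,https://drive.example,victim@example.com,hunter2023!
"""

BREACHED_PASSWORD = "hunter2023!"  # the password the breach check flagged

# Keywords matched against host name and entry name; anything else is tier 3.
TIER_KEYWORDS = {
    1: ("bank", "mail", "drive", "vault"),  # banking, email, cloud, password manager
    2: ("shop", "social"),                  # saved cards, social profiles
}


def reuses(password, breached):
    """True if `password` equals the breached one. Both are hashed first so
    compare_digest runs on fixed-length inputs regardless of password length."""
    a = hashlib.sha256(password.encode("utf-8")).digest()
    b = hashlib.sha256(breached.encode("utf-8")).digest()
    return hmac.compare_digest(a, b)


def tier_for(url, name):
    """Pick the reset tier from the host name and the entry's label."""
    host = urlsplit(url).hostname or ""
    text = (host + " " + name).lower()
    for tier, words in TIER_KEYWORDS.items():
        if any(word in text for word in words):
            return tier
    return 3


def find_reuse(csv_text, breached=BREACHED_PASSWORD):
    """Return {tier: [(name, host, username), ...]} for entries that reuse
    `breached`. Entries with a different password are left out."""
    clusters = {1: [], 2: [], 3: []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if reuses(row["password"], breached):
            host = urlsplit(row["url"]).hostname or row["url"]
            clusters[tier_for(row["url"], row["name"])].append(
                (row["name"], host, row["username"]))
    return clusters


if __name__ == "__main__":
    for tier, entries in find_reuse(SAMPLE_VAULT_CSV).items():
        for name, host, user in entries:
            print(f"tier {tier}: reset {name} ({host}, user {user})")
```

Work the list top down: tier 1 before you leave your desk, tier 2 today, tier 3 this week, giving each a fresh unique password from the manager as you go.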
How do you find where the breach started?
Fixing the account without finding the leak means it can happen again next month. The starting point is usually a known data breach where your email and password were exposed, a phishing message that captured your login, or credential-stealing malware on one of your devices. The last case changes the order of work: on an infected device every new password you type leaks too, so clean or replace that device before resetting anything from it. An OSINT exposure check shows you which breaches your email appears in and whether the matching password is circulating in plaintext.
Run a breach check on your email to see the datasets involved and the most recent leak date. Pair it with a reverse-email lookup to see which public profiles and accounts are tied to that address, since those are the next targets an attacker would pivot to. From there you can map your digital footprint and close the doors you did not know were open.
- Confirm the source: if the password the attacker used shows up in plaintext in a breach, that breach is the most likely way in. If it appears in no breach at all, suspect phishing or a compromised device instead.
- Check the date: a recent leak means the credentials are fresh and actively traded.
- Audit linked accounts: the same email often unlocks a cluster of profiles. Secure all of them, not just the loud one.
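The article's breach check runs on your email address. As an added example, not part of the original article, here is the password side of the same question, using the k-anonymity scheme of the Have I Been Pwned "Pwned Passwords" API: only the first 5 hex characters of the password's SHA-1 leave your machine, and the remaining 35 are matched locally against the SUFFIX:COUNT lines the server returns. The range response embedded below is constructed so the demo runs offline (a live response is several hundred lines, and the Add-Padding header adds count-0 filler); the suffix for "password" is its real SHA-1 tail, but the counts are invented, and the second test password is an assumption.

```python
# Added example (not from the original article): password breach check via
# the Pwned Passwords k-anonymity range endpoint. CONSTRUCTED_RANGE stands in
# for a live response; its counts are made up for the demo.
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed fixture keyed by 5-char prefix. The first suffix is the real tail
# of SHA-1("password"); the other two are filler, the last one padding-style.
CONSTRUCTED_RANGE = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824\r\n"
        "ABCDEF0123456789ABCDEF0123456789ABC:3\r\n"
        "00A7B5E7C1A31BC2E4F1A0E9C4D2B3A1F5E:0\r\n"
    ),
}


def split_hash(password):
    """Return (prefix, suffix): the 5 hex chars that are sent and the
    35 hex chars that never leave the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix, fixture=None):
    """Fetch the range body for `prefix` from the API, or from `fixture`
    when running offline. A prefix missing from the fixture yields ""."""
    if fixture is not None:
        return fixture.get(prefix, "")
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"User-Agent": "account-recovery-demo",
                 "Add-Padding": "true"},  # server pads with count-0 lines
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_range(body):
    """Map each suffix to its breach count; a count of 0 is padding."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def times_seen(password, fixture=None):
    """How many times the password appears in the corpus (0 = not found)."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix, fixture)).get(suffix, 0)


if __name__ == "__main__":
    for pw in ("password", "Tr0ub4dor&3-but-unique-9f2c"):
        n = times_seen(pw, fixture=CONSTRUCTED_RANGE)
        print(f"{pw!r}: seen {n} times" if n else f"{pw!r}: not in this range")
```

Drop the fixture argument to query the live endpoint; a non-zero count means the password is in circulation and every account still using it belongs in the reuse list above, whatever the email check says.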
Frequently Asked Questions
What is the very first thing to do when my account is hacked?
Secure the email address tied to the account before anything else. Email is where password resets land, so if the attacker controls your inbox, fixing the social or bank account alone does nothing. Change the email password, then revoke all active sessions to kick the attacker off their device.
Why does the hacker still have access after I change my password?
Changing a password does not automatically log out devices that are already signed in. The attacker's existing session stays active until you revoke it. Look for an "active sessions" or "log out all devices" option in your security settings and use it right after the password change.
Do I really need to change passwords on accounts that weren't hacked?
Yes, if they shared the same password as the breached account. Attackers run that leaked email-and-password pair against hundreds of other sites automatically. Any account that reused the password is already exposed even if it hasn't been touched yet. Give every account a unique password.
How do I know what the hacker did while they were in my account?
Check the recent-activity or login-history log, the sent and deleted message folders, and your email forwarding and filter rules. Attackers often message your contacts to spread a scam and set up a silent forward as a back door. Also review connected apps and any changed recovery email or phone number.
How can I find out how my account got hacked in the first place?
Run a breach exposure check on your email. It shows which known data breaches contain your address and whether the matching password is circulating in plaintext. If your password appears in a recent leak, that breach is the most likely source, and the fix is to stop reusing that credential everywhere. If it appears in no breach, look at phishing or a compromised device instead.
Conclusion
Recovering a hacked account is a sequence, not a single click: secure the email, revoke active sessions, restore your recovery settings, then reset every account that reused the password. Containing the damage means checking what the attacker read, sent, and quietly changed, then closing the back doors before they return. Start by finding where your credentials leaked, then lock down every account that shares them so the same breach can't bite twice.