How to Check If Your Email Has Been Hacked (2026 Guide)
Think your email might be compromised? Here is exactly how to check if your email has been hacked, what to do if it has, and how to prevent it from happening again.
Data breaches happen constantly. LinkedIn, Facebook, Twitter, Dropbox, Adobe, and thousands of other services have been breached over the years. If you have been on the internet for more than a few years, your email address has almost certainly appeared in at least one breach.
The question is not if your email has been exposed. It is how bad the exposure is and what you should do about it.
Step 1: Check Have I Been Pwned
The fastest way to check is Have I Been Pwned (haveibeenpwned.com), a free service created by security researcher Troy Hunt.
How to Use It
- Go to haveibeenpwned.com
- Enter your email address
- Click "pwned?"
- Check the results
If your email appears in breaches, you will see:
- Which services were breached
- When the breach happened
- What data was exposed (email, password, name, phone, etc.)
What the Results Mean
- Paste - Your credentials appeared in a publicly dumped text file
- Breach - A specific service was hacked and your data was part of it
- Sensitive breach - The breach is not publicly searchable (adult sites, etc.)
Most people see 3-10 breaches. This is normal given how many breaches have occurred. What matters is what you do next.
Step 2: Check Your Password Exposure
Have I Been Pwned also lets you check specific passwords at haveibeenpwned.com/Passwords.
This checks if a password has appeared in any known data breach. If it has, stop using it everywhere immediately.
Important: The site uses a k-anonymity model. It does not send your full password to the server. Only the first 5 characters of the SHA-1 hash are sent, so it is safe to use.
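The k-anonymity check described above, as an added example (not code from this article or from Have I Been Pwned). It assumes the public range endpoint at api.pwnedpasswords.com/range/ and its SUFFIX:COUNT response lines; the function names, the User-Agent string and the sample response are constructed for illustration.

```python
import hashlib
import urllib.request


def split_hash(password: str) -> tuple:
    """Return (prefix, suffix) of the uppercase SHA-1 hex digest.
    Only the 5-character prefix ever leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict:
    """Parse a range response: one 'SUFFIX:COUNT' entry per line."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if not sep or len(suffix) != 35 or not count.isdigit():
            continue  # skip blank or malformed lines
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """Match the local suffix against the returned list, on the client.
    Padding entries carry a count of 0, so they read as 'not found'."""
    _, suffix = split_hash(password)
    return parse_range(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Online step (defined but not called here): fetch all suffixes for a prefix."""
    req = urllib.request.Request(
        "https://api.pwnedpasswords.com/range/" + prefix,
        # Add-Padding asks for decoy entries so response size leaks less;
        # the User-Agent value is a hypothetical name for this example.
        headers={"Add-Padding": "true", "User-Agent": "kanon-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("ascii")


def constructed_response(breached: str, count: int) -> str:
    """CONSTRUCTED sample body: one real-looking hit plus filler and padding."""
    _, hit = split_hash(breached)
    return "\r\n".join(["0" * 35 + ":3", hit + ":" + str(count), "F" * 35 + ":0"])


if __name__ == "__main__":
    body = constructed_response("password", 1234)  # offline stand-in for fetch_range()
    print(split_hash("password")[0], breach_count("password", body))
```

The server only ever sees the prefix, which many unrelated hashes share; the decision about whether your password is in the list is made locally.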
Step 3: Check Google's Security Dashboard
If you use Gmail, Google tracks security events for your account:
- Go to myaccount.google.com/security
- Check "Recent security activity"
- Look for sign-ins you do not recognize
- Review "Your devices" for unknown devices
Warning Signs
- Sign-ins from locations you have never been
- Devices you do not own listed as active
- Security alerts you did not trigger
- Recovery email or phone changed without your knowledge
Step 4: Check Your Email Provider's Activity
Gmail
- Click your profile picture and then "Manage your Google Account"
- Go to Security and then "Recent security activity"
- Scroll down to "Last account activity" in Gmail
Outlook/Microsoft
- Go to account.microsoft.com/security
- Click "Review activity"
- Check for unfamiliar sign-ins
Yahoo
- Go to login.yahoo.com/account/activity
- Review recent sign-in activity
Signs Your Email Is Already Hacked
If any of these are happening, your account may be compromised:
- Emails you did not send appear in your Sent folder
- Password reset emails arriving that you did not request
- Friends receiving spam from your email address
- Missing emails - someone is reading and deleting them
- Account settings changed - signature, forwarding rules, recovery info modified
- Cannot log in - password was changed by someone else
- Unknown apps have access to your account
What to Do If Your Email Is Hacked
Immediate Steps
1. Change your password immediately
Create a strong, unique password: at least 16 characters with a mix of letters, numbers, and symbols. Better yet, use a password manager to generate one.
2. Enable two-factor authentication (2FA)
Turn on 2FA right now. Use an authenticator app (Google Authenticator, Authy, or Microsoft Authenticator) instead of SMS. SMS can be intercepted through SIM swapping.
3. Check forwarding rules
Hackers often set up email forwarding to receive copies of your incoming emails. Check:
- Gmail: Settings then "Forwarding and POP/IMAP"
- Outlook: Settings then "Mail" then "Forwarding"
- Remove any forwarding addresses you did not add
4. Review connected apps
Remove any third-party apps you do not recognize:
- Gmail: myaccount.google.com/permissions
- Outlook: account.microsoft.com/consent/manage
- Revoke access for anything suspicious
5. Check recovery settings
Make sure the recovery email and phone number are yours. Hackers change these to maintain access even after you change your password.
After Securing Your Email
6. Change passwords on important accounts
Start with:
- Banking and financial services
- Social media accounts
- Shopping sites (Amazon, etc.)
- Cloud storage (Google Drive, Dropbox, iCloud)
- Any account using the same password as your email
7. Check financial accounts
Review bank statements and credit card transactions for unauthorized activity. Set up transaction alerts if your bank offers them.
8. Warn your contacts
If spam was sent from your account, let your contacts know not to click any links in those emails.
How to Prevent Email Hacks
Use a Password Manager
Stop reusing passwords. A password manager like Bitwarden (free) or 1Password generates and stores unique passwords for every account.
Enable 2FA Everywhere
Two-factor authentication blocks 99.9% of automated attacks according to Microsoft. Use it on every account that supports it.
Watch for Phishing
Most email hacks start with phishing. Here is how to spot phishing emails:
- Sender address does not match the company domain
- Urgent language ("Your account will be closed!")
- Links that go to unfamiliar URLs (hover before clicking)
- Attachments you were not expecting
- Poor grammar and formatting
Keep Software Updated
Outdated browsers and email apps have known vulnerabilities. Enable automatic updates.
Use Unique Emails for Important Services
Consider using email aliases. Services like SimpleLogin or Apple's Hide My Email create unique addresses for each service, so if one gets breached, your main email stays safe.
Free Tools to Monitor Your Email Security
| Tool | What It Does | Cost |
|---|---|---|
| Have I Been Pwned | Checks email in data breaches | Free |
| Firefox Monitor | Same data, Mozilla interface | Free |
| Google Security Checkup | Reviews Google account security | Free |
| Bitwarden Vault Health | Checks for weak/reused passwords | Free |
| Apple Passwords Security | Monitors for breached passwords | Free (Apple) |
How Often Should You Check
- Monthly: Run your email through Have I Been Pwned
- Weekly: Glance at your email account's recent activity
- Immediately: When you hear about a major breach in the news
- Always: Keep 2FA enabled and use unique passwords
Bottom Line
Your email is the key to almost every online account. If someone controls your email, they can reset passwords on your bank, social media, and everything else.
Check your email on Have I Been Pwned right now. Enable 2FA. Use a password manager. These three steps stop the vast majority of email-based attacks.
Written by Ali Rehman, Author at ByteVerse
A Full Stack Developer and Tech Writer specializing in React.js, Next.js, and modern JavaScript, sharing insights on web development, frontend technologies, backend APIs, and scalable applications.