Gmail users are again falling victim to a sophisticated phishing attack that is locking victims out of their accounts. While these sorts of attacks are nothing new, cybercriminals now have AI on their side to help them come up with new ways to trick people into falling for their traps.
Right now, that trickery is taking the form of an email that looks convincingly like it's from Google, with an urgent call to action regarding a legal matter and a link for more information, according to a report from Forbes published on April 21.
But if you interact with the email, your credentials could be stolen, your password changed and new security measures put in place to keep you from getting back into your account. If you find yourself in this boat -- from this phishing attack or another -- hope isn't lost. If you have the proper measures in place and you act quickly, you can regain access.
A Google spokesperson told Forbes that a fix for this particular scenario will soon be deployed.
Read on to find out what to do in case your Gmail account is hacked and you can no longer log in. We'll also throw in some additional security measures so you can potentially make your account less vulnerable.
If your Gmail account was compromised, do this
This particular attack isn't necessarily special, but it does show that cybercriminals are relentless in looking to gain access to user accounts by creating increasingly sophisticated methods of attack. And it is all too easy to fall victim to phishing attacks. Gmail is the most popular email service, so it makes sense for the bad guys to prioritize it. Google even has a quiz to help you spot these types of emails.
If your account was hacked, regaining access can be tricky. The information and recovery measures you had in place will affect both your chances of success and how long it takes to recover your account.
Start by going to https://accounts.google.com/signin/recovery and answer the questions to the best of your ability. If you had any additional emails or phone numbers associated with your account, this information may be able to help you, even if it's been removed from your account. Google has additional tips that may help you when completing the account recovery module, like making sure you're completing these steps in a familiar location and with a familiar device.
After some digging, including going through a series of help requests about a compromised account, the writer of the Forbes report was able to receive a callback from Google directly. A key factor here, though, was that it required the Google One Premium subscription that offers additional storage, AI features and other benefits.
Prevention is the best method: How to secure your Gmail account
There's a reason why you'll find more support articles from Google that will show you how to prevent bad actors from getting into and wreaking havoc on your Gmail account than you'll find articles about recovering from a phishing attack. That's because it's much easier to prevent a hack than it is to prove you're the one trying to regain access to your account.
If you're lucky enough to be reading this as a preventive measure to protect your Gmail account, here are things you can and should do to keep your account safe.
One of the easiest ways to increase the security of your account is adding a recovery email and phone number to your account. Here's how to do it.
- From your computer, head to myaccount.google.com and log in to your account
- Click on the Security tab on the left side panel
- Under the How you sign in to Google section, click Add an email address next to Recovery email. You can add a phone number in this section by clicking 2-Step Verification phone.
- Both of these methods will require verification before they're added to your account.
Additional security measures you should enable
By adding a recovery phone and email to your Google account, you'll save yourself a lot of time if you need to confirm your identity to regain access to your account, but that's essentially the bare minimum. There's still so much more you can do to protect your Google account, which will in turn protect your Gmail account.
True, additional security can come at the expense of convenience. Some methods are slightly less secure but keep things convenient, while others are much more secure with the convenience dial turned all the way down.
The main step is enabling two-step verification for signing in to your Google account or any of its apps, like Gmail.
Two-step verification options
There are a handful of ways to add a second layer of security when signing into your Google account. You can enable one or more at a time.
- Passkeys - You can save a passkey to your device that can be used instead of logging in with a password. Passkeys, which are FIDO credentials, can be saved in password managers on computers or mobile devices and just need to be verified with biometrics or a PIN.
- Security Key - This is probably the most secure but most inconvenient method. It will require you to purchase a physical security key and insert it into the device you're trying to log into. There are several NFC-enabled security keys available as well.
- Two-step verification phone - With this enabled, you'll be sent a code via text message that you can input into the device you're signing into. SMS has its own security concerns, though.
- Authenticator app - This method requires a one-time setup for your account. Once it's enabled, you'll be asked to provide a temporary code from your authenticator app in order to log in.
- Google prompt - This method is very convenient. You'll receive a popup on your phone from Google that you'll need to tap to confirm that it's you logging into your account on a new device.
- Backup codes - This method will generate a series of unique codes that you store in a safe place and can use when you get locked out of your account.
Consider the Google Advanced Protection Program
Google offers an advanced protection program that doubles down on security. The two-step verification methods above will typically be enough to let you skip your login credentials, but the Google Advanced Protection Program requires you to use a passkey or security key together with your login credentials to access your account. Google encourages journalists, activists, business executives and people involved in elections to enroll, but it's a free program that anyone can use.