
Password Recovery After Being Hacked: A Step-by-Step Guide

By SO Email Security. Estimated reading time: 10 minutes.

A complete guide to password recovery after a hack. Covers how account takeovers work, how to detect them, step-by-step recovery, incident response, and prevention. Includes verifiable sources from CISA, FBI, and NIST.

Tags: password recovery, account takeover, hacked account, credential theft, MFA, cyber incident response, identity theft, email security, phishing, NIST, CISA, FBI IC3



What Is the First Thing to Do When Your Password Has Been Hacked?

If your account has been compromised, change your password immediately from a separate, trusted device, enable multi-factor authentication on all affected accounts, and revoke all active sessions. If financial credentials were involved, contact your bank's fraud line directly using the number on the back of your card. Do not use any links from emails you received during the incident. Speed is the single most important factor in limiting damage.


What Does Password Recovery After Being Hacked Mean?

Password recovery after being hacked refers to the process of regaining access to accounts that have been taken over by an unauthorized party, securing those accounts against further compromise, and containing the downstream damage caused by the initial breach.

Account takeover (ATO) is the term used by the cybersecurity industry to describe the unauthorized access to an account using stolen or guessed credentials. Unlike a forgotten password, a hacked account involves an active adversary who may still have access, may have changed recovery information, and may be actively exfiltrating data or escalating their access to other systems.

Password recovery in this context is not simply resetting a password. It involves a sequence of containment, verification, remediation, and hardening steps that must be executed in the correct order to be effective.

NIST's incident handling guidance (Special Publication 800-61) frames the response as containment, eradication, and recovery. For a compromised account that means, at a minimum, invalidating the credential, terminating existing sessions, and reviewing the activity log for what the intruder did.


Why Does Password Recovery After a Hack Matter So Much?

Account takeovers are among the most common and costly cyber incidents affecting individuals and organizations. The consequences extend well beyond the compromised account.

The FBI Internet Crime Complaint Center (IC3) 2023 Internet Crime Report attributes more than $2.9 billion in reported US losses to business email compromise, a scheme that usually begins with a compromised or impersonated email account, and lists phishing as the most-reported crime type by number of complaints.

The Verizon 2024 Data Breach Investigations Report found that stolen credentials were involved in 77 percent of basic web application attacks, and that they have featured in roughly 31 percent of all breaches in its dataset over the past ten years.

CISA's cybersecurity advisories repeatedly identify credential theft as the enabler of ransomware, data exfiltration, and supply chain compromise, and its guidance on account compromise names phishing and credential stuffing as the two most common routes to unauthorized account access.

Once an attacker has a valid credential, the CrowdStrike 2024 Global Threat Report puts the average eCrime breakout time, from initial access to lateral movement inside an organization, at 62 minutes. For individual accounts, fraud and data theft can begin within minutes of the first successful login.

The window between a successful credential theft and the completion of fraud is shrinking. Prompt, structured password recovery is not optional. It is the primary control standing between an attacker and the full scope of what your account can access.


How Does a Password Get Stolen? A Step-by-Step Breakdown

Understanding how credentials are stolen is essential to executing effective recovery and preventing recurrence.

Step 1: Initial Access via Phishing or Credential Stuffing

The most common method of credential theft is phishing. An attacker sends an email, text, or social media message that directs the victim to a fake login page. The page captures the entered credentials and forwards them to the attacker in real time, while redirecting the victim to the legitimate site to avoid detection.

Credential stuffing is the second most common method. Attackers use lists of username and password combinations leaked in prior data breaches to attempt automated logins across hundreds of services. Because many people reuse passwords across accounts, a breach at one service can expose accounts at dozens of others. According to research published by SpyCloud, 64 percent of users reuse the same password across multiple accounts.

Step 2: Session Hijacking or Token Theft

Some attackers bypass the password entirely using session token theft. Browser cookies and authentication tokens, if stolen through malware or a man-in-the-browser attack, allow an attacker to authenticate as the victim without needing the password at all. This technique bypasses traditional multi-factor authentication.

Step 3: Silent Reconnaissance

Once inside an account, attackers do not always act immediately. Many conduct reconnaissance first, reading emails and messages to understand the account's value, identify financial relationships, map contact networks, and locate credentials stored in the inbox, such as password reset emails and account confirmation messages.

Step 4: Account Modification

The attacker changes recovery information to lock out the legitimate user. This typically includes changing the recovery email address, updating the phone number used for SMS verification, revoking trusted devices, registering an attacker-controlled authenticator, and regenerating backup codes so that the codes the victim saved no longer work.

Step 5: Exploitation

With the legitimate user locked out and recovery options under attacker control, exploitation begins. This may include financial fraud, impersonating the victim to contacts, accessing linked accounts, exfiltrating sensitive documents, or selling the account credentials on underground markets.


What Does a Real Password Theft and Recovery Case Look Like?

In 2022, Microsoft's security researchers documented a large-scale adversary-in-the-middle (AiTM) phishing campaign that targeted Microsoft 365 accounts at more than 10,000 organizations. Victims received emails appearing to come from their employers or business partners, directing them to proxy landing pages that relayed the real login flow and captured both the credentials and the live MFA exchange.

The attackers used the captured session cookies to sign in even though MFA was enabled, bypassing the second factor entirely. Once inside, they searched mailboxes for payment and invoice threads, created inbox rules to hide replies from the parties they were defrauding, and used the compromised accounts to redirect payments to attacker-controlled bank accounts. In some cases the follow-on fraud began within minutes of the session theft.

Because the attackers' access rested on a stolen session cookie rather than on knowledge of the password, resetting the password alone did not evict them; revoking the session and deleting the inbox rules did.

This case illustrates three critical lessons. First, MFA based on SMS codes or app-generated codes does not protect against AiTM attacks, because the attacker captures the MFA code in real time. Second, session revocation is a separate and required step from password change. Third, speed of response is the primary determinant of outcome.


How Do You Know If Your Password Has Been Compromised?

Use this checklist to detect signs of an account takeover:

Login and access signals:

  • You receive a login notification from an unfamiliar location, IP address, or device
  • Your password no longer works on an account you have not changed
  • You are unexpectedly logged out of active sessions across multiple devices
  • You receive a password reset email you did not request
  • Your account shows the last login from a time when you were not active

Account modification signals:

  • Your recovery email address or phone number has been changed
  • Trusted devices have been added or removed without your action
  • Two-factor authentication has been disabled or modified
  • Email forwarding rules have been created to an external address
  • Sent items contain messages you did not write

Downstream signals:

  • Contacts report receiving unusual messages from your account
  • You receive a subscription bombing wave of newsletter emails, which may be designed to bury a fraud confirmation in your inbox
  • Financial accounts linked to your email show unusual activity
  • You receive alerts from linked services about password changes or new logins

Verification tools:

  • Check haveibeenpwned.com to see if your email appears in known breach databases
  • Review active sessions in the security settings of Google, Microsoft, Apple, or any major platform
  • Check Google's Security Checkup at myaccount.google.com/security for active third-party app permissions
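The signals in the checklist above are exactly what a security team would look for in an account's audit log. As an added example (not code from this article or from any vendor), the following Python script runs those checks over a constructed event stream: an unfamiliar login country, an inbox rule forwarding to an external domain, a mail-scoped OAuth consent, and a recovery-information change. The event schema, user names, domains and baseline countries are all assumptions for the example, not a real product's log format.

```python
"""Flag account-takeover (ATO) indicators in an audit-event stream.

The event schema is a constructed, vendor-neutral approximation of what
Google Workspace or Microsoft 365 audit logs expose; the field names are
assumptions for this example, not a real product's format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: alice shows the takeover sequence described on this
# page; bob shows benign activity that must not alert.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:02:11Z", "user": "alice@example.com", "action": "login",
     "country": "US", "ip": "198.51.100.7"},
    {"ts": "2024-05-01T13:41:03Z", "user": "alice@example.com", "action": "login",
     "country": "NG", "ip": "203.0.113.9"},
    {"ts": "2024-05-01T13:43:20Z", "user": "alice@example.com", "action": "create_inbox_rule",
     "forward_to": "archive@mailbox-backup.example"},
    {"ts": "2024-05-01T13:45:51Z", "user": "alice@example.com", "action": "oauth_consent",
     "app": "Mail Sync Helper", "scopes": ["mail.read", "mail.send"]},
    {"ts": "2024-05-01T13:47:10Z", "user": "alice@example.com", "action": "recovery_email_changed",
     "new_value": "a.smith.recovery@webmail.example"},
    {"ts": "2024-05-01T10:15:00Z", "user": "bob@example.com", "action": "login",
     "country": "US", "ip": "198.51.100.22"},
    {"ts": "2024-05-01T10:20:00Z", "user": "bob@example.com", "action": "create_inbox_rule",
     "forward_to": "bob@example.com"},
]

# Countries each user has logged in from before the period under review (assumed).
BASELINE_COUNTRIES = {"alice@example.com": {"US"}, "bob@example.com": {"US", "CA"}}

MODIFICATION_ACTIONS = {"recovery_email_changed", "recovery_phone_changed",
                        "mfa_method_changed", "mfa_disabled", "backup_codes_regenerated"}


def _parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def _domain(address):
    return address.rsplit("@", 1)[-1].lower()


def classify(event, baseline):
    """Map one event to an indicator name from the checklist, or None if benign."""
    action, user = event["action"], event["user"]
    if action == "login" and event.get("country") not in baseline.get(user, set()):
        return "login_unfamiliar_location"
    if action == "create_inbox_rule":
        # Forwarding within the user's own domain is normal; an external domain is not.
        if _domain(event.get("forward_to", user)) != _domain(user):
            return "external_forwarding_rule"
        return None
    if action == "oauth_consent" and any(s.startswith("mail.") for s in event.get("scopes", [])):
        return "mail_scoped_third_party_app"
    if action in MODIFICATION_ACTIONS:
        return "recovery_or_mfa_changed"
    if action == "password_reset_requested":
        return "password_reset_requested"
    return None


def detect(events, baseline, window_minutes=60):
    """Return {user: {"severity", "indicators", "events"}} for users with indicators.

    One indicator alone (an unfamiliar login, say) rates medium, since it may be
    travel or a new device. Two or more distinct indicators inside one window
    match the takeover sequence (new login, lockout of the owner, persistence)
    and rate high.
    """
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        indicator = classify(ev, baseline)
        if indicator:
            hits[ev["user"]].append((_parse_ts(ev["ts"]), indicator, ev))

    window = timedelta(minutes=window_minutes)
    report = {}
    for user, items in hits.items():
        best = set()
        for i, (t0, _, _) in enumerate(items):
            kinds = {ind for t, ind, _ in items[i:] if t - t0 <= window}
            if len(kinds) > len(best):
                best = kinds
        report[user] = {
            "severity": "high" if len(best) >= 2 else "medium",
            "indicators": sorted(best),
            "events": [ev for _, _, ev in items],
        }
    return report


if __name__ == "__main__":
    for user, finding in detect(SAMPLE_EVENTS, BASELINE_COUNTRIES).items():
        print(f"{user}: {finding['severity']} -> {', '.join(finding['indicators'])}")
```

On the sample data only alice is reported, rated high, with all four indicators inside a six-minute span; bob's in-baseline login and internal forwarding rule produce nothing. Mapping a real platform's export onto the `classify` function is a matter of renaming fields; the correlation logic does not change.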

What Are the Steps to Recover a Hacked Password and Secure Your Account?

Step 1: Act from a Clean Device

Before you do anything, verify that the device you are using to initiate recovery is not itself compromised. If you suspect the device you normally use has malware, use a different device. Do not attempt password recovery on a device you do not trust.

Step 2: Use the Platform's Account Recovery Process

Go directly to the platform's website by typing the URL. Do not click links from emails. Use the "Forgot password" or "Account recovery" function. Verify your identity using a method the attacker does not control, which typically means using a backup code, a verified phone number, or a trusted device that was registered before the compromise.

If the attacker has already changed your recovery information, use the platform's identity verification process. Google, Microsoft, and Apple all have account recovery procedures that use additional identity signals such as previous login history, device history, and account creation details.

Step 3: Revoke All Active Sessions

After regaining access, immediately revoke all active sessions. Every major platform has a security settings page that shows active logins. Sign out all other sessions before changing your password. This terminates the attacker's current access even if they have not yet changed the password themselves.

Google: myaccount.google.com/security, scroll to "Your devices"
Microsoft: account.microsoft.com/devices
Apple: Settings, your name at the top, scroll to the list of signed-in devices

Step 4: Change Your Password

Create a new password using the NIST guidelines published in Special Publication 800-63B. NIST recommends passwords of at least 15 characters, discourages forced periodic rotation without cause, and recommends checking new passwords against known compromised password lists. Use a passphrase rather than a complex but short password.

Do not reuse any part of a previous password. Do not use the same new password across multiple accounts.

Step 5: Enable or Upgrade Multi-Factor Authentication

If MFA was not enabled, enable it now. If SMS-based MFA was being used, upgrade to an authenticator app (such as Google Authenticator or Authy) or a hardware security key (such as a YubiKey). NIST SP 800-63B classifies one-time codes delivered by SMS or voice call as a restricted authenticator because of SIM swapping and interception risk; it should not be the only second factor on a high-value account.

For accounts with access to financial data, health information, or organizational systems, a hardware security key represents the strongest available consumer-grade protection.

Step 6: Check and Revoke Third-Party App Permissions

Attackers frequently grant themselves persistent access through OAuth applications that survive a password change. Review all third-party applications connected to the compromised account and revoke access to any application you do not recognize.

Google: myaccount.google.com/permissions
Microsoft: account.microsoft.com/privacy/app-access

Step 7: Audit Email Rules and Forwarding

Check your email settings for forwarding rules, filters, and auto-forward rules that may be sending copies of your email to an external address. Delete any you did not create. This is one of the most frequently overlooked steps in account recovery.

Step 8: Change Passwords on All Accounts That Share the Same Credentials

Any account using the same password as the compromised account must be treated as compromised. Change each password individually to a unique credential. Use a password manager to generate and store unique passwords for every account.

Step 9: Notify Affected Parties

If your email account was used to send phishing messages or fraudulent communications to your contacts, notify them directly through a separate channel. If organizational accounts were involved, notify your IT or security team immediately.

If financial fraud occurred, file a report at the FTC's IdentityTheft.gov and contact your financial institutions using the numbers on your account statements, not numbers from emails.
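Steps 4 and 8 above are the parts of this procedure that can be checked mechanically: the new password must be long enough, must not appear in a breach corpus, must not recycle material from the old password, and must not already be in use on another account. The following Python script, added here as an example and not code from this article, performs those checks. The breach lookup mirrors the k-anonymity scheme of the Pwned Passwords range API (send the first five hex characters of the SHA-1, scan the returned suffixes locally), but the network call is replaced by a locally built index over a constructed corpus with illustrative counts; the old and candidate passwords, the other-account hashes and the 15-character minimum are assumptions taken from this page for the example.

```python
"""Credential checks for the remediation step: length, breach exposure,
reuse of old material, and reuse across accounts."""
import hashlib
from collections import defaultdict
from difflib import SequenceMatcher

MIN_LENGTH = 15  # the length this page takes from NIST SP 800-63B

# Constructed breach corpus; counts are illustrative, not real statistics.
BREACHED_SAMPLE = {"password": 9000000, "Summer2023!": 1200, "letmein": 500000}


def _sha1_upper(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_local_range_index(corpus):
    """Return lookup(prefix) -> text in the same line format as the range API.

    A real client would instead GET https://api.pwnedpasswords.com/range/<prefix>
    and receive the same "<suffix>:<count>" lines; only the 5-char prefix leaves
    the machine.
    """
    index = defaultdict(list)
    for pw, count in corpus.items():
        digest = _sha1_upper(pw)
        index[digest[:5]].append(f"{digest[5:]}:{count}")
    return lambda prefix: "\r\n".join(index.get(prefix, []))


def breached_count(password, range_lookup):
    """Number of times the password appeared in breaches, 0 if not found."""
    digest = _sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        found_suffix, _, count = line.partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0


def shares_material(old_password, new_password):
    """True if the new password reuses a run of four or more characters from the
    old one, or is mostly the same string (Summer2023! -> Summer2024! style)."""
    a, b = old_password.lower(), new_password.lower()
    matcher = SequenceMatcher(None, a, b)
    longest = matcher.find_longest_match(0, len(a), 0, len(b))
    return longest.size >= 4 or matcher.ratio() >= 0.6


def evaluate(new_password, old_password, other_account_hashes, range_lookup):
    """Return the list of reasons to reject the new password; empty means accept."""
    problems = []
    if len(new_password) < MIN_LENGTH:
        problems.append("too_short")
    if shares_material(old_password, new_password):
        problems.append("reuses_old_material")
    count = breached_count(new_password, range_lookup)
    if count:
        problems.append(f"breached:{count}")
    new_hash = hashlib.sha256(new_password.encode("utf-8")).hexdigest()
    if new_hash in other_account_hashes.values():
        problems.append("reused_on_other_account")
    return problems


# Constructed: SHA-256 of passwords already used on other accounts, as a
# password-manager export could supply them for the cross-account check.
OTHER_ACCOUNT_HASHES = {
    "bank.example": hashlib.sha256(b"MyBankPassphrase-ForEvery-Site").hexdigest(),
}
LOOKUP = build_local_range_index(BREACHED_SAMPLE)

if __name__ == "__main__":
    old = "Summer2023!"
    for candidate in ["password", "Summer2024!!Extra",
                      "MyBankPassphrase-ForEvery-Site", "correct horse battery staple"]:
        print(f"{candidate!r}: {evaluate(candidate, old, OTHER_ACCOUNT_HASHES, LOOKUP) or 'ok'}")
```

The reuse check deliberately catches the common "bump the year" edit, which an attacker who already holds the old password will try first. The cross-account check compares hashes rather than plaintext so the script can be run against an export without keeping every password in memory in the clear.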


What Should You Do in the First 24 Hours After a Password Is Hacked?

The first 24 hours after discovering an account compromise are the most important for limiting damage. Here is the recommended incident response sequence.

0 to 15 minutes: Containment
Switch to a trusted, clean device. Navigate directly to the compromised platform. Initiate account recovery. Revoke all active sessions immediately. Do not wait to change the password first. Session revocation is the most time-critical action because it terminates active attacker access regardless of whether they know the current password.

15 to 60 minutes: Credential remediation
Change the password using a strong, unique passphrase. Enable or upgrade MFA. Update recovery email and phone to credentials under your control. Revoke all third-party app access. Delete unauthorized forwarding rules.

1 to 4 hours: Scope assessment
Review your inbox for sent messages you did not write. Check all linked accounts, particularly financial services, cloud storage, and organizational platforms. Change passwords on all accounts sharing the same or similar credentials. Check haveibeenpwned.com for your email address.

4 to 24 hours: Reporting and monitoring
If financial fraud occurred, contact your bank's fraud line and file a report at IdentityTheft.gov. If organizational systems were involved, escalate to your security team and follow your organization's incident response plan. Enable login notifications on all accounts. Monitor for unusual activity across all linked services for the next 30 days.


Frequently Asked Questions About Password Recovery After Being Hacked

Can changing your password stop a hacker who already has access?

Not on its own. If the attacker holds an active session token, changing the password does not necessarily invalidate it: not every platform terminates existing sessions on a password change, and some keep long-lived refresh tokens valid. Revoke active sessions before or immediately after changing your password. Likewise, if the attacker has granted themselves access through a third-party OAuth application, that access persists after a password change unless you explicitly revoke the application's permissions.

What if the hacker changed your recovery email and phone number?

Most major platforms provide an account recovery process specifically for this scenario. Google, Microsoft, and Apple use a combination of previous login history, device recognition, and knowledge-based verification to restore access to users who have been locked out after a takeover. The process can take several days. You will need to provide as many identity signals as possible, including the original recovery email address, billing information associated with the account, and the approximate date the account was created.

Does multi-factor authentication prevent all account takeovers?

No. Standard MFA based on SMS codes or time-based one-time passwords (TOTP) does not protect against adversary-in-the-middle (AiTM) phishing attacks, which capture the MFA code in real time along with the password. FIDO2/WebAuthn authenticators, whether hardware security keys or passkeys, are the consumer-grade method that resists AiTM phishing: the browser binds the signed response to the origin of the site that requested it, so a response obtained on a look-alike domain is rejected by the real site and cannot be replayed.

How do hackers get into accounts that use strong passwords?

Strong passwords protect against brute-force attacks and credential stuffing, but most successful account takeovers do not involve guessing the password. They involve stealing it through phishing, harvesting it from a data breach at another service where the same password was used, or capturing it through malware on the victim's device. A strong password that has been reused across multiple services offers significantly less protection than a unique but shorter password on each individual account.

How long does it take to fully recover from a hacked account?

Immediate containment can be achieved within 15 to 60 minutes if the attacker has not yet changed recovery information. Full remediation, including changing all shared passwords, revoking third-party access, auditing linked accounts, and implementing upgraded authentication, typically takes four to eight hours of active work. Monitoring for ongoing effects, such as fraudulent accounts opened in your name using stolen information, may be required for 30 to 90 days following the incident.


Executive Summary: TL;DR

A hacked password requires more than a password reset. The recovery process must include revoking active sessions, auditing third-party app permissions, checking for email forwarding rules, and changing credentials on all accounts that shared the same password.

The most time-critical action is session revocation, not password change. An attacker with an active session can maintain access even after the password is changed.

Stolen credentials have been involved in roughly 31 percent of breaches over the past ten years (Verizon 2024 DBIR). The average time from initial access to lateral movement was 62 minutes (CrowdStrike 2024 Global Threat Report).

NIST recommends passwords of at least 15 characters, checking new passwords against compromised credential lists, and phishing-resistant authenticators such as FIDO2 security keys for high-value accounts.

If financial fraud occurred, report at IdentityTheft.gov and contact your bank's fraud line using the number on your card, not a number from any email.

Ṣọ Mail analyzes authentication signals on every email the moment you open it, including spoofed sender domains, DKIM failures, and redirect chains used by credential-harvesting phishing pages. All analysis runs on your device. Zero data is stored externally.


Sources: FBI IC3 2023 Internet Crime Report; Verizon 2024 Data Breach Investigations Report; NIST Special Publication 800-61 and 800-63B; CISA guidance on account compromise; CrowdStrike 2024 Global Threat Report; Microsoft Security research on AiTM phishing and BEC (2022); FTC IdentityTheft.gov; SpyCloud 2024 Annual Identity Exposure Report; Google Security Checkup; haveibeenpwned.com

iOS: apps.apple.com/us/app/so-mail/id6756896070
Android: play.google.com/store/apps/details?id=com.app.somail

We earn revenue from subscriptions, never from your data.