Recover a Hacked Gmail Account (Even If You've Lost the Phone and Recovery Email)

Locked out of a hacked Gmail? Recover it from a familiar device even after the hacker changed your password and recovery info, then lock it down.
Image: a padlock on a laptop keyboard · rawpixel · CC0 (public domain) · source
Quick answer: Go to g.co/recover and start Google's account recovery, ideally from a phone or computer you have signed in on before, on your usual network. Answer as many verification prompts as you can, even the ones you are unsure about. A familiar device and persistence are what get most people back in, even after a hacker has changed the password and recovery details.
Your Gmail is the master key to your digital life. It resets your bank, your social media, your shopping. So losing it to a hacker feels like losing everything, especially when they have swapped out your recovery phone and email so Google's normal "text me a code" route is gone. It is still recoverable. Here is how, and what to lock down the moment you are back in.
Start the recovery the right way
- Use a familiar device. Open g.co/recover on a phone or computer where you were previously signed in, on your home Wi-Fi if possible. Google trusts these signals and is far more likely to verify you.
- Enter your email and try a real password. When asked, type the most recent password you remember, even an old one. It helps prove the account is yours.
- Work through every prompt. Google may ask for a recovery email or phone, your account creation date, or a code. Answer everything you can, and choose "Try another way" to reach more options rather than giving up.
- Be patient and persistent. If it fails, wait and try again from the same familiar device. Repeated attempts from a recognised device improve your odds. Do not create a new account, that abandons the old one.
If the hacker changed your recovery phone and email
This is the common and frightening case, and recovery still works because Google weighs many signals, not just the current recovery contacts. Keep using a device and location you have used before, enter previous passwords, and complete the recovery form as fully as you can. If Google needs time to review, it may ask you to wait before restoring access; its own guidance says a security hold can last anywhere from a few hours to 30 days, so do not panic if it is not instant. It is also worth checking the email address you originally registered, as Google may notify you there.
Once you are back in, lock it down fast
Regaining access is only half the job. A hacker usually leaves back doors, so in the first few minutes:
- Change your password to something long and unique you have never used elsewhere.
- Reset your recovery phone and email, removing any that the attacker added. Check these under your Google Account security settings.
- Check Gmail forwarding, filters and delegation. In Gmail settings, open "Forwarding and POP/IMAP" (or simply "Forwarding" on some accounts) and remove any forwarding address you did not add; open "Filters and Blocked Addresses" and delete any rule that auto-forwards or deletes your mail; and under "Accounts and Import" remove any mail delegation that grants someone else access to your inbox. This is how attackers keep reading your reset codes.
- Sign out everywhere. In your account's security section, review "Your devices" and sign out any you do not recognise.
- Turn on 2-Step Verification or a passkey, so a stolen password alone is no longer enough.
- Review third-party access. Remove any apps or connected accounts you do not recognise, and run Google's Security Checkup.
If recovery still fails
Keep trying from a familiar device over several days, as the signals Google uses can shift. There is no phone hotline for personal Google accounts, so be wary of any website or "support agent" that offers to recover your account for a fee, that is a second scam. If the account held critical access, focus on securing everything it could reset: change the passwords on your bank, and on any account that used that Gmail for recovery, from a clean device.
Frequently asked questions
Can I recover Gmail without the recovery phone or email? Often yes. Use a device and browser you have signed in on before, enter old passwords, and complete every verification step. Google weighs many signals beyond the recovery contacts.
The hacker changed my password. What now? Go straight to g.co/recover and follow the prompts from a familiar device. Do not create a new account.
How long does recovery take? Sometimes minutes. If Google places a security hold to review your request, its guidance says that can last anywhere from a few hours to 30 days.
What is the first thing to check after I get back in? Email forwarding and filters. Attackers set these to keep receiving your password-reset codes even after you change your password.
Should I pay a service to recover my account? No. Google has no paid recovery, and no phone support for personal accounts. Anyone charging a fee is running a scam.
Related: recover a hacked Instagram or Facebook account and recover a hacked WhatsApp account.
If an account of yours has been hijacked, you are not alone. See our cybercrime help hub for step-by-step reporting and recovery guides.