As posted on How can I stop someone else from using my Gmail account?
I think someone I know has hacked my Gmail account. What should I do? Valeria
This is a relatively common question. Other recent examples include “Someone is using my Gmail account to steal my data on a game. How do I get rid of him?” from Rodimus Ghost, and “My daughter is using my Gmail account. How do I stop her?” I don’t recall getting these queries about other email services.
My usual response is: “How do you know?”
There might be emails in the Sent Mail folder that you didn’t write, though hackers can cover their tracks by deleting copies of sent emails. However, incoming emails are not an indicator. I’ve had emails from Instagram, GoCompare, Barclaycard Business, Apple, Prattville YMCA and many other organisations where people have entered my Gmail address, probably by mistake. It doesn’t mean they have accessed my account.
The best way to tell if someone else has used our account is to scroll down the Gmail inbox and look for “Last account activity” in the bottom right. Clicking on Details produces a nice table that shows how someone accessed the account (browser, mobile, POP3 etc), their IP address, and the date and time. You should recognise any sessions that aren’t yours.
In fact, Gmail will, by default, notify you of any unusual activity. You may get an alert if you log on with a new device or from a different country. These alerts can be annoying but they increase your security. Don’t turn them off.
You can also check the Recently used devices page, which lists all the PCs, phones and tablets used in the previous 28 days. Again, it should be obvious if any of them are not yours.
There are simple ways to read someone else’s emails without leaving obvious traces. These are controlled from Gmail’s Settings, which you can find by clicking the cogwheel in the top right.
On the Settings page, click Accounts and Import and go to the penultimate entry: “Grant access to your account”. Someone could click “Add an email account”, enter another Gmail address, and access your emails from that account. They can keep these emails marked as Unread even if they’ve read them.
Next, click Forwarding and POP/IMAP and review the top section on mail forwarding.
Email services allow users to forward all incoming emails to another email address, and I think everyone should do this. I have Gmail forward all my emails to my account at Microsoft’s Outlook.com. As a result, I can still read and reply to emails even if Gmail is inaccessible. Further, if Gmail locked me out, I’d still have copies of emails going back to April 2004.
Locked out of your account? All might not be lost. Photograph: Graham Turner for the Guardian
So, if you can access someone’s mailbox, you can set up mail forwarding to an address that you control, and they’ll probably never notice. Make sure nobody has done that to you.
If you only read Gmail in a web browser, you could also disable the POP and IMAP access features. This would provide a small increase in security, but I don’t recommend it. In fact, there are advantages to using a PC email program such as Microsoft Outlook, Thunderbird or eM Client to collect Gmail using the IMAP protocol. These programs have more features than the web version of Gmail, and they store emails on your PC so that you can easily access them offline. IMAP leaves the original emails online, so you can still access them using different devices. (Yes, you can also install “Gmail Offline” via the Offline tab.)
Remember to save any changes before switching tabs.
Once you are sure your mailbox is not being hacked, change your password to keep other people out.
In Gmail, go back to Accounts and Import and click “Change password”.
Choose a strong password or passphrase that includes numbers and upper-case characters. Gmail requires at least eight characters, but aim for 12 or 16 or even more. Longer is better. It won’t be random, unless you use a password manager, but avoid family names, names of pets, birthdays, sports teams and other obvious elements.
For convenience, your browser or email program can remember your password. If you allow this, your email is only as secure as your PC. Anyone who can access your PC can access your email.
Nowadays, of course, the simplest way to hack someone’s email is to use a phishing attack. In this case, someone sends you a link in an email that pretends to come from Google. Clicking the link opens a browser tab where “Google” asks you to log in with your email address and password. The attacker harvests the results.
If you’re going to leave your PC unattended or fall for a phishing attack, it doesn’t matter how strong your password is.
Do the two-step
If someone can access your Gmail account, they can change your password and lock you out. You can prevent this by using “two-step verification”. With Gmail, this usually means Google will text a code to your mobile phone. This is fine until you don’t have a signal or lose your phone. Gmail therefore asks for a back-up phone number. (Landlines work: you get a voice message.) Gmail also allows you to print out a small set of verification numbers that you can use when travelling.
Google’s two-step notification on Android Photograph: Samuel Gibbs for the Guardian
Google provides an alternative to SMS in the form of Google Authenticator, a free app for Google Android devices and Apple iPhones and iPads.
You can also simplify two-step verification slightly by using “application specific passwords”. For example, if you access Gmail via a smartphone app or an email client that can’t handle two-step verification, you can request a separate password for each email program on each device. It only has to be entered once.
To use these extra security features in Gmail, go to Accounts and Import, click “Other Google Account settings” and then “Sign-in & security”. This provides access to password changes, two-step verification, and account recovery options.
What if your password stops working and you can’t get into Gmail? The traditional approach to account recovery is to ask for some personal information, such as your mother’s maiden name. This enabled people to hack email accounts by using information gleaned from social media accounts. You can prevent this by using random letters or something obscurely incorrect – “Mother’s maiden name: Quetzalcoatl” – but then you have to remember the answers.
Google’s recovery options include a phone number, another email address and a security question. It also likes to ask when the account was opened and when you last used it.
You may be able to find out when you created your Gmail account by searching for (in my case) before: 2004/04/15, or any date in YYYY/MM/DD order. That won’t work if you deleted your welcome message, but vary the date to find the oldest message you can.
Account recovery is the only way to get your Gmail back if you forget your password or a hacker changes it. But it doesn’t always work, and you may be told that “You weren’t signed in because Google couldn’t confirm that email@example.com belongs to you.”
Then – as another reader, Paul, found earlier this year – you end up in a “failed online recovery loop. No contact centre. No online chat. No contact details at all.” It looks as if there’s nothing you can do except open a new account, change all your online passwords and email addresses, and hope nothing bad happens.
Have you got a question? Email it to Ask.Jack@theguardian.com