How to recover your hacked Google account.
Update, August 5, 2025: This story, originally published on August 3, has been updated with further mitigation advice as well as a new report regarding phishing and credential theft trends as Google confirms account hacking spike and issues guidance for attack recovery to impacted users.
Google has confirmed a massive spike in the number of attacks against Google users, specifically password-stealing threats delivered by email, which increased by 84% last year — a worrying trend that, Google said, has “only intensified in 2025.” If you need proof of the danger of these infostealer attacks, I could point you to any number of reports, but to be honest, you’ve probably already read them. Far better, then, to point you instead at the advice that Google has issued on how to recover your account if it gets hacked.
Help — My Google Account Has Been Hacked
Take a quick peek at the Google online support forums, both official and those on Reddit, and you will soon realize that there is a constant stream of messages from people asking for help to access their hacked accounts.
Examples have included a user who says that a hacker has changed their Google account phone number and recovery email, and when they try to log in, it says their password has been changed. Another says they got a notification about suspicious activity, but by the time they actually checked it was too late, and a hacker had also changed their contact and recovery details. A third complains that the hacker of their account has added a passkey to the account, and every time they try to log in, it requires a QR code to be scanned or a device they don’t have to be used for authentication.
The July 29 Google announcement by Google’s senior director of product management, Andy Wen, confirmed the extent of the problem. “Attackers are intensifying their phishing and credential theft methods, which drive 37% of successful intrusions,” Wen warned. Wen also noted that Google has observed an “exponential rise in cookie and authentication token theft,” which hackers use to compromise accounts.
I have covered the steps to take in order to mitigate these attacks in various articles here at Forbes.com, and I suggest you go check them out. But what if the worst happens and you fall victim to a Google account hacker and find yourself locked out of accessing your precious account? The account that, among other things, opens the sensitive data vault that is your Gmail inbox. Don’t panic, Google has got you covered.
If your Google account has been hacked, or you find yourself locked out for whatever reason, there’s a helpful official online guide to recovering access in just a few simple steps.
Point your web browser at g.co/recover and enter your Gmail address. Be sure to use a computer or phone that you’ve used to sign in to your account before, and use your usual browser from a location you usually sign in from.
Answer the questions Google asks to the best of your ability. If you can’t remember your password, use a previous one that you can or “take your best guess,” as Google suggests.
You may be sent a security code to your recovery email or phone, to an authenticator app, or as a direct prompt on your device. Note, however, that “Google never asks for your password or verification codes over email, phone call, or message”; anyone who does is a hacker.
Reset your password when prompted.
All that said, prevention is still better than cure. The single most effective method of preventing a hacker from taking over your account is to use a more secure form of user credentials than a username and password combo, even when coupled to two-factor authentication. Yes, and I don’t apologize for continuing to hammer this advice home, I’m talking about passkeys.
Passkeys consist of two distinct keys: a public key, which is unique and is both created and stored on a company server, and a private key stored only on the user’s device. Think of the public key as the thing that creates a challenge that can then only be correctly solved by the private key. Together these make a passkey almost impossible for a hacker to guess or intercept, and I am loath to say even that, as there is no such thing as perfect security. The keys are randomly generated and are never shared during the sign-in process. They are, in my never humble opinion, the best thing to happen to credential security in a very long while.
Google itself gives three reasons as to why this is the case:
Passkeys are inherently more phishing-resistant because users cannot be tricked into handing over passkeys to a malicious actor.
Signing in with passkeys is as simple as unlocking your device, such as using a PIN or biometrics, such as a fingerprint or facial recognition.
Unlike passwords that are often reused, each passkey is unique and generated for each specific website or service.
Best of all, switching from a password and 2FA to a passkey is easy, painless and quick. So, what are you waiting for?
New Cisco Talos Report Adds Weight To Google Credential-Harvesting Warnings
Phishing has remained the most prominent method of initial access for hackers, Lexi DiScola, an information security analyst with the Cisco Talos Intelligence Group, warned in a summary of the latest intelligence analysis report from Cisco Talos. Most of these phishing attacks involved credential harvesting, which adds weight to Google’s warnings about password-stealing threats to users. “The objective of the majority of observed phishing attacks appeared to be credential harvesting,” DiScola said, “suggesting cybercriminals may consider brokering compromised credentials as simpler and more reliably profitable than other post-exploitation activities, such as engineering a financial payout or stealing proprietary data.”
The use of legitimate and trusted email accounts is a primary aim of attackers, enabling them to potentially bypass “an organization’s security controls as well as appearing more trustworthy to the recipient,” DiScola warned. In one case cited in the report, victims were directed to a fake Microsoft Office 365 login page requiring a fake 2FA input, “likely so the attacker could steal users’ credentials and session tokens.” All users, not just those of the Google platform, need to be alert to the risk.