First, ask yourself these two questions:
1) Am I 100% sure I have not forgotten my password?
2) What makes me think I have been hacked?
Some typical signs include:
Blocked access— You can no longer access your account as your password is different, your recovery methods changed, or you do not receive any verification codes.
Security email from Google— You have received an email from [email protected] with a security alert, such as a change in your recovery email address or phone number. The email will contain a link that will enable you to "Check your activity."
Unusual login activity— In your account settings under the Security tab, there are two ways you can review your activity.
Recent security activity. This will provide a description of the security activity or alert, as well as the device used, the timestamp, and the location.
Your devices > Manage devices. This feature will list the types of devices you are signed into, as well as dates and locations. Under More details you will find the first sign-in date, the IP address, and the browsers you are signed in to on that device.
Suspicious behavior— Any odd emails in your Sent, Trash, or Draft folders that you do not recognize can indicate compromise. Your friends and family may also claim to receive a lot of spam from you. Additionally, some emails may be marked as 'read' in your inbox even though you have never opened them.
If you have been hacked but can still access your Google account, immediately:
Change your account password. Make it strong and unique, and do not share it with anyone. It should be changed every 6 months, and can be stored in a password manager.
From your computer: Open your Google account settings and go to Security > Signing in to Google > Password. You might need to sign in first, and then you can select a new password.
From your iOS device (iPhone/iPad): You can either go to myaccount.google.com or open the Gmail app, tap your initial or profile picture at the top right, and go to Manage your Google Account. Tap on Personal info > Basic info > Password. You may then enter your new password and select Change Password.
Enable two-factor authentication (2FA). You can do this directly from your account settings under Security > Signing in to Google > 2-Step Verification. You will be able to choose the backup step you prefer, and you can add more than one to give yourself more flexibility:
Verification codes via voice or text message
Backup codes
Google Prompt
Authenticator app
Backup phone
Security key
💡 Tip: If you already have 2FA activated but you selected verification codes via voice or text message, you should switch the delivery method to a third-party authentication app instead, because a hacker can intercept the code sent to your phone. However, if you use the authenticator app method and lose your phone, you will need access to your backup codes, or else you will be unable to enter your account.
If you have been hacked and can no longer access your Google account:
Start the Google Account Recovery process. Go to the Google login page and select "Forgot your password?" Then, depending on which recovery method you enabled, you will be asked to enter:
the last password you remember
a verification code sent to your recovery email
a verification code sent by SMS to your phone
Using a device and an IP address which are familiar to Google will speed up the process.
Once you have successfully provided the required information above, you will be able to enter a new email address and further communicate with Google until you regain access to your account.
If you do not know your last password and/or verification code(s), Google will keep prompting you to "Try Again" until you either supply them or decide to create a new account.
Things to keep in mind with Google:
You need to add as many recovery methods as possible, since this will give you the best chance at regaining access to your account in the event of a hack. Although Google will not force you to put one in place, it is vital that you do so.
If you do not remember your last password, and cannot get a verification code via email or phone during the Account Recovery process, you will need to create a new Google account.
2FA secures your account login, not your account recovery. It is designed to be an extra barrier of security against a hacker trying to enter your account with your password—it does not help you access your account if the hacker has already changed your password. In other words, 2FA prevents the initial account loss but does not help recover it.