You wake up. You check your phone. You have 14 messages from confused friends and angry coworkers.
"Did you just send me a weird link?"
"Your email looks hacked."
"What is this sketchy attachment?"
Your heart sinks. You open your Sent folder. There they are. Dozens of emails you never wrote. All sent to everyone you know.
Your Gmail sending spam to all your contacts is a nightmare scenario. But it happens thousands of times every day.
The good news? You can fix this. You can recover your account. You can prevent it from happening again.
Follow these 7 steps immediately.
Why Did This Happen?
Before the fix, understand the cause.
Your Gmail did not send spam by itself. An attacker gained access to your account. They used it to send malicious emails to your contacts.
Common entry points:
1. You reused a password that leaked in another data breach
2. You clicked a phishing link and entered your credentials
3. Your computer has malware that stole your session cookie
4. You approved a malicious third-party app
The attacker may still be in your account. Every minute you wait, more contacts receive spam.
Let us fix that right now.
Step 1: Change Your Password Immediately
This is your first and most critical action.
How to change your Gmail password:
1. Go to myaccount.google.com
2. Click Security in the left sidebar
3. Click Password under "Signing in to Google"
4. Enter your current password
5. Choose a new strong password (minimum of 12 characters, combination of letters, numbers and symbols)
6. Click Change Password
Important Note:
Don’t reuse a previous password, and don’t create simple variations of one. Use a password manager to generate and save a unique new password for you.
Step 2: Sign all other devices out
Changing your password does not, by itself, end the sessions the attacker already has open in your account. You need to force them out.
Steps to sign out of all devices:
1. Go to myaccount.google.com
2. Click Security
3. Scroll to your devices
4. Click on Manage all devices
5. Review the list of devices
6. Click on all devices that you do not recognize
7. Click Sign Out
8. Repeat for all devices you suspect to be unknown
9. Click Sign Out All Other Devices at the bottom.
The most important things to look for are:
1. Devices located in countries you have never visited.
2. Devices with unfamiliar names.
3. Devices that show recent activity while you were asleep.
Step 3: Remove Any Unfamiliar Recovery Options
If an attacker has compromised your account, they can create their own recovery method (an email address or phone number) which allows them to regain access to your account after you've changed your password.
To find and eliminate any suspicious recovery methods, follow these steps:
1. Go to myaccount.google.com.
2. Click "Security" in the left-hand menu.
3. Go all the way down to the section labeled "Ways to Verify It's You" and select "Recovery Email".
4. Remove any recovery email addresses that do not belong to you.
5. Now select "Recovery Phone".
6. Remove any recovery phone numbers that do not belong to you.
7. If no recovery method remains, add a recovery email and phone number that you control.
Step 4: Check for Unwanted Forwarding Rules
Many clever attackers will create forwarding rules to have copies of every email you receive and send.
Here's how to check for forwarding rules:
1. Sign in to Gmail using your web browser on a computer
2. Click the Settings button (located at the top right of your screen)
3. Click See All Settings
4. Click Forwarding and POP/IMAP
5. Look for any email address listed under "Forwarding Address" that you have not added yourself
6. If you see one, click Remove, then Save Changes
Next, check your filters as well:
1. In the Gmail Settings menu, select Filters and Blocked Addresses.
2. Look for filters that:
a) Forward a large number of emails to another email address regularly,
b) Automatically delete emails, and
c) Mark emails read immediately.
3. You must delete any filters you did not create.
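One way to do the filter review in Step 4 systematically: the Filters and Blocked Addresses page has an Export button that saves your filters as an XML file (mailFilters.xml). The script below, an added example that is not part of the original article, parses that export and flags every filter that forwards, deletes or marks mail as read; it also flags filters that skip the inbox, since attackers commonly pair that with the other three. The sample export embedded in it is constructed, and the forwarding address in it is a placeholder.

```python
import xml.etree.ElementTree as ET

# Namespaces used by Gmail's filter export (Settings > Filters and Blocked Addresses > Export).
ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Filter properties an attacker typically uses to hide or exfiltrate mail.
RISKY_PROPS = {
    "forwardTo": "forwards mail to another address",
    "shouldTrash": "deletes mail automatically",
    "shouldMarkAsRead": "marks mail as read so you never notice it",
    "shouldArchive": "skips the inbox (hides mail from view)",
}

def audit_filters(xml_text):
    """Return (criteria, reasons) for every filter in the export that does something risky."""
    root = ET.fromstring(xml_text)
    findings = []
    for entry in root.iter(ATOM + "entry"):
        props = {p.get("name"): p.get("value") for p in entry.iter(APPS + "property")}
        reasons = []
        for name, why in RISKY_PROPS.items():
            value = props.get(name)
            if value and value != "false":
                detail = f" -> {value}" if name == "forwardTo" else ""
                reasons.append(why + detail)
        if reasons:
            # Everything that is not an action is the matching criteria (from, hasTheWord, ...).
            criteria = {k: v for k, v in props.items() if k not in RISKY_PROPS}
            findings.append((criteria, reasons))
    return findings

# Constructed sample export: one harmless labelling filter and one attacker-style filter
# that silently forwards, hides and deletes anything mentioning passwords or invoices.
SAMPLE_EXPORT = """<?xml version='1.0' encoding='UTF-8'?>
<feed xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry>
    <apps:property name='from' value='newsletter@example.com'/>
    <apps:property name='label' value='Newsletters'/>
  </entry>
  <entry>
    <apps:property name='hasTheWord' value='password OR invoice OR verification'/>
    <apps:property name='forwardTo' value='attacker-placeholder@example.net'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
    <apps:property name='shouldArchive' value='true'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
</feed>"""
```

To check your own export, call audit_filters(open("mailFilters.xml").read()) and delete every filter it reports that you did not create yourself.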
Step 5: Deny Access to Malicious Third Party Applications
Attackers abuse the "Sign in with Google" option to connect malicious applications that keep access to your account even after you change your password.
How to revoke app access:
1. Log in to myaccount.google.com
2. Select Security in the sidebar
3. Select "Third-party apps with access to this account" (it may be labelled "Your connections" instead)
4. Review every App within the list
5. Remove any apps that you do not recognize or no longer use
6. Pay special attention to apps with permissions like:
a) “Read, send, delete and manage email”
b) “Manage your contacts”
c) “Full Account Access”
Step 6: Run a Security Checkup
Google provides a built-in security scanner. Run it now.
How to run Security Checkup:
1. Go to myaccount.google.com
2. Click Security
3. Click "Security Checkup" at the top
4. Follow the prompts to review:
a) Your devices
b) Recent security events
c) Third-party access
d) Recovery information
e) Gmail settings
Fix every warning you see.
Step 7: Scan Your Computer for Malware
Sometimes the attacker did not steal your password. They stole your browser session cookie. A password change alone will not stop them.
On Windows:
1. Run Windows Security (built-in)
2. Click Virus & threat protection
3. Click Quick scan
4. Then run Microsoft Safety Scanner for a deeper scan
On Mac:
1. Use Malwarebytes for Mac (free version is fine)
2. Run a full system scan
On any device:
1. Clear your browser cookies and cache
2. Remove unfamiliar browser extensions
3. Update your browser to the latest version
What To Do After Securing Your Account
You have stopped the attack. Now you need to clean up the damage.
Send an Apology to Your Contacts
Your contacts received spam from you. They may be worried or annoyed. Send a brief, honest apology.
Check Your Sent Folder for Damage
Review your Sent folder. Count how many people received the spam. Make a list. You may need to follow up with specific individuals.
Warn Your Contacts Individually
For important contacts (boss, clients, family), send a separate message. Explain what happened. Ask them to ignore the spam.
Enable 2-Step Verification (Critical)
This is the single most important protection you can add.
Steps to Enable Two-Step Verification
1. Login to your account at myaccount.google.com > select Security
2. Click on the "2-Step Verification" link in the left column
3. Click the "Get started" button
4. Configure the method of verification by selecting either a phone number or an authenticating application (Google Authenticator or Authy)
Even if someone steals your username and password, they cannot sign in to your account without access to your phone at the time of login.
How to Prevent This From Happening Again
You have handled the immediate crisis. Now prevent the sequel.
Do Not Reuse Passwords: Every account needs a unique password. Use a password manager (Bitwarden, 1Password, or Apple/Google built-in).
Never Click Phishing Links: Check the sender's email address before clicking. Hover over links to see the real destination. Do not enter your Google password on any page except accounts.google.com.
Review Account Activity Weekly: Check myaccount.google.com > Security > Recent security activity once a week. Look for unrecognized logins.
Keep Software Updated: Outdated browsers and operating systems have known vulnerabilities. Turn on automatic updates.
What Not To Do (Common Mistakes)
Do not panic-delete your entire Google account. You will lose years of emails and contacts.
Do not pay anyone who emails you demanding money to "fix" your account. That is a secondary scam.
Do not ignore the problem hoping it goes away. Attackers stay in accounts for months.
Real Example: What A Compromised Account Looks Like
Here is a real example of a spam email sent from a hacked Gmail account:
From: your.name@gmail.com
Subject: Hey
Body:
"Check out this document I made for you
[malicious shortened link]"
The email has no personalization. It uses a generic greeting. The link goes to a fake Google login page or a malware download.
If your contacts received something similar, your account was compromised.
Actionable Checklist
1. Changed my Google password immediately
2. Signed out all other devices
3. Removed unfamiliar recovery email/phone
4. Checked and removed malicious forwarding rules
5. Checked and removed suspicious email filters
6. Revoked unrecognized third-party app access
7. Ran Google Security Checkup
8. Scanned my computer for malware
9. Enabled 2-Step Verification
10. Sent apology email to my contacts
11. Saved backup codes in a safe place
Conclusion
Having your Gmail send spam to all your contacts is stressful. But it is solvable.
Attackers target Gmail accounts every day. They count on you panicking or giving up. Do not let them win.
Change your password. Sign out all devices. Remove forwarding rules. Enable 2FA. Send an apology. Then move on with your life.
Your account is now more secure than before the attack. And you will never ignore Gmail security again.
FAQ Section
Q1: How did my Gmail send spam without me knowing?
Attackers can log into your account from their own device, use an authorized app, or install a forwarding rule. They send spam from your account and then delete the sent emails to hide evidence. Check your "All Mail" folder if "Sent" looks empty.
Q2: Can I recover my Gmail if I cannot log in?
Yes. Go to accounts.google.com/signin/recovery. Use your recovery email or phone number. Follow Google's account recovery process. If you never set recovery options, this will be much harder. Contact Google support as a last resort.
Q3: Should I delete my Gmail account after being hacked?
No. Deleting your account does not remove the spam already sent. It also locks you out of all Google services. Securing your existing account is always better than deletion.
Q4: Does Google send me an alert if my account sends out spam?
Sometimes. Google might send a Security Alert via email or show you a notice (a warning banner) in Gmail. Some sophisticated hackers will delete these messages so you will not see them. Don't depend on Google to notify you. You should check your Sent folder every day.
Q5: How long does it take to fully secure a hacked Gmail?
The urgent steps (password change, sign out devices, remove forwarding) take 10 minutes. Full security (2FA, backup codes, malware scan, apology emails) takes 30–60 minutes. Do not delay. Every hour the attacker stays in your account causes more damage.