Identify and secure compromised accounts

As an administrator, if you suspect an account may be compromised, you can use this checklist to ensure that your users' accounts are secure (for example, compromised or hijacked accounts). Work with affected users to complete the end-user Gmail security checklist.

Follow these security steps

Step 1. Temporarily suspend the suspected compromised user account
  1. Suspend a user to prevent unauthorized access.

    Note: Suspending a user resets the user's sign-in cookies and OAuth tokens.

  2. Investigate the potentially unauthorized activity and restore the account. You might also consider enrolling the domain in 2-step verification (2SV).
  3. Ask the affected user to review their recovery address and complete the Gmail security checklist.
Step 2. Investigate the account for unauthorized activity
  1. If the compromised user is an administrator, review the Admin audit logs for any configuration changes the user has recently made. Skip this step if it doesn't apply.
  2. Review mobile devices associated with the affected account and wipe any suspicious devices.
  3. Investigate the potentially unauthorized activity:
    1. Use the User log events in the Admin console to view a complete list of successful and unsuccessful web-based sign-ins in your domain for up to 6 months. Suspicious sign-ins are flagged with a warning icon. You can also retrieve the sign-ins for domain accounts via the Reports API.
    2. Use the Email log search to review delivery logs for your domains and evaluate message transit to and from the possibly compromised accounts. If the account is managed by Vault, you can use the Email log search to review email activity.
      Note: If your users upgrade to an edition that includes Vault, they can recover permanently deleted emails or docs.
    3. Use the Security report to evaluate the exposure of the domain to data security risks. You should review these reports:
      • Oauth log events
      • Groups log events
      • Drive log events 

        Supported editions for this feature: Frontline Starter and Frontline Standard; Business Starter, Business Standard, and Business Plus; Enterprise Standard and Enterprise Plus; Education Fundamentals, Education Standard, Teaching and Learning Upgrade, and Education PlusEssentials Starter, Essentials, Enterprise Essentials, and Enterprise Essentials Plus; G Suite Business.  Compare your edition

      • Calendar log events
    4. Verify if any malicious settings were created. You can retrieve user account settings (such as forwarding settings) through the Gmail API. If you suspect a account was used as part of this compromise, please report it.
Step 3. Revoke access to the affected account
  1. Follow the steps in Reset a user's password.
  2. Revoke OAuth 2.0 tokens for the user. 
  3. Some applications that use the OAuth 2.0 authentication method will stop accessing data after you reset a user's password. The user must sign in with their account name and new password to receive a new OAuth 2.0 token.
  4. Remove App passwords that the user created.
Step 4. Return access to the user again
  1. Unsuspend the account.
  2. Let users know their new temporary passwords and ask them to set new, unique passwords (no passwords used with any other websites or applications).
  3. Enable 2-step verification for the domain, and enroll users with security keys (recommended over 2SV codes).
  4. Work with users to complete the end-user Gmail security checklist. For example, ensure that all your end-user filters and forwarding options are configured appropriately.
    1. Update your account recovery options.
    2. Check your account for unusual activity.
    3. Check for missing or suspicious messages.
    4. Check your contacts for errors.
    5. Check your Gmail settings.  

Take additional security steps 

We recommend that you take these additional steps to ensure the security of your users' accounts.

Step 1. Enroll in 2-step verification with security keys

Enrolling in 2-step verification adds an extra layer of security to your users' accounts. It requires users to enter a verification code in addition to their username and password when signing in to their accounts. See Add 2-step verification for details. We recommend using security keys over 2SV security codes for better protection against phishing.

Step 2. Add, secure, or update recovery options

See Add recovery options to your administrator account for instructions on adding secondary email addresses and phone numbers. We recommend to secure secondary email addresses by changing the passwords or update the secondary email to a new address.

Step 3. Enable account activity alerts

As an administrator, you can choose to receive account activity alerts when important events occur, such as potentially suspicious sign-ins or service setting changes by other administrators.

See Google's Safety Center for general recommendations on keeping your account secure.

Was this helpful?

How can we improve it?
Clear search
Close search
Google apps
Main menu