Your Google account powers Gmail, Drive, YouTube and Android recovery. If it is compromised, attackers can reset passwords across many services. In 2026, the best approach is to harden security settings in a specific order.
π Table of Contents
π§ Security priorities: do these first
- Secure your recovery: email, phone and backup options.
- Enable 2FA or passkeys for the Google login.
- Review sessions/devices and remove anything unknown.
Warning: attackers often keep access by changing recovery settings right after a takeover. Review them even if your password was βchangedβ.
π Use a strong password and verify it
Use a unique long password stored in a password manager. If you want to verify exposure, use our tools: Email Leak and Check Password.
π Enable 2FA (and backup codes)
- Turn on 2FA in your Google account security settings.
- Save backup codes.
- Prefer authenticator apps where available.
Guide: Two-Factor Authentication (2FA) guide.
π¬ Passkeys: add them safely
Passkeys can reduce password theft risk by using device-bound authentication. Add them gradually and keep recovery options secure.
Learn more: Passkeys in 2026.
𧩠Harden recovery options
- Check recovery phone numbers and email addresses.
- Review backup methods and ensure they are not attacker-controlled.
- Enable security alerts and sign-in notifications.
βοΈ Privacy settings and device controls
- Check privacy controls for Gmail and web activity.
- Review data sharing and advertising preferences.
- Limit what apps can access on Android.
If you want privacy cleanup steps: How to Remove Your Digital Footprint Online.
π± Review devices and activity
- Sign out from unknown sessions.
- Remove devices you do not recognize.
- Monitor suspicious activity and take immediate action.
β‘ Make your recovery path resilient
Hardening Google security means fewer account takeovers across the whole internet.
π§ Secure Email