Hackers are stealing your personal information using this password hack — here’s how to protect yourself

You’re checking your inbox or scrolling through your phone when something catches your attention. It’s a message about a password reset, but you never asked for one. 

It might have arrived by email, text message or even through an authenticator app. It looks legitimate, and it could be from a service you actually use. Still, something feels off.

Unrequested password reset messages are often an early warning sign that someone may be trying to access your account. In some cases, the alert is real. In others, it’s a fake message designed to trick you into clicking a malicious link. Either way, it means your personal information may be at risk, and it’s important to act quickly.

Why you’re receiving password reset emails you didn’t request

There are a few reasons this might happen:

• Someone is attempting unauthorized access: Hackers often test stolen credentials from data breaches to see where they still work. If they find an account tied to your email, triggering a password reset is one way they try to gain control.
• You are being targeted through phishing: Scammers send fake password reset emails or texts that look official. These often link to fake websites that steal your login credentials or install malware.
• You are experiencing a credential stuffing attack: This is when attackers use bots to flood login pages with known usernames and passwords. If anything matches, they will try to reset the password and lock you out.
• Your two-factor authentication is blocking the login: If you receive a prompt from your authenticator app but did not attempt to log in, it means someone has your correct password and is trying to break through your second layer of protection.
• You may be facing a SIM swap attempt: SMS-based two-factor authentication is vulnerable if someone hijacks your phone number. If you suddenly stop receiving texts or see password resets tied to SMS, contact your mobile provider immediately.

In some cases, the message is legitimate, as seen in the email below, but the request didn’t come from you. That is often a sign your login details are already in someone else’s hands.

How to identify suspicious password reset attempts

Unsolicited password reset alerts can take several forms, each with signs of potential fraud or hacking:

• Email: Most services will send a password reset link to your inbox. If you didn’t request it, that is a red flag.
• Text message: You might receive a verification code or reset link via SMS. While many companies use text-based verification, scammers also send fake messages that mimic real ones.
• Authenticator app requests: This is often the clearest sign that someone already has your password. If you get a 2FA prompt you didn’t trigger, someone is trying to log in right now and needs your approval to finish the process.

No matter how the alert appears, the goal is the same. Either someone is trying to trick you into handing over your credentials, or they already have your password and are trying to finish the job.

What to do if you receive an unrequested password reset

If you receive a password reset alert you didn’t request, treat it as a warning. Whether the message is legitimate or not, acting quickly can help prevent unauthorized access and stop an attack in progress. Here are the steps you should take right away.

1. Don’t click on anything in the message: If the alert came through email or text, avoid clicking any links. Instead, go directly to the official site or app to check your account. If the request was real, there will usually be a notification inside your account.

2. Check for suspicious login activity: Most accounts have a way to view your recent logins. Look for suspicious activity like unfamiliar devices, strange locations or logins you don’t recognize. A login from a location you have never been to could be a sign of a breach.

• Google accounts: Go to myaccount.google.com and open the Security tab to see recent devices and activity
• Apple ID: On your iPhone, iPad or Mac, open Settings (or System Settings on Mac), tap your name at the top, scroll down to view your list of signed-in devices and tap any unfamiliar one to select Remove from Account.
• Microsoft accounts: Visit account.microsoft.com, sign in, then go to Security > Sign-in activity to view recent access attempts
• Banking and social media platforms: Look under your profile or settings for login history or device management

3. Change your password: Even if nothing looks wrong, it’s a good idea to reset your password. Choose one that is long, complex and unique. Avoid reusing passwords across different accounts. Consider using a password manager to generate and store complex passwords.  Get more details about my best expert-reviewed Password Managers of 2025 here.

4. Scan your device for threats: If someone got access to your password, there is a chance your device is compromised. Use strong antivirus software to scan for keyloggers or spyware.

5. Report the incident: If the alert came from a suspicious message, report it. In Gmail, tap the three-dot menu and select Report phishing. For other services, use the official website to flag unauthorized activity. You can also file a report at the FBI’s Internet Crime Complaint Center if you suspect a scam.

Steps you can take to eliminate password reset emails

You can take a few steps to try to reduce the number of emails you receive requesting a password reset.

1. Double-check your username and password. When accessing your account, you may have a typo in your login information. Should you repeatedly attempt to access your account with this error, the company that holds the account may believe a hacking attempt is occurring, triggering an automatic reset. If your web browser automatically populates your username and password for you, make sure this information is free of typos.

2. Remove unauthorized devices. Some accounts maintain a list of devices authorized to use your account. If a hacker manages to gain some of your personal information, it may be able to add one of his devices to your authorized list, triggering account login errors as he tries to hack your password. Check the list of authorized devices and remove any items you don’t recognize. 

The process varies, depending on the type of account. We’ll cover steps for Microsoft, Gmail, Yahoo and AOL.

Microsoft

• Sign in to your Microsoft account at account.microsoft.com.
• Click your profile icon at the top right and select My Microsoft Account.
• Scroll down to find the Devices section and click View all devices.
• You’ll see a list of devices associated with your account. Click Show details for each one to review activity.
• If you see a device you don’t recognize or no longer use, click Remove device.