I Scanned a QR Code and My Email Got Hacked — What to Do Now

Your email account was compromised after scanning a QR code. Here are the exact recovery steps — in order — to lock the attacker out, undo any damage they may have caused, and protect every other account that relies on your email.

How a QR code leads to a hacked email account

QR codes can't reach into your phone and steal a password. What they can do is send you to a page that looks exactly like Gmail, Outlook, Yahoo Mail, or iCloud — and if you typed your credentials there, the attacker captured them.

There is also a subtler variant: some phishing pages abuse OAuth consent instead of asking for a password. The page sends you to your real email provider, which asks you to grant an attacker-controlled app permission to read your mailbox. If you approve, the attacker holds an access token that keeps working even after you change your password, until you revoke that app's access and end your active sessions.

If you only landed on a page and immediately closed it without entering anything, your email almost certainly was not compromised. The steps below are for people who entered credentials, approved a permission request, or are now seeing evidence of unauthorized access.

Immediate recovery steps — do these in order

Step 1: Change your password right now

Use a different device if possible — one that wasn't used during the scan. Go directly to your email provider's website by typing the address yourself (don't follow a link). Change your password to something long and unique that you haven't used anywhere else.

Step 2: Sign out of all active sessions

In your account's Security settings, find the option to view and end active sessions (Google calls it “Your devices”; Outlook calls it “Recent activity”). End every session except the one you're currently using. This invalidates any session tokens the attacker may have, even if they haven't used your password directly.

Step 3: Enable two-factor authentication

If 2FA wasn't on, turn it on now, using an authenticator app (Google Authenticator, Authy) rather than SMS if your provider offers the choice. Then even if the attacker captures your password again, they can't log in without the second factor.

Step 4: Check for hidden attacker modifications

Attackers often make changes designed to persist after a password reset. Check all of the following before you consider the account clean:

  • Email forwarding rules — Settings → Forwarding (Gmail) or Settings → Mail → Forwarding (Outlook). Delete any address you didn't add.
  • Filters and auto-rules — Attackers sometimes create filters that silently delete security alerts or forward specific emails (bank notifications, password resets) to themselves.
  • Auto-reply messages — Check for any vacation or out-of-office replies added without your knowledge.
  • Connected apps and OAuth permissions — Remove any third-party app access you don't recognize (Google: Security → Third-party apps with account access).
  • Recovery phone and email — Verify the attacker hasn't swapped your account recovery options to ones they control.

Step 5: Scan your Sent folder and notify contacts

Look through your Sent folder for emails you didn't write. If the attacker sent phishing messages from your account, let your contacts know: your account was briefly compromised, and they should not click any links in recent messages from your address.

Secure the accounts that depend on your email

Your email is the master key to most of your online life. Anyone who had access to your inbox — even briefly — may have used your “Forgot password” flows to reset credentials on other accounts. After securing your email, change passwords on:

  • Your bank and any financial accounts
  • PayPal, Venmo, Cash App, or any payment platform
  • Amazon, eBay, and any shopping accounts with saved payment methods
  • Social media accounts (Facebook, Instagram, LinkedIn)
  • Any account that uses your email for login or recovery

If you reused your email password on any of those sites, change those too — and consider using a password manager going forward so each account has a unique credential.

How to prevent this from happening again

The QR code exploited a gap that exists in every phone's default scanner: it opens the destination URL instantly, without showing you where you're going. A safe QR scanner checks the link before your browser loads anything.

Beyond the scanner, two habits protect you:

  • Never log in through a page you reached by scanning a QR code. If a page asks for your email credentials, close it and navigate directly to the provider's address by typing it yourself.
  • Always glance at the URL before entering anything. A phishing page mimicking Gmail might use “g00gle.com,” “gmail.login-secure.com,” or similar. If the domain isn't exactly right, close the tab.
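As an added example (not QRsafer's code or anything from this page), here is a small Python check that applies the rule above to a URL decoded from a QR code: it accepts only an exact match against an assumed allowlist of provider login hosts, and blocks lookalike domains such as g00gle.com and brand names placed in a subdomain such as gmail.login-secure.com. The allowlist, the substitution table and the two-label domain rule are simplifying assumptions.

```python
"""Check a URL decoded from a QR code before a browser opens it.

Added example, not QRsafer's code. The allowlist and lookalike map are
assumptions; the registrable-domain logic is simplified (last two labels).
"""
from urllib.parse import urlsplit

# Hosts where typing credentials for these providers is legitimate (assumed, partial list).
PROVIDER_HOSTS = {
    "google": {"accounts.google.com", "mail.google.com"},
    "microsoft": {"login.live.com", "login.microsoftonline.com", "outlook.live.com"},
    "apple": {"appleid.apple.com", "icloud.com", "www.icloud.com"},
    "yahoo": {"login.yahoo.com", "mail.yahoo.com"},
}
# Brand words a phishing page is likely to place somewhere in the host or path.
BRAND_WORDS = {"google", "gmail", "outlook", "microsoft", "icloud", "apple", "yahoo"}
# Digit-for-letter substitutions seen in lookalike domains (g00gle -> google).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def classify_qr_url(url: str) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'ok', 'warn' or 'block'."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "block", "not a web URL"
    if parts.scheme != "https":
        return "block", "credentials must never travel over plain http"
    if any(host in hosts for hosts in PROVIDER_HOSTS.values()):
        return "ok", "exact match for a known provider login host"
    labels = host.split(".")
    registrable = ".".join(labels[-2:])  # simplified: ignores co.uk-style suffixes
    normalized = registrable.translate(HOMOGLYPHS)
    if normalized != registrable and any(w in normalized for w in BRAND_WORDS):
        return "block", f"lookalike domain {registrable!r} (reads as {normalized!r})"
    subdomain = ".".join(labels[:-2])
    if any(w in subdomain or w in parts.path.lower() for w in BRAND_WORDS):
        return "block", f"brand name used outside the real domain ({registrable!r})"
    return "warn", f"unknown domain {registrable!r}; do not enter email credentials here"


if __name__ == "__main__":
    # Constructed sample URLs, as a scanner might decode them.
    for sample in ("https://accounts.google.com/signin", "https://g00gle.com/login",
                   "https://gmail.login-secure.com/signin", "https://menu.example.com/table/4"):
        print(sample, "->", classify_qr_url(sample))
```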

Frequently asked questions

Can scanning a QR code compromise my email account?

Yes, indirectly. A QR code can redirect you to a convincing fake login page. If you entered your credentials there, the attacker captured them. Simply visiting a page without entering anything carries very low risk on modern phones.

What should I do first if my email was hacked after scanning a QR code?

On a clean device: change your password immediately, sign out of all active sessions in Security settings, enable two-factor authentication, then check for forwarding rules, filters, and connected apps the attacker may have added.

What can an attacker do with access to my email account?

Email access is extremely valuable because most password reset flows depend on it. An attacker can reset passwords for your bank, social media, and shopping accounts; read private messages; set silent forwarding rules; impersonate you to contacts; and export your address book for follow-on phishing.

Should I notify my contacts after my email was hacked?

Yes, if you see any outgoing emails you didn't send. Let your contacts know your account was temporarily compromised and that they should not click any links in messages recently sent from your address.

See where a QR code goes before your phone opens it

QRsafer checks the destination URL for threats before your browser loads anything. A phishing page won't pass. Free on iOS and Android.
