Skip to main content

By clicking a retailer link you consent to third-party cookies that track your onward journey. This enables W? to receive an affiliate commission if you make a purchase, which supports our mission to be the UK's consumer champion.

Why did I receive a password reset email I didn’t request?

Unexpected password reset emails don’t always mean your account has been hacked, but it’s important to know how to respond
Tom MorganSenior Consumer Writer

With over a decade of experience at Which?, Tom covers everything from tech advice to money-saving tips, and highlights the best deals during major sales events.

Resetting Facebook password

If you’ve received a password reset email you didn’t request, it could be a sign that someone else is trying to access your account without your permission.

In many cases, these emails are triggered when someone enters your address on a login page – either by mistake or as part of an automated attack using leaked passwords from other websites. This can happen with a wide range of accounts, including email services, social media, online shopping sites and online banking.

Below, we explain how to tell if the email is genuine, and what steps you should take next if you’re sure you didn’t make the request yourself.

Which? Tech Support package

Get tech help from humans

Solve your tech issues and get expert buying advice by chatting to our support team as often as you need. From only £4.99 a month.

Join Which? Tech Support

Already a Tech Support member? For more help and 1-2-1 technical advice, including buying advice, go to our Tech Support online booking tool.

Question of the month: Somebody is trying to reset my password – what should I do?

'I use Outlook and have just received an email from Microsoft saying I requested a password reset. This wasn’t me. I’m worried someone may have hacked my account. What should I do?'

Which? Tech Support member

Why did I receive a password reset email?

LinkedIn password reset email

Assuming you didn’t request a password reset yourself, there’s a chance someone is trying to access your account. For example, a hacker might target your email inbox so they can reset passwords for your other accounts.

But crucially, receiving a password reset email doesn’t mean the attempt was successful.

Instead, it could simply be a sign that your email address is being targeted. In some cases, these attempts are automated – cybercriminals often use lists of leaked usernames and passwords from previous data breaches to try logging into accounts across multiple websites.

It can also be something more harmless, such as someone accidentally entering your email address when trying to reset their own account.

As a precaution, you can check whether your email address has appeared in a known data breach using the website Have I Been Pwned.

Is the email a scam?

It could be. Scammers sometimes send fake password reset messages that appear to come from trusted companies such as Microsoft or Google.

These emails are designed to trick you into clicking a link and entering your details on a fake website. Check the sender’s address carefully and avoid clicking any links if you’re unsure. Scam emails often try to create a sense of urgency, so be wary of messages that push you to act quickly. 

If in doubt, go directly to the company’s official website instead.

For more details, check in with our guide on how to spot an email scam.

Get more from tech

free newsletter

Cut through the jargon with our free monthly Tech newsletter.

Our free Tech newsletter delivers tech-related content, along with other information about Which? Group products and services. We won't keep sending you the newsletter if you don't want it – unsubscribe whenever you want. Your data will be processed in accordance with our privacy notice.

What to do if you didn't request a password reset

1. Don't click any links in the email

If the message is a scam, the link could take you to a fake website designed to steal your login details. Instead, open a new browser window and enter the company’s web address yourself to access your account safely.

2. Check the sender's address

Look for anything unusual, such as misspellings, extra characters or a domain that doesn’t match the company’s official website. Be wary of addresses that look similar but use different endings (for example, .net instead of .com). You can also search the address online to see if other users have reported issues.

3. Check your account for unusual activity

Outlook location screen

Log in to your account directly (not via any links in the password reset email) and look for anything you don’t recognise, such as login attempts from unfamiliar locations or devices. Most services have a Security or Recent activity section where you can review this.

The exact steps will vary depending on the service you’re using. For example:

  • On Gmail – on desktop, scroll to the bottom of your inbox and click Details next to Last account activity. On mobile, open the Gmail app, tap your profile picture, then Manage your Google Account > Security and sign-in. Review the Recent security activity and Your devices headings.
  • On Outlook – on desktop, open your Outlook inbox, click the profile icon in the top-right corner and then My Microsoft account. From there, choose Security > See your sign-in activity.
  • On Facebook – on desktop, click your profile picture (top right), then go to Settings & privacy > Settings > Password and security, and check Where you’re logged in. On mobile, tap the menu (three lines), then go to Settings & privacy > Accounts Centre > Password and security > Where you’re logged in.

If you do spot an unknown device or suspicious login attempt, change your password immediately and log your account out of any devices you don’t recognise.

4. Secure your account

Change password on Outlook

Even if you don’t see any suspicious activity, it’s worth taking a few steps to strengthen your account security.

We suggest starting by ensuring your passwords are strong and unique. Avoid reusing passwords across different sites, as this makes it easier for attackers to gain access if your details are exposed in a data breach. See how to create secure passwords for more help.

Turn on two-factor authentication (2FA) if it’s available. Once enabled, it makes your accounts much harder to access without permission by requiring a second step when you sign in, such as entering a code sent to your phone or generated by an authenticator app. It’s also worth reviewing your account recovery settings, such as backup email addresses and phone numbers, to make sure they haven’t been changed without your knowledge.

If your account is protected with a strong password and 2FA, and you can’t see any unusual activity, it’s usually safe to ignore a one-off password reset email. However, repeated requests could indicate someone is trying to access your account, so it’s worth keeping an eye on things.

When you have a couple of minutes, we recommend working through our guide to phone apps you need to secure.

Join Which? Tech Support

Which? Tech Support package

Get tech help from humans

Solve your tech issues and get expert buying advice by chatting to our support team as often as you need. From only £4.99 a month.

Join Which? Tech Support

Which? Tech Support can help you keep on top of your home tech. Our experts explain things clearly so that you can resolve issues and feel more confident using your devices.

Get unlimited 1-2-1 expert support:

  • by phone – clear guidance on choosing, setting up, using and resolving issues with your home tech devices.
  • by email – outline the issue, and we’ll email you our answer.
  • by remote fix – we connect securely from our office to your home computer and resolve issues while you watch.
  • in print – Which? Tech magazine – six issues a year delivered to your door.

Join Which? Tech Support.

More on this