What are the steps to take if my personal email has been hacked?

The first thing that you need to do is log into your email account and change the password.

You should always take that as the first action in case you’ve got a very malicious hacker (unusual) who wants to take over your account and keep you out of it. Most spammers only want to “use” the account, but they don’t care if you can, too.

So sign in now and change the password, and use a “secure” password that’s composed of a combination of uppercase, lowercase, numerals and “special characters”, as allowed by the system.

You also might want to consider using 2-factor authentication.

Change the password to something strong. Before changing the password, clear the viruses or malware. Notify your friends and family as soon as possible and warn them not to open any mail from you email id. In case you are using the same password for other accounts like Facebook or Twitter better change that too.

Also, check your settings (mail forwarding, filters, etc) to make sure nothing has been setup to divert your mail.

Are you sure the email came from AOL? Hover your mouse over the link and verify that it really was AOL. It can be a Phishing attempt. If it is, NOW they have your password. Change it again. ASAP!

I get emails like that every week from people pretending to be Yahoo, Gmail, My bank, etc. I never click on the link ! I forward the email to the appropriate agency and then delete.

I just went on the AOL account settings and changed password again, today and changed security question. I also did the 2-factor authentication, as per @hominid.

That will help. When you received the “unusual activity” email did you click the link they included? If yes, sadly that was the time you gave them access to your email address list and old emails.
Now your contacts will be receiving invitations to russian porn sites and other scams.
Slime bags.

Check the full header of the suspicious emails you received. It might not be immediately obvious how to view them; in this case you will have to contact your email provider to find out how to see them.
Some spammers and dumb bots will attempt to ‘spoof’ their email address by supplying a different one in the From: field of the header. A careful reading of the header will reveal a different story. For more information:

http://www.arclab.com/en/amlc/how-to-read-and-analyze-the-email-header-fields-spf-dkim.html

The message routing might well reveal that the spam messages are not coming from your own email after all, and from whence they do come. Once you have that information you can report them to your ISP and to SpamCop.

Even if this is the case, you should still change your password anyway.

When making a new password – to avoid getting hacked again – try going for a minimum password length of 12 to 14 (I prefer 14) characters if permitted, avoid passwords based on repetition, dictionary words, letter or number sequences, usernames, relative or pet names, past and current romantic links, or biographical information (i.e., ID numbers, ancestors’ names or dates, this all is probably the BIGGEST no-no),and you should try to include numbers and symbols in password if allowed.

And do try to avoid using the same password for multiple sites.

That email regarding changing your email…. may be the source of the whole problem. I know gmail recently had a scam email going about asking to do something similar.

http://www.huffingtonpost.com/2014/03/18/gmail-scam-phishing_n_4986510.html

I love the idea of 2-factor authentication, @hominid, but I have one huge problem with it. If I travel overseas my phone won’t work there. So if I do set up the 2-factor authentication – and then travel overseas at some point and require another computer to log in (and that’s the most likely place that I might, for example, run up against a broken or stolen or just not-with-me computer and have to sign in from someone else’s) then I could never take the call to complete the authentication.

Otherwise it seems like a great idea.