Compromised accounts

How can I check if my account has been compromised?

If you think your account may have been compromised, but you're not sure, it may help to follow these steps.

Login Log

It’s a good idea to periodically review your Login Log for any suspicious logins. This page shows the full history of every time your account was accessed over the last four weeks. Logins cannot be edited or deleted from the Login Log.

To view your Login Log, follow these steps:

  1. Go to Settings → Privacy & Security.
  2. Find the Logged in sessions section and click Review access.
  3. Click View all logins in the last 4 weeks.

The Login Log will show you:

  • Service: What service accessed your account (i.e. web, IMAP, CalDAV).
  • Login result: Whether the login was a successful or failed attempt.
  • IP: The IP address of the login.
  • Date: The date and time of the login.
  • Count: How many times this type of login has occurred.
  • Detail: The device or verification method used.

Look for any logins you don't recognize, such as logins in other cities or countries, or logins at times when you weren’t on your account.

Logged In Sessions

Check your Logged In Sessions for any suspicious sessions. On your Settings → Privacy & Security screen, the Logged In Sessions section shows all sessions where your account is currently logged in and allows you to remotely log out of any that you don't recognize, such as sessions in other cities or countries, or sessions on devices that are not yours.

Account recovery options

Make sure your account recovery options are correct. On your Settings → Privacy & Security screen, the Account recovery section shows all recovery options that have been added to your account. If you see an email address or phone number that you don’t recognize as a recovery option, click Manage recovery options and remove it right away. It’s also important to periodically review your recovery options to make sure they are up-to-date in case you are ever unable to access your account.

I see suspicious logins in my Login Log

If you see logins in your Login Log that you don’t recognize, first check to see if the logins say FAIL or SUCCESS. FAIL indicates that the login attempt was not successful and your account was not accessed, while SUCCESS indicates that the login was successful.

Below are some common scenarios that might help you understand successful suspicious logins. If you’re concerned about failed suspicious logins, we recommend viewing this page.

There are logins are from other locations

Seeing successful logins from other cities or countries can be an indicator that a spammer has stolen your login details and accessed your account. When this happens, it’s important to cut off outside access to your account and make sure they cannot regain access by using these steps:

  • Change your password immediately. This automatically cuts off logged in sessions and prevents future unauthorized access, as the spammer no longer has your password.
  • Review your Settings → Privacy & Security page. Check for recovery options (email addresses or phone numbers) that are not yours or app passwords you don’t recognize. If you see an email address, phone number, or app password that you don’t recognize, remove it right away.
  • Look into additional ways you can keep your account safe from future spammers, such as 2FA or a password manager.

This login is from a town nearby

Locations based on IP address are approximate. Location detection when connected on mobile networks can be even less accurate based on the nearest cell tower. It's not uncommon for the nearest cell tower to be in a different city within an approximate 30-45 mile radius. This usually explains login log entries occurring in other cities that are nearby. Login logs can also show other cities if you access your account while connected to the wifi for a large organization that would have its own network, such as a hospital or university.

I don’t remember logging in at the time shown here

Check if the login says IMAP on the left side. If so, this means that the “login” was a connection through a program using IMAP, such as an email app (Mail, Spark, etc.) or an email client (Outlook, Thunderbird, Mac Mail, etc.). Most likely, an IMAP login at an unexpected time shows that a mail client/app you use was connecting to the server to see if you received new mail.

I left my account logged in on a public computer

You can remotely log out of any device you are currently logged into. On your Settings → Privacy & Security screen, the Logged In Sessions section shows all sessions where your account is currently logged in and allows you to remotely log out of any that you don't recognize, such as sessions in other locations, or sessions on devices that are not yours.

I think my account details have been stolen

You may have other reasons to believe your account details have been stolen. If you're worried about the security of your account, it's a good idea to follow the steps below.

  1. Scan your computers for malware using software from a reputable company. One way that accounts are commonly compromised is through key-logging malware.
  2. If you can still log in, change your password immediately. This automatically cuts off logged in sessions and prevents future unauthorized access from anyone who might have stolen your previous account details.
  3. Once you have access to your account, we highly recommend enabling two-step verification to make it a lot harder for your account to be compromised.
Was this article helpful?
130 out of 175 found this helpful