Privacy Tools Guide

A compromised email account is a skeleton key. Attackers use it to reset passwords on every other account, read private correspondence, and impersonate you. Most breaches go unnoticed for weeks or months.

This guide gives you concrete methods to detect compromise, investigate the extent of damage, and lock things down.

Signs Your Email May Be Compromised

Any single one of these warrants immediate investigation.

Step 1: Check Breach Databases

Start with publicly known breaches. Your credentials may have leaked from a third-party service where you reused the same password.

Have I Been Pwned

# Query via API (the v3 breachedaccount endpoint requires an HIBP API key)
# An HTTP 404 response means the address appears in no known breach
curl -s "https://haveibeenpwned.com/api/v3/breachedaccount/your@email.com" \
  -H "hibp-api-key: YOUR_API_KEY" | python3 -m json.tool

Or visit https://haveibeenpwned.com directly. Enter your email and check every listed breach.

For each breach, note:

Check Your Password Directly

HIBP also lets you check if a specific password appears in breach data without sending the password itself (uses k-anonymity):

# Hash your password with SHA-1 and send only the first 5 hex chars to HIBP
printf '%s' "yourpassword" | sha1sum | cut -c1-40 | tr '[:lower:]' '[:upper:]'
# Take the first 5 chars of the output, e.g. "2B3A8"; the remaining 35 chars stay on your machine

curl -s "https://api.pwnedpasswords.com/range/2B3A8"
# Returns every 35-char hash suffix sharing that prefix, with how many times each appeared in breaches;
# compare the suffixes against your remaining 35 chars

If your full SHA-1 hash suffix appears in the results with a non-zero count, change that password immediately.
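
The same k-anonymity check done end to end, as an added example that is not part of the original guide: the password is hashed locally, only the 5-character prefix is sent, and the returned suffix list is parsed for a match. The range response below is a constructed sample in the real SUFFIX:COUNT format (the breach counts in it are made up); only the live lookup function touches the network, and padded responses can contain count-0 lines, which is why the code checks the count rather than mere presence.

```python
import hashlib
import urllib.request  # only used by the optional online lookup

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Hash the password with SHA-1 (uppercase hex) and split it into the
    5-char prefix that is sent to HIBP and the 35-char suffix that never
    leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def match_count(range_body: str, suffix: str) -> int:
    """Parse a /range response ("SUFFIX:COUNT" per line) and return the
    breach count for our suffix, or 0 if it is absent.  With padding enabled
    the API adds decoy lines with count 0, so test the count, not presence."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def check_password_online(password: str, timeout: float = 10.0) -> int:
    """Live lookup (requires network; not exercised by the tests)."""
    prefix, suffix = sha1_prefix_suffix(password)
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"User-Agent": "compromise-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return match_count(resp.read().decode("utf-8"), suffix)


# Constructed sample response for prefix 5BAA6 (SHA-1("password") starts with
# 5BAA6); real responses run to several hundred lines and the counts here are invented.
SAMPLE_RANGE_5BAA6 = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
1F4F8DDB4F1CCDB7BF7FFF0D4A7D1C4D3A9:0
"""

if __name__ == "__main__":
    prefix, suffix = sha1_prefix_suffix("password")
    print(prefix, match_count(SAMPLE_RANGE_5BAA6, suffix))  # 5BAA6 12345
```

Run the script to see the offline check on the sample data; call check_password_online("yourpassword") for a live query, and treat any count above zero as a password to retire.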

Step 2: Review Active Sessions

Every major email provider lets you view active sessions. Check these first.

Gmail

  1. Scroll to the bottom of the Gmail inbox
  2. Click “Details” next to “Last account activity”
  3. A popup shows all recent sessions with IP addresses, device types, and timestamps

Look for:

If anything looks wrong, click “Sign out all other web sessions.”

Proton Mail

Settings > Security > Active sessions — lists all devices with last activity timestamps.

Outlook / Microsoft

Visit https://account.microsoft.com/security and check “Review recent activity.” Microsoft shows login locations on a map.

Check via CLI for Self-Hosted Mail

If you run your own mail server, check auth logs:

# Postfix/Dovecot auth attempts (log paths vary by distribution; adjust as needed)
sudo grep "authentication failed\|login" /var/log/mail.log | tail -100

# Failed IMAP logins; "rip=" in each line is the remote IP that attempted the login
sudo grep "imap-login" /var/log/dovecot.log | grep "Aborted login\|Disconnected" | tail -50
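
Grepping shows the raw lines; what you actually want to know is which remote IPs failed, which succeeded, and whether any IP did both (a guessed or stolen password in use). The following is an added example, not part of the original guide: it tallies Dovecot imap-login/pop3-login lines per remote IP and flags successful logins from unfamiliar addresses. The log lines are constructed samples in Dovecot's format using RFC 5737 test addresses, and known_ips is a set you would fill with your own usual addresses.

```python
import re
from collections import Counter

# Dovecot imap-login / pop3-login lines; rip= is the remote (client) IP.
LOGIN_OK = re.compile(
    r"(?:imap|pop3)-login: Login: user=<(?P<user>[^>]*)>.*?rip=(?P<ip>[0-9a-fA-F.:]+)")
LOGIN_FAIL = re.compile(
    r"(?:imap|pop3)-login: (?:Aborted login|Disconnected) \(auth failed, (?P<n>\d+) attempts?[^)]*\)"
    r": user=<(?P<user>[^>]*)>.*?rip=(?P<ip>[0-9a-fA-F.:]+)")


def summarize_auth(lines, known_ips):
    """Tally failed and successful logins per remote IP and flag
    (a) successful logins from IPs not in known_ips and
    (b) IPs that failed and then succeeded, the signature of a guessed password."""
    failures = Counter()
    successes = Counter()
    unfamiliar = []
    for line in lines:
        m = LOGIN_FAIL.search(line)
        if m:
            failures[m["ip"]] += int(m["n"])
            continue
        m = LOGIN_OK.search(line)
        if m:
            successes[m["ip"]] += 1
            if m["ip"] not in known_ips:
                unfamiliar.append((m["user"], m["ip"]))
    failed_then_ok = sorted(ip for ip in successes if failures[ip] > 0)
    return {
        "failed_attempts_by_ip": dict(failures),
        "successful_logins_by_ip": dict(successes),
        "unfamiliar_successes": unfamiliar,
        "failed_then_succeeded": failed_then_ok,
    }


# Constructed sample log lines in Dovecot's format (RFC 5737 test addresses).
SAMPLE_LOG = """\
Mar  3 09:12:01 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.45, lip=10.0.0.5, mpid=1201, TLS, session=<a1>
Mar  3 10:15:02 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts in 10 secs): user=<alice>, method=PLAIN, rip=198.51.100.7, lip=10.0.0.5, TLS, session=<b2>
Mar  3 10:15:40 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=198.51.100.7, lip=10.0.0.5, TLS, session=<c3>
Mar  3 10:16:00 mail postfix/smtpd[2211]: connect from unknown[192.0.2.9]
Mar  3 10:16:12 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.7, lip=10.0.0.5, mpid=1388, TLS, session=<d4>
""".splitlines()

if __name__ == "__main__":
    import json
    print(json.dumps(summarize_auth(SAMPLE_LOG, known_ips={"203.0.113.45"}), indent=2))
```

On a real server, feed it the file instead of the sample: summarize_auth(open("/var/log/mail.log"), known_ips={...}). An entry in failed_then_succeeded is the line to act on first.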

Step 3: Check for Email Forwarding Rules

Attackers frequently set up silent forwarding rules so they keep receiving your email even after you change your password.

Gmail

Settings > “See all settings” > Forwarding and POP/IMAP tab

Also check Filters and Blocked Addresses — attackers sometimes create filters that auto-forward specific messages or delete security alerts.

Outlook

Settings > Mail > Forwarding — should be disabled.

Settings > Mail > Rules — look for any rules you didn’t create, especially ones that forward, delete, or move emails.

Check via Gmail API

import googleapiclient.discovery
from google.oauth2.credentials import Credentials

# Requires Google API credentials setup; token.json must have been issued with a
# scope that covers settings, e.g. https://www.googleapis.com/auth/gmail.settings.basic
creds = Credentials.from_authorized_user_file('token.json')
service = googleapiclient.discovery.build('gmail', 'v1', credentials=creds)

# List forwarding addresses registered on the account (any you did not add is a red flag)
result = service.users().settings().forwardingAddresses().list(userId='me').execute()
for addr in result.get('forwardingAddresses', []):
    print(addr)

# List filters; inspect each filter's 'action' for 'forward', 'removeLabelIds' and 'addLabelIds'
filters = service.users().settings().filters().list(userId='me').execute()
for f in filters.get('filter', []):
    print(f)
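
Printing raw filter objects still leaves you reading JSON by eye. As an added example (not part of the original guide), the functions below audit filters in the shape the Gmail API returns them (criteria plus an action with forward, addLabelIds and removeLabelIds) and the users.settings.getAutoForwarding resource (enabled, emailAddress, disposition), flagging anything that forwards, hides or buries mail or that matches security-related messages. The filter and auto-forwarding objects at the bottom are constructed samples, and allowed_forwards is your own list of addresses that are supposed to receive forwarded mail.

```python
# Gmail system label ids: removing INBOX/UNREAD hides mail, adding TRASH/SPAM buries it.
HIDING_REMOVALS = {"INBOX", "UNREAD"}
BURYING_ADDITIONS = {"TRASH", "SPAM"}
# Terms a hostile filter commonly matches so that security mail never reaches you.
SECURITY_TERMS = ("password", "security alert", "verification", "sign-in", "new device")


def audit_filters(filters, allowed_forwards=()):
    """Return findings for filters that forward, hide or bury mail, or that
    target security-related messages.  `filters` is the list under the
    "filter" key of users.settings.filters.list."""
    findings = []
    for flt in filters:
        action = flt.get("action", {})
        criteria = flt.get("criteria", {})
        reasons = []

        forward_to = action.get("forward")
        if forward_to and forward_to not in allowed_forwards:
            reasons.append(f"forwards matching mail to {forward_to}")

        hidden = HIDING_REMOVALS & set(action.get("removeLabelIds", []))
        if hidden:
            reasons.append("hides mail (removes " + ", ".join(sorted(hidden)) + ")")

        buried = BURYING_ADDITIONS & set(action.get("addLabelIds", []))
        if buried:
            reasons.append("buries mail (adds " + ", ".join(sorted(buried)) + ")")

        criteria_text = " ".join(str(v) for v in criteria.values()).lower()
        if any(term in criteria_text for term in SECURITY_TERMS):
            reasons.append("matches security-related mail")

        if reasons:
            findings.append({"id": flt.get("id"), "criteria": criteria, "reasons": reasons})
    return findings


def audit_auto_forwarding(auto_forwarding, allowed_forwards=()):
    """Check the getAutoForwarding resource; return a finding string, or None
    when forwarding is off or points at an address you expect."""
    if not auto_forwarding.get("enabled"):
        return None
    target = auto_forwarding.get("emailAddress", "")
    if target in allowed_forwards:
        return None
    disposition = auto_forwarding.get("disposition", "unknown disposition")
    return f"account-wide forwarding enabled to {target} ({disposition})"


# Constructed sample data in the Gmail API resource shapes.
SAMPLE_FILTERS = [
    {"id": "f1", "criteria": {"from": "newsletter@example.org"},
     "action": {"addLabelIds": ["Label_12"]}},
    {"id": "f2", "criteria": {"query": "password OR \"security alert\" OR verification"},
     "action": {"removeLabelIds": ["INBOX", "UNREAD"], "addLabelIds": ["TRASH"]}},
    {"id": "f3", "criteria": {"from": "@examplebank.example"},
     "action": {"forward": "unknown-address@example.net"}},
]
SAMPLE_AUTO_FORWARDING = {"enabled": True, "emailAddress": "unknown-address@example.net",
                          "disposition": "archive"}

if __name__ == "__main__":
    for finding in audit_filters(SAMPLE_FILTERS):
        print(finding["id"], "->", "; ".join(finding["reasons"]))
    print(audit_auto_forwarding(SAMPLE_AUTO_FORWARDING))
```

With the API client from the block above, pass filters.get('filter', []) to audit_filters and service.users().settings().getAutoForwarding(userId='me').execute() to audit_auto_forwarding. A filter that both hides and buries mail matching "password" is the classic pattern for suppressing the reset and alert emails you would otherwise notice.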

Step 4: Check Connected Apps and OAuth Grants

A compromised account may have authorized malicious third-party apps that maintain access even after you change your password.

Gmail OAuth Apps

Visit https://myaccount.google.com/permissions

Revoke anything you don’t recognize or no longer use.

Microsoft

Visit https://account.microsoft.com/privacy/app-access

General approach

For any suspicious OAuth app:

  1. Revoke the app’s access immediately
  2. Note what data the app had access to (mail, contacts, calendar)
  3. Assume that data has been copied

Step 5: Examine Recent Account Activity

Gmail Activity Log

Gmail’s full activity log is at https://myactivity.google.com — this shows searches, reads, and interactions with your Google account.

Download Your Data

Request a complete export of your account data to check what’s there:

This gives you a baseline of what an attacker could have accessed.

Check Sent Folder

# If using Thunderbird or similar with local storage, search for unauthorized sent mail
grep -r "From: your@email.com" ~/.thunderbird/*/Mail/*/Sent* | tail -50

Step 6: Check for Credential Leaks on Paste Sites

Credentials sometimes appear on paste sites like Pastebin before they’re indexed by HIBP.

Use Google dorking:

site:pastebin.com "your@email.com"
site:rentry.co "your@email.com"

Also search your username, not just email address.

Step 7: Secure the Account

Once you’ve identified a compromise:

  1. Change your password immediately — use a password manager to generate a 20+ character random password
  2. Enable two-factor authentication — hardware key (YubiKey) or TOTP app, not SMS
  3. Sign out all other sessions — invalidates any stolen session tokens
  4. Remove unauthorized forwarding rules and filters
  5. Revoke unknown OAuth apps
  6. Check your recovery email and phone number — attackers change these to lock you out
  7. Alert your contacts — let them know if you sent spam
  8. Check other accounts — if the same password was used elsewhere, change all of them
  9. File a report with your email provider if you suspect targeted attack

Ongoing Monitoring

Set up monitoring to catch future compromise faster:

# HIBP API access requires a paid subscription; this call only reports whether
# your subscription is active. Breach notifications for your address are set up
# separately on the "Notify me" page at https://haveibeenpwned.com
curl -s "https://haveibeenpwned.com/api/v3/subscriptionstatus" \
  -H "hibp-api-key: YOUR_API_KEY"
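
If you hold an API key, the breachedaccount endpoint from Step 1 can be polled on a schedule and diffed against the last result, so that only new breaches raise an alert. The following is an added example, not part of the original guide: the diff and baseline handling are pure functions you can test offline, the live fetch maps HIBP's 404 (address in no breach) to an empty list, and the breach names at the bottom are constructed placeholders rather than real breach entries.

```python
import json
import urllib.error
import urllib.parse
import urllib.request
from pathlib import Path

HIBP_BREACHED_ACCOUNT = "https://haveibeenpwned.com/api/v3/breachedaccount/"


def new_breaches(current_breaches, baseline_names):
    """Return names of breaches in the current HIBP response that were not in
    the saved baseline.  `current_breaches` is the JSON list returned by
    breachedaccount (each item carries at least a "Name")."""
    current = {b["Name"] for b in current_breaches}
    return sorted(current - set(baseline_names))


def load_baseline(path):
    """Breach names seen on previous runs; empty on the first run."""
    p = Path(path)
    return set(json.loads(p.read_text())) if p.exists() else set()


def save_baseline(path, names):
    Path(path).write_text(json.dumps(sorted(names)))


def fetch_breaches(email, api_key, timeout=10.0):
    """Live lookup (requires network and an API key; not exercised by the tests).
    HIBP answers 404 when the address appears in no breach."""
    req = urllib.request.Request(
        HIBP_BREACHED_ACCOUNT + urllib.parse.quote(email),
        headers={"hibp-api-key": api_key, "User-Agent": "compromise-check-example"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as e:
        if e.code == 404:
            return []
        raise


def check_and_update(current_breaches, baseline_path):
    """One monitoring cycle: report what is new, then record the current state
    so the next cycle only alerts on further additions."""
    baseline = load_baseline(baseline_path)
    fresh = new_breaches(current_breaches, baseline)
    save_baseline(baseline_path, baseline | {b["Name"] for b in current_breaches})
    return fresh


# Constructed sample: a saved baseline and a current response in HIBP's shape.
SAMPLE_BASELINE = ["ExampleBreachOne", "ExampleBreachTwo"]
SAMPLE_CURRENT = [{"Name": "ExampleBreachOne"}, {"Name": "ExampleBreachTwo"},
                  {"Name": "ExampleBreachThree"}]

if __name__ == "__main__":
    print(new_breaches(SAMPLE_CURRENT, SAMPLE_BASELINE))  # ['ExampleBreachThree']
```

A cron job running check_and_update(fetch_breaches("your@email.com", API_KEY), "~/.hibp-baseline.json") and mailing or pushing any non-empty result gives you the alert that the subscriptionstatus call alone does not.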

Also enable login notifications in your email provider’s security settings — most providers can email or push-notify you on new sign-ins from unfamiliar devices.

Built by theluckystrike — More at zovo.one