This is a relatively common question. Other recent examples include “Someone is using my Gmail account to steal my data on a game. How do I get rid of him?” from Rodimus Ghost, and “My daughter is using my Gmail account. How do I stop her?” I don’t recall getting these queries about other email services.
My usual response is: “How do you know?”
There might be emails in the Sent Mail folder that you didn’t write, though hackers can cover their tracks by deleting copies of sent emails. However, incoming emails are not an indicator. I’ve had emails from Instagram, GoCompare, Barclaycard Business, Apple, Prattville YMCA and many other organisations where people have entered my Gmail address, probably by mistake. It doesn’t mean they have accessed my account.
The best way to tell if someone else has used your account is to scroll down the Gmail inbox and look for “Last account activity” in the bottom right. Clicking on Details produces a nice table that shows how someone accessed the account (browser, mobile, POP3 etc), their IP address, and the date and time. You should recognise any sessions that aren’t yours.
In fact, Gmail will, by default, notify you of any unusual activity. You may get an alert if you log on with a new device or from a different country. These alerts can be annoying but they increase your security. Don’t turn them off.
You can also check the Recently used devices page, which lists all the PCs, phones and tablets used in the previous 28 days. Again, it should be obvious if any of them are not yours.
There are simple ways to read someone else’s emails without leaving obvious traces. These are controlled from Gmail’s Settings, which you can find by clicking the cogwheel in the top right.
On the Settings page, click Accounts and Import and go to the penultimate entry: “Grant access to your account”. Someone could click “Add an email account”, enter another Gmail address, and access your emails from that account. They can keep these emails marked as Unread even if they’ve read them.
Next, click Forwarding and POP/IMAP and review the top section on mail forwarding.
Email services allow users to forward all incoming emails to another email address, and I think everyone should do this. I have Gmail forward all my emails to my account at Microsoft’s Outlook.com. As a result, I can still read and reply to emails even if Gmail is inaccessible. Further, if Gmail locked me out, I’d still have copies of emails going back to April 2004.
So, if you can access someone’s mailbox, you can set up mail forwarding to an address that you control, and they’ll probably never notice. Make sure nobody has done that to you.
If you only read Gmail in a web browser, you could also disable the POP and IMAP access features. This would provide a small increase in security, but I don’t recommend it. In fact, there are advantages to using a PC email program such as Microsoft Outlook, Thunderbird or eM Client to collect Gmail using the IMAP protocol. These programs have more features than the web version of Gmail, and they store emails on your PC so that you can easily access them offline. IMAP leaves the original emails online, so you can still access them using different devices. (Yes, you can also install “Gmail Offline” via the Offline tab.)
Remember to save any changes before switching tabs.
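As an added illustration (not part of the original column), the checks above on delegated access, forwarding and POP/IMAP can be written as a small Python audit over a snapshot of mailbox settings. The field names are modelled on the Gmail API settings resources, which is an assumption, and every address and value is constructed sample data.

```python
# Added example: audit a settings snapshot for silent read access.
# Field names modelled on Gmail API settings resources (assumption);
# all addresses and values below are constructed sample data.

def audit_mailbox(settings, trusted):
    """Return (kind, subject, detail) findings for the owner to review."""
    trusted = {a.lower() for a in trusted}
    findings = []

    # "Grant access to your account": each delegate can read the mailbox.
    for d in settings.get("delegates", []):
        addr = d.get("delegateEmail", "").lower()
        if addr not in trusted:
            findings.append(("delegate", addr, d.get("verificationStatus", "unknown")))

    # Forwarding: when enabled, incoming mail is copied to this address.
    fwd = settings.get("autoForwarding", {})
    addr = fwd.get("emailAddress", "").lower()
    if fwd.get("enabled") and addr not in trusted:
        findings.append(("auto-forward", addr, fwd.get("disposition", "unknown")))

    # Registered forwarding addresses matter even while forwarding is off.
    for f in settings.get("forwardingAddresses", []):
        addr = f.get("forwardingEmail", "").lower()
        if addr not in trusted:
            findings.append(("forwarding-address", addr, f.get("verificationStatus", "unknown")))

    # POP/IMAP are legitimate, but should match how you actually read mail.
    if settings.get("imap", {}).get("enabled"):
        findings.append(("protocol", "imap", "enabled"))
    window = settings.get("pop", {}).get("accessWindow", "disabled")
    if window != "disabled":
        findings.append(("protocol", "pop", window))
    return findings

TRUSTED = ["owner.backup@outlook.example"]  # the owner's own backup address
SAMPLE = {
    "delegates": [{"delegateEmail": "Stranger@gmail.example", "verificationStatus": "accepted"}],
    "autoForwarding": {"enabled": True, "emailAddress": "drop@mail.example",
                       "disposition": "leaveInInbox"},
    "forwardingAddresses": [
        {"forwardingEmail": "owner.backup@outlook.example", "verificationStatus": "accepted"},
        {"forwardingEmail": "drop@mail.example", "verificationStatus": "accepted"}],
    "imap": {"enabled": True},
    "pop": {"accessWindow": "disabled"},
}

if __name__ == "__main__":
    for kind, subject, detail in audit_mailbox(SAMPLE, TRUSTED):
        print(f"REVIEW {kind}: {subject} ({detail})")
```

The allowlist reflects the point that forwarding to your own second account is fine; only addresses you do not recognise are flagged.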
Once you are sure your mailbox is not being hacked, change your password to keep other people out.
In Gmail, go back to Accounts and Import and click “Change password”.
Choose a strong password or passphrase that includes numbers and upper-case characters. Gmail requires at least eight characters, but aim for 12 or 16 or even more. Longer is better. It won’t be random, unless you use a password manager, but avoid family names, names of pets, birthdays, sports teams and other obvious elements.
For convenience, your browser or email program can remember your password. If you allow this, your email is only as secure as your PC. Anyone who can access your PC can access your email.
Nowadays, of course, the simplest way to hack someone’s email is to use a phishing attack. In this case, someone sends you a link in an email that pretends to come from Google. Clicking the link opens a browser tab where “Google” asks you to log in with your email address and password. The attacker harvests the results.
If you’re going to leave your PC unattended or fall for a phishing attack, it doesn’t matter how strong your password is.
Do the two-step
If someone can access your Gmail account, they can change your password and lock you out. You can prevent this by using “two-step verification”. With Gmail, this usually means Google will text a code to your mobile phone. This is fine until you don’t have a signal or lose your phone. Gmail therefore asks for a back-up phone number. (Landlines work: you get a voice message.) Gmail also allows you to print out a small set of verification numbers that you can use when travelling.