AshetraceGet assessment
A phone and laptop side by side on a dark desk, the two device surfaces where account session activity shows up.

Threat Intelligence

How do I know if someone is logged into my account?

To know if someone is logged into your account, open the account's security settings and read its list of active sessions and devices: each shows a device, a location and a last-active time, and any entry you don't recognize is a live intrusion you can end. Then check for quieter signs, such as new mail-forwarding rules, unfamiliar third-party apps or changed recovery details. One caution shapes all of it: a stolen session cookie can grant access with no password and no MFA prompt, so a silent account is not proof of a safe one. SpyCloud found 17.3 billion stolen session cookies circulating in 2024.

Key takeaways
  • The fastest check is the built-in active-sessions list. Google, Microsoft, Facebook, Instagram and GitHub all show every signed-in device and let you sign it out.
  • A stolen session cookie replays an already-authenticated session, so it skips the password and the MFA prompt. SpyCloud counted 17.3 billion of them in circulation in 2024.
  • No login alert is not proof of safety. Cookie replay produces no new sign-in, so absence of an alert can mask an active intruder.
  • Look past the login list. Attackers add mail-forwarding rules, grant malicious OAuth apps and change recovery methods to keep access after a password reset (CISA, Microsoft).
  • Stolen credentials are the top initial-access vector, used in 22% of breaches (Verizon 2025 DBIR), and median attacker dwell time is 11 days (Mandiant M-Trends 2025).

How do I know if someone is logged into my account?

Open the account's security page and read its active-sessions or devices list. Every major service keeps one, and it names each signed-in device, the rough location and when it was last active. Any session you can't place is the answer to the question, and you can end it on the spot. This matters because stolen credentials were the single top initial-access vector in 22% of breaches (Verizon 2025 DBIR).

The sessions list is the strongest signal, but it isn't the only one. Intrusions also leave secondary marks: a sign-in from a country you've never visited, a device model you don't own, mail that's been read or deleted, or a security email you never triggered. Treat the visible indicators below as a checklist, then confirm each one against the service's own session log.

  • Unknown devices or browsers in your account's device list.
  • Sessions from a city or country you haven't logged in from.
  • A new active session you didn't start, still showing as live.
  • Mail-forwarding rules or inbox rules you never created.
  • Unfamiliar connected or third-party (OAuth) apps with access.
  • Changed recovery email, phone or MFA method you didn't set.
  • Activity, sent mail or posts that don't appear in your own history.
22%Of breaches used stolen credentials as the initial-access vector (Verizon 2025 DBIR)
11 daysMedian attacker dwell time before discovery (Mandiant M-Trends 2025)
17.3BStolen session cookies circulating in 2024 (SpyCloud)

Where do I view active sessions and devices on each service?

Mandiant put the global median attacker dwell time at 11 days, so unnoticed access is common (Mandiant). Every major platform exposes a signed-in-devices page, usually two or three clicks inside security settings. Below is the exact path for the five accounts attackers target most. Each list lets you end a session you don't recognize, which immediately logs that device out.

Google

Go to your Google Account, open Security, then in the Your devices panel select Manage all devices. Google lists every device signed in now or recently; pick any you don't recognize and choose Sign out (Google Account Help).

Microsoft

Check the Recent activity page for each sign-in's date, location and type, then use Sign out everywhere on the Advanced security options page to end sessions on all devices within 24 hours (Microsoft Support).

Facebook and Instagram

Both live under Accounts Center then Password and security then Where you're logged in. The list shows each device and location with access, and you can log out of anything unfamiliar (Facebook Help, Instagram Help).

GitHub

Under Settings, open Sessions in the Access section to see active Web sessions and Revoke session on any you don't own. For a fuller picture, Security log lists every action on your account for the last 90 days (GitHub Docs).

Where the sign-in list lives on each service
Google Security → Your devices → Manage all devices → Sign out Microsoft Recent activity → Advanced security options → Sign out everywhere Facebook / Instagram Accounts Center → Password and security → Where you're logged in GitHub Settings → Access → Sessions → Web sessions → Revoke session
The active-sessions path for five commonly targeted accounts. Sources: vendor help docs, accessed July 2026.

Per-service deep-dives will follow, walking each of these platforms screen by screen. For now, the pattern holds everywhere: find the session list, read it, and revoke what you don't recognize.

If there was no login alert, does that mean I'm safe?

No. A missing alert is not proof of safety, because the most common quiet intrusion produces no new sign-in at all. When an attacker replays a stolen session cookie, they reuse a session you already authenticated, so no fresh login event fires and no MFA prompt appears. SpyCloud found 17.3 billion stolen session cookies circulating in 2024, letting attackers impersonate users without credentials, MFA or passkeys (SpyCloud).

This is why the sessions list beats the alert inbox. An alert depends on the service treating the access as new and unusual; a replayed cookie looks like your own continuing session. The active-sessions page, by contrast, shows the raw truth of what's connected right now, whether or not anyone was warned. Isn't the connection you can see more useful than the alert you never got?

It also explains why a password reset alone can fail. Rotating the password invalidates a secret the intruder may not be using. The stolen session token is a separate credential with its own lifetime, and it stays valid until it expires or you explicitly revoke it. Containment means ending the live sessions, not just changing the password.

How intruders get in
Breaches using stolen credentials for initial access (Verizon DBIR) 22% Intrusions with stolen credentials as initial vector (M-Trends) 16% Median attacker dwell time before discovery (M-Trends) 11 days
Initial-access vectors and dwell time. Sources: Verizon 2025 DBIR, Mandiant M-Trends 2025.

What are the quiet signs of intrusion beyond a strange login?

The persistence tricks. Once an attacker is in, the goal shifts from logging in to staying in, and those changes are subtler than a foreign sign-in. CISA has observed threat actors set up email-forwarding rules to quietly siphon a mailbox, searching messages for finance keywords and forwarding hits to their own accounts (CISA AR21-013a). Check your mail rules whenever a login looks off.

  • Mail-forwarding rules that copy your inbox to an outside address you don't own.
  • Inbox rules that auto-delete or file security alerts so you never see them.
  • Third-party OAuth apps you didn't authorize, still holding access to mail and files.
  • A recovery email, phone number or MFA app that has changed without your action.
  • Sent messages, password-reset emails or posts that are missing from your history.

OAuth consent is the one most people miss. An attacker can get a compromised account to grant a malicious app, and that app keeps its access even after you change the password. Microsoft warns that once consent is granted, the app has persistent access to resources like mailboxes and files, and revoking it takes explicit action (Microsoft Learn). Review connected apps as part of every check.

What should I do if I see a session I don't recognize?

Cut the session first, then close the doors it may have opened. Ending the unknown session logs that device out, but an attacker with dwell time has usually planted persistence, and median dwell time is 11 days (Mandiant M-Trends 2025). Work the list below in order so a reset doesn't leave a live token or a hidden rule behind.

  • Revoke the unrecognized session and use the service's sign-out-everywhere option to kill all live sessions at once.
  • Change the password only after sessions are revoked, so the old token can't outlive the reset.
  • Re-enroll MFA and check that the recovery email, phone and second factor are all yours.
  • Delete any forwarding or inbox rules and remove OAuth apps you don't recognize (see MITRE ATT&CK T1114.003 for the forwarding technique).
  • Review the account's security log or recent activity for what the intruder touched while they had access.

For an organization, one account is rarely the whole story. If credentials leaked from an infostealer infection, the same person's saved logins, cookies and tokens for other corporate systems leaked in the same sweep, and none of that shows in a single account's session list. This is the exposure Ashetrace is built to surface: you verify a domain you control and get a scoped view of which identities are already exposed, without handing over any passwords, cookies or tokens.

So the practical answer stays simple. Read the sessions list to see who's connected, don't trust the silence of a missing alert, and check the forwarding rules, connected apps and recovery settings that let an intruder linger after you think they're gone.

Frequently asked

How do I know if someone is logged into my account?

Open the account's security settings and read its active-sessions or devices list. It names each signed-in device, a rough location and a last-active time, and any entry you don't recognize is a live session you can end. Stolen credentials drive 22% of breaches (Verizon 2025 DBIR), so check often.

Where do I see active sessions on Google, Microsoft or Facebook?

Google: Security then Manage all devices. Microsoft: Recent activity plus Sign out everywhere in Advanced security options. Facebook and Instagram: Accounts Center then Password and security then Where you're logged in. Each list lets you sign out any device you don't recognize (vendor help docs, accessed July 2026).

Can someone access my account without a login alert?

Yes. A stolen session cookie replays an already-authenticated session, so no new sign-in event fires and no MFA prompt appears. SpyCloud found 17.3 billion stolen session cookies circulating in 2024, letting attackers impersonate users without credentials, MFA or passkeys. A silent account is not a safe one.

Why isn't changing my password enough?

A password reset invalidates the password, but a stolen session token is a separate credential that stays valid until it expires or is explicitly revoked. Attackers also plant forwarding rules and OAuth apps that survive a reset. Median dwell time is 11 days (Mandiant M-Trends 2025), so revoke sessions and check persistence too.

What quiet signs point to a compromised account?

Watch for mail-forwarding rules, inbox rules that hide alerts, unfamiliar OAuth apps, and changed recovery or MFA settings. CISA observed attackers using forwarding rules to siphon mailboxes (AR21-013a), and Microsoft warns malicious OAuth apps keep access even after a password change.

Sources
  1. Google, See devices with account access
  2. Microsoft, How to sign out of your Microsoft account everywhere
  3. Meta (Facebook), Where you're logged in
  4. Meta (Instagram), View your recent Instagram login activity
  5. GitHub, Viewing and managing your sessions
  6. GitHub, Reviewing your security log
  7. CISA, AR21-013a: Strengthening Security Configurations to Defend Against Attackers Targeting Cloud Services (2021)
  8. MITRE ATT&CK, Email Forwarding Rule (T1114.003)
  9. Microsoft, Detect and remediate illicit consent grants
  10. SpyCloud, 2025 Annual Identity Exposure Report (2025)
  11. Verizon, 2025 Data Breach Investigations Report (DBIR) (2025)
  12. Mandiant (Google), M-Trends 2025 (2025)
Share

Start here

See what is still exposed in your environment

Verify a corporate domain and get a scoped exposure assessment. No passwords, cookies or tokens handed over.

Request an exposure assessment