Can I ignore a suspicious login alert if I think it was me?

Yes, if the details match your actual activity. If you logged into your Google account from a new laptop, traveled recently, or connected via VPN (which changes your apparent location), the alert is precautionary. Most services include a 'This was me' link to dismiss it. If you're genuinely uncertain — the location is plausible but you don't remember logging in — it's worth checking your active sessions page to confirm the device is one you recognize.

How did someone get my password if I never shared it?

Passwords are most commonly obtained through: data breaches (a service you use was hacked and your credentials were leaked — check haveibeenpwned.com with your email), phishing (you entered your credentials on a fake login page), credential stuffing (attackers try username/password combinations from leaked databases against other services), or malware on a device that captured keystrokes. Haveibeenpwned.com will tell you if your email has appeared in known data breaches.

What should I do if the suspicious login alert was for my email account?

Email is the highest-priority account to secure because it's used for password recovery on everything else. Change the password immediately, enable 2FA, check the Sent folder for emails you didn't write (attackers sometimes use compromised email to send phishing messages or reset other account passwords), check for any forwarding rules that might be silently copying your email to an attacker's address (Settings > Forwarding), and check that the recovery email and phone number haven't been changed.

Does a VPN trigger suspicious login alerts?

Yes — VPNs change your apparent IP address and therefore your apparent geographic location. If your account normally sees logins from New York and you connect via a VPN server in Amsterdam, the service may generate a suspicious login alert because the location changed dramatically. This is a false positive. If you use a VPN regularly, the alerts will become less frequent as the service learns the VPN's IP range as a familiar location.

Got a Suspicious Login Alert? Here’s What to Do

Most alerts are precautionary — triggered by a new device or VPN. But a small number are real threats. Here’s how to tell which and what to do.

Quick Answer

✓Check the alert details — most show a device type, location, and time. If it matches something you actually did (including browsing via VPN), no action is needed.
✓If you don't recognize the activity, change the account password immediately — don't wait to investigate further first.
✓Enable two-factor authentication if you haven't already — this is the most effective step to prevent unauthorized access even if your password is known.
✓If you reuse this password on other accounts, change it there too — password reuse is how one compromised account becomes many.

What Triggers These Alerts

You logged in from a new device, browser, or location

Most Likely

Most online services track logins by device fingerprint, browser, and approximate IP-based location. Any login that differs from your usual pattern — a new phone, a different browser, a work computer, or even using a VPN that changes your apparent location — can trigger a precautionary alert. The vast majority of suspicious login alerts fall into this category. The alert is the service doing its job, not necessarily evidence of a problem.

A family member or shared device user accessed the same account

Common

If multiple people use the same account — a shared streaming service, a family Google account, a joint email — a login from someone else in the household from their own device appears as an unfamiliar device and location to the service. This is a common source of confusing alerts that aren't security threats. Checking 'Active Sessions' or 'Recent Activity' in the account settings typically shows the device and location clearly enough to identify.

Someone else has your password and is attempting unauthorized access

Less Common

This is the least common but most serious cause. Unauthorized logins typically come from unfamiliar countries or continents, are at unusual hours, or are followed by account changes (password change, recovery email update, suspicious purchases). If the location in the alert is somewhere you've never been, treat it as a real threat and act immediately — change the password and enable 2FA before investigating further.

What to Do

Read the alert details carefully before acting

Open the alert email or notification and look at the details provided: the device type (iPhone, Windows PC, Android), the approximate location (city and country), and the time. Cross-reference these with what you actually did around that time. A login from 'Chicago, Illinois' on an 'iPhone' at 3pm is probably you. A login from 'Lagos, Nigeria' on a 'Windows PC' at 3am is not. Most services also include a 'This was me' / 'This wasn't me' button that lets you confirm or report the activity directly.

If you don't recognize it, change your password immediately

Don't wait to investigate further — change the password first. Go to the account's Security settings and change to a strong, unique password that you don't use anywhere else. A strong password is at least 12 characters with a mix of letters, numbers, and symbols, or a random passphrase (e.g., 'correct-horse-battery-staple'). Using a password manager to generate and store unique passwords is the most reliable long-term approach.

Pro tip: Change the password from a device and network you trust — not the same device or network where the suspicious login occurred, in case it's compromised.

Check active sessions and log out unknown devices

Most major services offer a 'Recent Activity,' 'Active Sessions,' or 'Where you're signed in' page in Security settings. Google: myaccount.google.com > Security > Your devices. Apple: appleid.apple.com > Devices. Microsoft: account.microsoft.com > Security > Activity. Review the list, identify any devices you don't recognize, and sign them out. This terminates any active sessions the unauthorized user may have.

Enable two-factor authentication

Two-factor authentication (2FA) requires a code from your phone in addition to your password. Even if someone obtains your password, they cannot access your account without the second factor. Enable 2FA in the account's Security settings — most major services support both SMS codes and authenticator apps (Google Authenticator, Authy, Microsoft Authenticator). Authenticator apps are more secure than SMS. See our full guide: 'How to Set Up Two-Factor Authentication.'

Check for and change reused passwords on other accounts

If you use the same password on multiple accounts, any account where that password was compromised becomes a potential entry point for all the others. Check whether you've used this password elsewhere and change it on each account that shares it. A password manager like Bitwarden (free), 1Password, or Dashlane can audit your stored passwords for reuse and help you replace them with unique ones.

For financial or sensitive accounts, check for unauthorized changes

If the alert is for a bank, email, or account tied to financial services, check for any unauthorized changes after securing access: look for new payees, changed contact information, sent emails you didn't write, or purchases you didn't make. Contact the service's support team if you find anything suspicious — most financial institutions have dedicated fraud teams and may be able to reverse unauthorized transactions.