Theft of an email account is a difficult and often dangerous situation. When you think about how much personal information we keep in our inboxes, even just the thought that someone might have seen it can be very unsettling.
If you believe you’re safe just because your data is “not interesting to anyone”, think again. Attackers don’t care what kind of information they get or whose account they use to send out spam. Any account will do, which is why it’s worth protecting all of them equally. Your best weapon against these hidden online threats is knowledge.
How do I know if my account has been compromised?
There are often signs that someone has accessed and misused your account. In some cases, the attack is so sophisticated that the intruder tries to cover their tracks, making it harder to notice anything suspicious.
Unknown sent messages or contacts
- One of the first signs is the appearance of something in your account that you didn’t create—most often spam messages in the Sent folder. Because most compromised accounts are used to send spam, this is the most common symptom.
- Sometimes, attackers delete the sent messages to hide their activity. That’s why it’s important to look for anything unusual: unknown addresses popping up when you compose a new email, replies to messages you never sent, and so on.
Emails stop arriving or are missing
- Some attacks are aimed at intercepting your emails. The attacker may create forwarding rules that send all incoming mail to another email address—and then delete the forwarded message.
- In sabotage-type attacks, the goal may simply be to harm you. They might delete your mail or set up a rule that automatically deletes any new messages. If this happens, make sure to check and remove any suspicious rules in your account settings.
You receive a flood of “undeliverable” message notifications
- These messages, often from “Mailer Daemon” or “Mail Delivery System”, indicate that emails supposedly sent from your account couldn’t be delivered. This might mean someone used your address—either actually from your account or faking it—to send spam.
- Even if your address was only spoofed, it’s worth reviewing your account’s security settings. It’s not always easy to tell what happened unless you analyze the message headers, which sometimes include the IP address of the sender.
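The header check mentioned above, as an added example (not Seznam's own tooling): it reads the headers of a returned message and separates "sent through your provider" from "only the From address was forged". The provider domain `mail.example.net`, all hosts and IP addresses, and the verdict labels are constructed for illustration, and it assumes the receiving server recorded an `Authentication-Results` header.

```python
import re
from email import message_from_string

# Constructed samples: headers of the returned message quoted in a bounce.
# Hosts and addresses are placeholders (documentation ranges), not real data.
SPOOFED = """\
Authentication-Results: mx.recipient.example; spf=fail; dkim=none
Received: from host.invalid (unknown [198.51.100.7])
 by mx.recipient.example; Mon, 03 Mar 2025 10:00:03 +0000
From: you@mail.example.net
"""
FROM_ACCOUNT = """\
Authentication-Results: mx.recipient.example; spf=pass; dkim=pass
Received: from out.mail.example.net (out.mail.example.net [192.0.2.50])
 by mx.recipient.example; Mon, 03 Mar 2025 11:00:09 +0000
Received: from [203.0.113.25] (unknown [203.0.113.25])
 by smtp.mail.example.net with ESMTPSA; Mon, 03 Mar 2025 11:00:07 +0000
From: you@mail.example.net
"""

def parse_hop(value):
    """Extract the stamping server ("by") and connecting IP from one Received header."""
    flat = " ".join(value.split())               # undo header folding
    by = re.search(r"\bby\s+([^\s;]+)", flat)
    ip = re.search(r"\[([0-9A-Fa-f.:]+)\]", flat)
    return {"by": by.group(1).lower() if by else "", "ip": ip.group(1) if ip else None}

def analyze(raw, provider_domain):
    """Classify a bounced message as sent through the provider or merely spoofed."""
    msg = message_from_string(raw)
    hops = [parse_hop(h) for h in msg.get_all("Received", [])]   # newest first
    auth = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim)=(\w+)", header):
            auth.setdefault(method, result)      # keep the topmost (final receiver's) result
    via_provider = any(h["by"] == provider_domain or h["by"].endswith("." + provider_domain)
                       for h in hops)
    authenticated = "pass" in (auth.get("spf"), auth.get("dkim"))
    if via_provider and authenticated:
        verdict = "sent_via_provider"            # the account itself was likely used
    elif auth and not authenticated:
        verdict = "spoofed"                      # only the From address was forged
    else:
        verdict = "inconclusive"                 # not enough evidence in the headers
    # Oldest hop is last; lines below the first server you trust can be forged.
    return {"verdict": verdict, "origin_ip": hops[-1]["ip"] if hops else None}
```

A `sent_via_provider` verdict means the password change and session logout steps are urgent; `spoofed` means the account itself was probably not used, but the settings review is still worthwhile.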

Your account is locked or you’re forced to change your password
- If you log in and see that your account has been locked or you’re being forced to change your password, it means our system detected suspicious activity and proactively blocked access.
- We monitor dozens of parameters to automatically detect unusual behavior or spam patterns. If you were knowingly sending bulk emails at the time, that might have triggered the block. Otherwise, follow the steps outlined in the Forced Password Change guide and Account Block Information.

Login alerts from abroad
- Most spam-related attacks originate from outside the country, often from regions with low internet regulation. That’s why we track where logins are coming from, and if we notice unusual foreign activity, you’ll see a notification bar in your inbox listing the countries involved. This allows you to decide whether the login was legitimate or not.

What to do if your account seems compromised
If you’ve noticed any of the symptoms above, act quickly. You never know whether the attacker still has access and might change your password.
1. Check your recovery contacts
- An attacker may have set up their own recovery contacts to regain access later. Go to Account Settings > Security and make sure your recovery email and phone number are correct. Change them if needed.
2. Immediately change your password
- Create a brand-new password that you’ve never used before, and don’t reuse it on any other website. The password should be strong and unique—ideally nothing resembling your email address. Read more tips in our Secure Password Guide.
- If you use two-step verification, make sure to update the password used for mail protocols and xDAV as well.
3. Log out of all devices
- Use the Account > Active Sessions feature to log out from everywhere with a single click. Changing the password alone doesn’t end active sessions. This step also kicks out any attacker who might still be logged in.
- You can find detailed steps in our article about Active Session.
4. Enable two-step verification
- After securing your account, enable two-step verification. This adds a layer of protection by alerting your verification device every time someone tries to log in. If an attacker tries again, you’ll get a prompt—and you can simply deny the access.

Why do attackers steal accounts?
Attacks can range from simple to highly sophisticated. Here’s what attackers typically use stolen accounts for:
Sending spam
- Attackers control large numbers of hacked accounts, using them to send spam through so-called “spambots”. These bots distribute spam from thousands of different email addresses, making them hard to block.
Accessing other services
- Once an attacker knows your email and password, they may try logging into other online services you use. This can include social media accounts (Facebook, Instagram), gaming accounts (Steam, Epic Games), and more. They may change passwords, cause damage, or even sell the accounts.
Stealing financial information
- An attacker may look for credit card info or try to access your online banking, PayPal, or Revolut accounts. If they get in, they may transfer your money elsewhere.
Sabotage and harm
- Some attackers do it just to cause trouble or because they enjoy the power.
Identity theft
- This is one of the most serious consequences. If an attacker finds your personal data, contacts, or scanned IDs in your inbox, they could use your identity to commit crimes—both online and offline.
Phishing
- An attacker may send phishing messages from your account, impersonating banks, PayPal, Airbnb, or even your friends.
Selling stolen data
- Sometimes attackers don’t use the accounts themselves but sell them or the information they contain. Email-password databases are valuable on the dark web.
Posting fraudulent ads
- Organized crime groups use stolen accounts to post fake ads (e.g. cars, rentals). They communicate with buyers, ask for advance payments, then disappear.
Personal motives and blackmail
- Sadly, many attacks are personal—revenge from ex-partners, coworkers, classmates, or business associates. These people may have access to your devices or be able to guess your password based on what they know about you.
How do attackers get passwords?
There are many ways attackers can obtain your password. It’s good to have at least a basic awareness of them. Just like in real life, attackers most often rely on the most trivial tools…
The user used their email password on another service with poor security, and the password was leaked
- Based on many analyzed cases, we know that a “leak” doesn’t necessarily mean a sophisticated hack. Attackers usually target smaller shops, forums, dating sites, and other services that don’t have strong password storage security. Once they access such a user database, they look for people who use the same password for their email inbox.
Phishing messages
- Phishing is a favorite method among attackers. It’s a type of email where the attacker pretends to be another company or person and tries to trick you into entering your password on a fake website. The attacker may pretend to be Seznam.cz or another service, including a link to a fake login page that looks similar to the original. The message often includes a pretext – for example, claiming your inbox will be deleted unless you log in. You can find an example and more information in the article Safe Behavior Online.
The user shared their password with another person, who then changed it
- You should never share your password with anyone – especially not with someone you barely know or met only online. This also includes the risky practice of buying and selling online accounts. It’s not uncommon that if you buy an account for an online game, the seller gives you the login email and password, but if they still have access to the linked email inbox, they can reset the password and reclaim the account. The same applies to email inboxes – such activity is against our terms and should be avoided. There’s a risk the seller retains the ability to reset the password and steal the account back.
The user shared their security questions or password reset PIN with someone
- If you receive a message with a PIN code for password recovery on your phone or secondary email without having requested it, someone may be trying to access your account. Be very cautious and never share the PIN, even if the request comes from friends or family. We’ve seen attacks where attackers ask for the PIN using hacked Facebook profiles of your friends.
The attacker gained access to verified recovery contacts
- This isn’t common, but it can happen – for example, through a lost phone, SIM card cloning, or a compromised email address set as a recovery method for another account.
The password was weak and someone guessed it or saw the user typing it
- It’s a major mistake to use a password that resembles your email address or includes personal details (names of family members or pets, birthdays, nicknames, etc.). See more in the article Secure Password.
The user’s device was infected with malware or connected to an unsecured network
- In rare cases, a password can be captured on the user’s device when typing it (e.g. keyloggers or other password-stealing malware). If the attacker is connected to the same unsecured Wi-Fi, they may also intercept the password when logging into an unsecured website.
What’s the best prevention?
To properly secure your account against external attacks, follow a few simple steps. Seznam accounts offer several settings to increase security. Staying alert and cautious is always important…
Secure password
- Use a strong and unique password for your Seznam account – one that isn’t used anywhere else and can’t be guessed by someone who knows you. Consider using a password manager. You can find tips in our article Secure Password.
Safe behavior online
- Read the rules for safe online behavior to stay prepared. Be aware of suspicious activity and ignore strange or untrustworthy emails. Always check the web address before entering your password, and never share your password or other security details (contacts, PINs, etc.) with anyone.
Two-step authentication
- Consider enabling two-factor authentication. This feature will notify you when there is a login attempt from a new device. If someone tries to access your inbox, a notification will appear on your phone or computer and you’ll be able to block the login.
Verified recovery contacts
- A verified phone number or email address greatly increases your chances of recovering an account if the password is changed by an attacker.
- Recovery contacts also allow for an additional function – if we detect a suspicious password change, we’ll send a so-called password change veto to your verified contact. You can cancel the change immediately and restore your password. Email is the preferred method; if no email is verified, we’ll send the veto via SMS. Note: the veto is not sent for every password change, only for those that seem suspicious.

Protection against malware and viruses
- As a general computer protection rule, use antivirus software and keep your firewall active. These applications monitor internet traffic, downloaded files, opened attachments, websites, and other potential sources of infection. A device infected with malware can send sensitive information to the attacker, often leading to stolen login credentials. The computer may also send spam or become part of a larger botnet spreading the infection.
What to do if your account is blocked?
If we detect suspicious signs indicating that your account may have been compromised, the system may automatically block it. These signs include suspicious settings or unusually high message activity. There are two types of account blocks on Seznam – forced password change and account block.
Message: “Someone broke into your account”
- This means we’ve determined that your account may be compromised. You must change your password immediately to prevent further abuse. This type of block is most common in cases where the account was used to send spam. Abuse of Seznam services for spam affects the reputation of our servers with other email providers, which in turn harms our users. The owner must change the password and check their devices for malware. More details are in the article Forced Password Change.
Message: “Your account is blocked”
- This message means the account has been blocked. For more details, see the article Seznam Account Block. You can also contact our user support to check the reason for the block and explore possible recovery options.
What to do if you can’t access your account?
If your account was already stolen and you can no longer log in because the attacker changed the password, the only solution is to go through the Forgotten Password process. Instructions are available in the article How to Recover a Forgotten Password. Unfortunately, no other recovery option is available.
Once you regain access to your account, make sure to follow all safety tips from the section What’s the best prevention?