How to Check if Someone Accessed Your Google Account
A practical guide for when you suspect monitoring—not paranoia
You're reading this because something feels off. Maybe your partner mentioned something from an email you never told them about. Maybe you're going through a divorce and suspect your ex has access. Maybe you noticed your phone acting strangely.
You're not paranoid. Account monitoring is extremely common—especially in relationships where one person wants control. A 2023 study found that 75% of domestic abuse shelters reported clients whose abusers monitored their email accounts. It happens in custody disputes, workplace conflicts, and stalking situations constantly.
This guide will help you find out what's actually happening, document evidence properly, and understand your options.
Before You Do Anything: The Evidence Paradox
If this is purely about securing your account and you don't need evidence, skip to "Securing Your Account" at the end. But if there's any chance you'll need to prove what happened—read this section carefully.
What Google Actually Logs (And What It Doesn't)
Understanding what data exists helps you know what to look for:
| Google Logs This | Google Does NOT Log This |
|---|---|
| Device type and browser used for each login | Exactly which emails were read |
| Approximate location (city-level from IP address) | How long someone spent in your account |
| Timestamps of sign-ins and security events | What files they looked at in Drive |
| Third-party apps granted access | Whether they exported/downloaded your data |
| Password/recovery changes | Screen recordings of their activity |
| Email forwarding rules created | Their identity (only IP/device) |
The key insight: Google can prove that someone accessed your account from a specific device and location, but can't prove who was using that device. If you're trying to prove a specific person did this, you'll need to connect the device/location to them (e.g., it's their home IP, their known phone model, etc.).
Step 1: Check Active Sessions (Who's Logged In Right Now)
Go to myaccount.google.com/device-activity
This shows every device currently signed into your Google account. For each device, you'll see:
- Device type — "iPhone," "Windows computer," "Android phone," etc.
- Location — City and country (based on IP address)
- Last activity — When it was last used
What to look for:
- Devices you don't recognize (especially if the model matches someone you suspect)
- Locations that don't make sense (their city, not yours)
- Multiple devices of the same type (two iPhones when you only have one)
Document it: Screenshot this page. Include the date in your screenshot (take a photo of the screen with your phone showing the date, or use a screenshot tool that timestamps).
Step 2: Check Security Event History
Go to myaccount.google.com/notifications
This shows recent security events—but Google only displays about 28 days here. Events include:
- New sign-ins (including location and device)
- Password changes
- Recovery email/phone changes
- 2-factor authentication changes
- New app access granted
Red flags:
- Sign-ins from locations you weren't at (especially at times you were home/asleep)
- Recovery info changes you didn't make (this is how people maintain access)
- Security features disabled (especially 2FA turned off)
Step 3: Check for Hidden Surveillance (Forwarding & Apps)
These are the sneaky methods—someone can read everything you receive without ever logging into your account directly.
Email Forwarding
Open Gmail → Settings (gear icon) → See all settings → Forwarding and POP/IMAP
If "Forward a copy of incoming mail to:" shows an email address you don't recognize, someone is receiving copies of every email you get. This is very common in monitoring situations because it doesn't require repeated logins.
Also check: Filters and Blocked Addresses. Look for filters that forward, delete, or mark emails as read automatically. Abusers sometimes create filters like "if email contains 'lawyer' or 'divorce' then forward to..."
Third-Party App Access
Go to myaccount.google.com/permissions
This shows every app and service that can access your Google data. Some monitoring tools disguise themselves as legitimate apps. Look for:
- Apps you don't remember installing or authorizing
- Apps with vague names or names that sound like system utilities
- Apps with extensive permissions (especially "See and download all your Google Drive files" or "Read your email")
Step 4: Export Your Complete History
Google's web dashboard only shows ~28 days. For a complete record—and for evidence that could matter in legal proceedings—you need your full data export.
- Go to takeout.google.com
- Click "Deselect all" first
- Select these specific items:
- Access Log Activity — Every login to your account
- My Activity — Search, browsing, app usage
- Google Account — Account settings and changes
- Choose .zip format, single export
- Request the export (Google emails you when it's ready, usually within hours)
This export contains JSON files with every login attempt, IP address, device identifier, and timestamp—going back years. The problem: these files are nearly impossible to read manually. A typical export has thousands of nested records.
Making Sense of Your Export
You have a few options:
Option 1: Manual review (free, tedious)
Open the JSON files in a text editor and search for specific dates, IP addresses, or device names. This works if you're looking for something specific, but you'll miss patterns.
Option 2: Use ForensAI (what we built)
ForensAI automatically parses Google Takeout exports and flags suspicious patterns—logins from unusual locations, device changes, impossible travel (logging in from two distant cities within hours), access during sleeping hours, and more. The free version shows you your top red flags. Full Forensics ($179 one-time) unlocks unlimited scans, complete analysis of all patterns, and professional PDF reports you can share with attorneys. Everything runs on your device; nothing is uploaded anywhere.
Option 3: Hire a forensic examiner
If you need court-admissible evidence with expert testimony, a licensed forensic examiner can analyze your export and provide declarations. This typically costs $3,000-$10,000. ForensAI can help you do initial analysis to decide if professional help is warranted.
What Unauthorized Access Actually Looks Like
Based on thousands of analyses, here are the real patterns (not Hollywood hacking):
Scenario 1: Partner/Ex Monitoring
Usually shows as consistent access from a device that matches their known phone or computer. Logins often happen shortly after you receive important emails (they're checking frequently). Location matches their home or workplace. This is the most common pattern we see.
Scenario 2: Shared Device Access
If you ever logged into Google on their computer/phone and stayed signed in, they don't need your password. This appears as "legitimate" logins from their device because it's using an existing session. Check your active devices.
Scenario 3: Password Compromise
Shows as new sign-ins from unfamiliar devices. Often follows a pattern: first login, then password change or recovery email added (to maintain access), then ongoing access. Check if your password was in any known data breaches at haveibeenpwned.com.
Scenario 4: Forwarding/App Surveillance
May show NO suspicious logins at all because they're not logging in—they're receiving forwarded copies or using an authorized app. This is why checking forwarding rules and app permissions is critical.
Securing Your Account (After Documenting)
Once you've captured all the evidence you need:
- Change your password to something completely new (not a variation of old passwords)
- Enable 2-factor authentication using an authenticator app (not SMS—that can be intercepted)
- Remove unrecognized devices from your device list ("Sign out" each one)
- Revoke suspicious app access from the permissions page
- Delete forwarding rules and suspicious filters
- Change recovery email/phone if they were modified without your knowledge
- Review connected accounts — If you use "Sign in with Google" on other sites, those may also be compromised
If You Need This for Legal Purposes
Account access evidence is used in:
- Restraining orders / protective orders
- Divorce proceedings (especially custody disputes)
- Stalking/harassment criminal cases
- Workplace policy violations
For evidence to be useful, you need:
- Documentation with timestamps — Screenshots with visible dates, exported data files with metadata
- Chain of custody — You should be able to explain how you obtained the evidence
- Correlation to a person — Connecting the device/IP to the suspected individual (their known phone model, their home address's IP, etc.)
ForensAI's Full Forensics ($179) generates PDF reports with timestamped findings that attorneys have used in proceedings. Compare that to $3,000–$10,000 for a forensic firm. For matters requiring certified expert testimony, you may still need a licensed examiner—but ForensAI helps you understand what's there first, so you only pay for professional help when it's truly needed.
Related Guides
- Detailed Guide: Downloading Your Google Takeout Export
- How to Check if Someone Accessed Your Facebook Account
- Signs Your Phone is Being Monitored
- Is My Ex Reading My Emails?
- Using Digital Evidence in Divorce Proceedings
Free scans show top findings. Full Forensics ($179) unlocks complete analysis + PDF reports.
ForensAI is an educational tool for personal use. For legal matters requiring certified evidence or expert testimony, consult a licensed forensic examiner or attorney.
