For the last week or so, I've had a bunch of "Delivery to the following recipient failed permanently:" emails, for email that was apparently sent from my gmail account - I assumed that someone started using my return address for their spam. At about that time, gmail asked me to sign in with a CAPTCHA - I assumed that google had just added that.
I use an older (faster) version of gmail on my (slower) netbook, which doesn't have the "account activity" link. After reading this article, I switched versions and checked: 6 days ago, there was an alert about an access from China with this IP: 116.30.36.239
The emails in question have stopped for the last couple of days. It seems that google automatically detected and solved the problem, without me even being aware of it. Good google.
Did you check your 'sent' folder, by any chance? If there are copies of the emails there, then most likely they simply accessed your account directly with your password - which is much more concerning (albeit easy to fix by changing all your passwords)
Whoa, thanks, I should thought of that! They sent one on the day of the access (10 June).
There are 17 other potential ones, but I had moved them to my spam folder, so I can't tell where they came from originally. Looking closer, the first email in each chain seems to come from my account, but they are spread over several days, not just the day of the access.
Unfortunately, they could have potentially accessed any other services whose "forgotten password" emails go to this one, and then deleted the replies. But it looks like an automated spam attack.
When I realized today, I now logged out all other users (there didn't seem to be any) and changed my password. Maybe I should check all my linked accounts.
EDIT The header of their email has:
Received: from PC-201004061503 ([116.30.36.239])
Where that IP is the hacker's IP. Comparing with mail I've sent, the Received line includes my IP and "with HTTP". So it looks like they weren't using the web interface, but some direct one (IMAP? POP3?). If they're a spammer, it would be automated. BTW their emails all had the same content, most of them with the subject " 请在这里编辑主题...", which I'm guessing is "buy viagra" in Chinese.
The alert mechanism looks for successful logins, not spam seen in the wild with his account as the sender, so yes, someone has definitely accessed his account...
That's happened to me several times. In my case I'm sure it was spamming (nothing sent, no account access other than my own, for an account with a single word name).
I use an older (faster) version of gmail on my (slower) netbook, which doesn't have the "account activity" link. After reading this article, I switched versions and checked: 6 days ago, there was an alert about an access from China with this IP: 116.30.36.239
The emails in question have stopped for the last couple of days. It seems that google automatically detected and solved the problem, without me even being aware of it. Good google.