How to Tell If Your iCloud Mail Has Been Compromised

Warning Signs Your iCloud Mail Is Compromised

• Apple sends you a notification that your Apple ID was used to sign in on a new device
• You receive an email about Apple ID changes you didn't make (password, email, phone)
• Your Apple ID password no longer works
• You see emails in your iCloud Sent folder that you didn't write
• Unfamiliar devices appear in your Apple ID device list
• You receive two-factor authentication codes you didn't request
• Your iCloud storage is being used by backups from devices you don't own
• Find My shows a device location you don't recognize

How to Check for Unauthorized Access

1. Review Devices on Your Apple ID

On your iPhone/iPad, go to Settings → [Your Name] and scroll down to see all devices signed in with your Apple ID. On a Mac, go to System Settings → Apple ID. On the web, visit appleid.apple.com and check the Devices section. Remove any device you don't recognize.

2. Check Apple ID Account Page

Sign in at appleid.apple.com and review your personal information, security settings, and payment methods. Verify your trusted phone numbers, email addresses, and recovery key settings haven't been tampered with.

3. Check iCloud Mail Rules

Log into icloud.com/mail, go to Settings (gear icon) → Rules. Check for any forwarding or filtering rules you didn't create that could be sending copies of your emails to an attacker.

4. Review App-Specific Passwords

At appleid.apple.com → Sign-In and Security → App-Specific Passwords, review all generated passwords. If you see passwords for apps you don't use, an attacker may have created them to bypass two-factor authentication.