I received a notification email this morning that the contact email on an account had been changed to 'h g n g g o t c h a @ gmail (minus the spaces). The email is legitimate and was sent from the server, and the address had been changed. The given account's cpanel is not logged into, and occasionally is accessed from the reseller account. The account had a secure random password. I don't find any evidence of a cpanel login or anything. I've looked through logs in /var/log, /usr/local/cpanel/logs, and /etc/apache2/logs (and domlogs) as well as the accounts logs directory. I am scouring the account looking for any changes there - where else might some evidence of how this change happened be logged? Manually changing the .contactemail file does not seem to trigger the notification...