History / log of password change for an email account ?

Markif

Member
Nov 9, 2016
14
0
76
Toulouse
cPanel Access Level
Root Administrator
Hello

Is there a log of password changes for an email box somewhere?

Use case: A consumer claims their password has been changed (but probably got it wrong), but how do you verify or prove that they haven't? Or how to tell him - if it is the case - on what date / time it happened and which user was in session from which IP.
Of course, it's not about knowing the new password, but just finding a trace of a change.

Thanks for your help
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,304
1,252
313
Houston
The cPanel access logs would have logs for any access made to a cPanel service including password changes. It stores this information in GET and POST requests and may not always indicate that the action taken was a password change though. You can find the access logs at /usr/local/cpanel/logs/access_log
 

kodeslogic

Well-Known Member
Apr 26, 2020
87
27
93
IN
cPanel Access Level
Root Administrator
@Markif

When you see below lines together with one after another in /usr/local/cpanel/logs/access_log there is most chances that for some email account of cPanel user "UserAccount" password modification was done.

Code:
xx.xx.x.xxx - UserAccount [08/28/2020:00:01:05 -0000] "POST /cpsess6183611895/backend/passwordstrength.cgi HTTP/1.1" 200 0 "https://hostname:2083/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36" "s" "-" 2083
xx.xx.x.xxx - UserAccount [08/28/2020:00:02:08 -0000] "POST /cpsess6183611895/execute/Email/enable_mailbox_autocreate HTTP/1.1" 200 0 "https://hostname:2083/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36" "s" "-" 2083
xx.xx.x.xxx - UserAccount [08/28/2020:00:02:08 -0000] "POST /cpsess6183611895/execute/Email/passwd_pop HTTP/1.1" 200 0 "https://hostname:2083/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36" "s" "-" 2083
xx.xx.x.xxx - UserAccount [08/28/2020:00:02:08 -0000] "POST /cpsess6183611895/execute/Email/list_pops_with_disk HTTP/1.1" 200 0 "https://hostname:2083/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36" "s" "-" 2083
 
Last edited:
  • Like
Reactions: cPanelLauren