How can my email be logged in from another city even with mfa?

[Emily92]

I just got a notification that someone logged into my email from a device I don't recognize. I checked the recent activity page and it shows a successful login from a different city, but my password is strong and unique. I have MFA enabled, so I'm confused how this could even happen.

[LarryFL]

That checks out with what I’ve seen too. MFA buys you time, but if a legit session token or cookie was stolen, the system can be in while you’re not prompted again.

[Addison_R]

I once got a similar alert. I felt a rush, then remembered I’d logged in on a borrowed laptop that one time. It reminded me to look for unfamiliar sessions, even though the password was strong.

[AbigailMT]

Maybe the city guess is off. Geolocation isn’t perfect and VPNs can flip you to weird places. Or maybe someone used a phishing prompt to grab a code, which makes the alarm feel real but the cause fuzzy.

[Frank.T]

Did you notice any new devices in the security settings or any OAuth permissions you didn’t grant?