Triggered Canary token

I am currently taking Nathan’s ethical hacking course and I installed a couple of the canary tokens that recommended. The same token was triggered twice tonight by different IP addresses on different times from different locations. I was not doing anything on my laptop while it happened. Can you please let me know what steps I should take now in order to prevent someone from accessing my files? After it happened I immediately put it on airplane mode.

Thanks in advance!


Hi, I have the same situation, it was on my email, while I was asleep. I don’t know what to do and have no idea if the trigger is accurate. In the end what was your solution to this situation?

So a canary token was triggered indicating someone was snooping inside your email account? Do you mind telling what type of account - gmail, yahoo, etc.?
In the memo section, does it say it was a password trap or what exactly the person snooped in?
Do you know if “Tor known exit node” is True or False?

More info can be found in Volume 4 of Nathan’s Complete Cybersecurity Course - End Point Protection. Section 7: Threat Detection and Monitoring - CanaryTokens video.

Thank you for replying my comment!
Hmmm it is my school outlook email, so the entire email is connected to my school account and it is the primary form of communication with school professors or students. Even the login is through school account.
For that canary token, I did while following the lecturer. It was one where I embedded the link inside a hyperlink that says ‘here’ and sent the email to myself. I am not sure about the exit node thing though, I’m too new in this area.

Hopefully, you received the email alert on a different email account monitored often. The alert email should tell you the source IP address of the intruder, which may help identify them and where they are located if you are interested in investigating that.

I recommend changing your password immediately. It helps to make it very long, mixing upper and lower case, including numbers and special characters. See if there is an option in your settings to log you out immediately from all devices from which you are currently logged in. Set up 2 factor authentification.

You may have an option in your account to see all devices that have recently used your account. For example, one device might mention Windows 10 device in Tampa, Florida (something like that). Look for something out of the ordinary.

Just some things to think about.

Ironically, the email alert was sent to the exact same mail box which the hacker invaded. Thus, if he has my email account, he would have seen the canarydrops alert too.

I took the IP address and did a simple internet search. I really have limited knowledge on how to track deeper. Thank you for your suggestion, I will try to track the device that used my account lately.

1 Like