How to determine if a cPanel user changed their password using the cPanel interface

Introduction

If a user's password was changed via cPanel, the password change action will be logged in cPanel's access log.

Procedure

Access the server's command line as the 'root' user via SSH or "Terminal" in WHM.
Search the /usr/local/cpanel/logs/session_log file for "password_change" and the cPanel username:

[root@server ~]cPs# grep "password_change" /usr/local/cpanel/logs/access_log | grep $cpusername
[20XX-01-01 00:00:00 -0000] info [security] internal PURGE $cpusername:_FCXOMrgt_kOd31I password_change

Please note that "$cpusername" must be replaced with the cPanel user's username.

This will show if a user changed their password through cPanel interface or through the API. If a user changed their password using the Linux shell, the change would not be logged in the session logs. This may instead be present in the user's /home/$cpusername/.bash_history file.