Just discoverd that emails on a certain domain (one of several domains on same account) has had about 500 emails added to the account, without my interaction.

Is there any way this can be done besides going through the cpanel platform itself - that is, by root priviledges?
I haven't run through all the pages of emails that were added but my single email account that I use with this domain - appears to have been removed? Wouldn't removal of an email account have to be done through cpanel access?

Could the host server have been hacked seperately with the names added? I have been sending emails via outlook express on my local machine however even if the password was comprised in this way it doesn't explain gaining the rights to add email names to my account.

Is there any oblgation on the part of the host to inform users when systems have been compromised (silly question - infers responsibility?)