Not only that I take physical security seriously, but there're no indicator that the attacker has a real access to the mailbox. Password to OVH has been changed for second time after I changed the password to the email and after I cross-checked that I keep the only active session to the mailserver. After this, even the knowledge of OTP private key won't give an access to the mailbox to attacker.