EmailDiscussions.com


ao1 22 Mar 2018 09:28 AM

Fastmail hacked?
 
Background:
I have 2 legacy fastmail accounts (let's call them me@fastmail.fm and wife@fastmail.fm).
I also have my own domain (mydomain.tld) that uses fastmail's DNS services.
I set an alias on my account that forwards wife@mydomain.tld to wife@fastmail.fm
and an alias on wife's account that forwards wife@eml.cc to wife@fastmail.fm

About a week ago somebody opened an ebay.co.uk account with the wife@mydomain.tld email address. Ebay support restricted it once I proved to be the owner of the email address, but claimed that creating the account required the information in the confirmation email.

There were also emails from a UK broadband provider and a UK magazine subscription site, both on that same day.

I immediately changed all the passwords on both our accounts.

I also checked the login log on both accounts, and the only IPs that accessed it were my home, my workplace and my wife's iPhone.

Today my wife saw an email from Microsoft sent to wife@eml.cc requesting to confirm the creation of a "live" account, and another email saying that the email address was changed from wife@eml.cc to tel@f-m.fm -- another fastmail address (actual, not mine)

I do not know how to explain this. Maybe fastmail had a breach or was hacked.

I opened a ticket with FM, but I am interested to know if anyone else had similar experiences or has an idea.

Thanks,
Alex.

n5bb 24 Mar 2018 10:57 AM

Could be a mistake or attack - it's hard to tell
 
I have seen no problems with my three Fastmail accounts or personal domain tied to one Fastmail account. I have several thoughts about your unfortunate situation:
  • Discussions with Fastmail staff are important if you believe that someone is actively attacking your account in various manners.
  • But I didn't see anything in your post which indicated that the attacker actually used any information in your account. Yes, eBay requires you to use information in their email to you to set up an account, but you didn't say that the attacker had actually supplied that information to eBay. Their comments to you might not have been clear about that detail.
  • One thing to be very careful about is an attacker using social engineering to fool you. For example, the attacker might spoof eBay or Microsoft or the magazine. So you might be fooled into thinking someone was trying to create a Microsoft account, but actually the attacker just wants you to click a link or do something else they put into the fake email which appears to be from Microsoft.
  • Anyone can put any address into a signup form at a website. If all you see are actual confirmation messages, it might be due to a bad person or an accident by someone.
  • For example, I live in Texas and have my own personal domain which involves my last name, which happens to originally be from the British Isles (several hundred years ago). On several occasions I have received emails to usernames at my personal domain which I don't use but don't block. In most cases this was due to a mistake by an individual who thought their British friend had an address of user @ lastname.org, while it was actually user @lastname.com (or some other TLD). So they accidentally sent me private emails, sometimes with personal information.
  • The worst case was a university in the British Isles who had an incorrect email address for a new student. I received confidential emails from the university with personal information, such as details for creating a healthcare account and orientation meetings the new student should attend. I responded to the official at the university with no response. I then sent emails to various offices at the university and even their IT department and they would never respond. So finally I blocked that specific alias at my domain, which I wasn't using anyway.
  • For some of these situations, I think that someone obtained an email address at a domain with my last name at a different TLD (.org rather than .com, for example) but then they forgot the TLD and entered my domain name when they went online to sign up for various sites.
  • But you need to be very careful and look at the full headers and reputation indicators (DKIM, SPF, and DMARC authentication) to be sure that the message is truly from the From address, and that the From address is what would be expected for that specific type of message. What drives me crazy is companies who send you messages using a third-party bulk service. So the From address might be at a known domain where you have an account, but that's just a spoofed address and the servers sending the message are not associated with that known domain for authentication purposes.
Bill

TenFour 25 Mar 2018 05:37 AM

Nothing much to add other than the obvious note that using top-level domain names (TLDs) other than .com, .net, or .org can lead to this type of issue where some organization (or even the person who owns the address) inadvertently uses the domain name with .com without thinking. Not sure if that is part of the problem or not. My guess is some sort of phishing attempt going on.

JeremyNicoll 23 Mar 2022 09:56 AM

Quote:

Originally Posted by ao1 (Post 605967)

I also checked the login log on both accounts, and the only IPs that accessed it were my home, my workplace and my wife's iPhone.

Is your wife's iPhone the only device that's portable? Has it been out of the house in the last couple of weeks?

Are any of your devices portable?

Are you both ultra-careful to keep devices locked, if eg they're in offices or other public spaces?

Has anyone other than you & your wife been in your house?

n5bb 23 Mar 2022 10:08 AM

Quote:

Originally Posted by JeremyNicoll (Post 625213)
Is your wife's iPhone the only device that's portable?...

Did you notice that the original posts were made four years ago? A new EMD member brought up this old thread with a stray comment, which is a bit suspicious. The original poster hasn't made a post here in EMD in about two years, so I doubt they are reading your comments about this old topic.

JeremyNicoll 23 Mar 2022 11:07 AM

Quote:

Originally Posted by n5bb (Post 625215)
Did you notice that the original posts were made four years ago? A new EMD member brought up this old thread with a stray comment, which is a bit suspicious. The original poster hasn't made a post here in EMD in about two years, so I doubt they are reading your comments about this old topic.

Rats! No I didn't notice - I just saw the "22 Mar" part of the date on the posts and thought - since I've not been here for a few days - that this was a new thread.

I agree about the single post from a new member - I usually regard all such posts as likely signs of a spammer.

FredOnline 23 Mar 2022 03:17 PM

Quote:

Originally Posted by n5bb (Post 625215)
Did you notice that the original posts were made four years ago? A new EMD member brought up this old thread with a stray comment, which is a bit suspicious.

Yes, this always rings an alarm bell for me, they usually turn out to be spammers.

The exception, of course, is one particular long-term forum member who has a penchant for resurrecting old and sometimes bizarre threads, that have absolutely no connection with the fine art of e-mail.

Bamb0 20 Jul 2022 07:35 AM

Quote:

Originally posted by n5bb
Did you notice that the original posts were made four years ago? A new EMD member brought up this old thread with a stray comment, which is a bit suspicious.

Yes it IS somewhat suspicious........

SideshowBob 21 Jul 2022 08:07 AM

KeylaLewis is clearly the same person.

ao1 26 Jul 2022 05:40 AM

Quote:

Originally Posted by n5bb (Post 625215)
The original poster hasn't made a post here in EMD in about two years, so I doubt they are reading your comments about this old topic.

Didn't have much to say...

Bamb0 26 Jul 2022 08:22 AM

No they usually don't :(

ao1 26 Jul 2022 12:25 PM

Quote:

Originally Posted by Bamb0 (Post 627023)
No they usually don't :(

They? The Illuminati?

BritTim 26 Jul 2022 02:01 PM

Quote:

Originally Posted by ao1 (Post 627025)
They? The Illuminati?

I think it was intended as the modern singular use of the word "they", meaning the poster. Apparently, the use of "he" or "she" can induce rage in the person referenced if you happen to have guessed their gender incorrectly. I wish this innovation had not appeared, as it causes confusion in communications quite often.

ao1 26 Jul 2022 02:15 PM

Quote:

Originally Posted by BritTim (Post 627027)
I think it was intended as the modern singular use of the word "they", meaning the poster. Apparently, the use of "he" or "she" can induce rage in the person referenced if you happen to have guessed their gender incorrectly. I wish this innovation had not appeared, as it causes confusion in communications quite often.

I was kidding, given who the poster is :)

Bamb0 26 Jul 2022 08:48 PM

I'm sorry if I caused any confusion :)


All times are GMT +9.

