EmailDiscussions.com  

Old 22 Mar 2018, 09:28 AM   #1
ao1
Essential Contributor
 
Join Date: Oct 2003
Posts: 327
Fastmail hacked?

Background:
I have 2 legacy fastmail accounts (let's call them me@fastmail.fm and wife@fastmail.fm).
I also have my own domain (mydomain.tld) that uses fastmail's DNS services.
I set an alias on my account that forwards wife@mydomain.tld to wife@fastmail.fm
and an alias on wife's account that forwards wife@eml.cc to wife@fastmail.fm

About a week ago somebody opened an ebay.co.uk account with the wife@mydomain.tld email address. eBay support restricted it once I proved to be the owner of the email address, but claimed that creating the account required the information in the confirmation email.

There were also emails from a UK broadband provider and a UK magazine subscription site, both on that same day.

I immediately changed all the passwords on both our accounts.

I also checked the login log on both accounts, and the only IPs that accessed it were my home, my workplace and my wife's iPhone.

Today my wife saw an email from Microsoft sent to wife@eml.cc requesting to confirm the creation of a "live" account, and another email saying that the email address was changed from wife@eml.cc to tel@f-m.fm -- another fastmail address (actual, not mine)

I do not know how to explain this. Maybe fastmail had a breach or was hacked.

I opened a ticket with FM, but I am interested to know if anyone else had similar experiences or has an idea.

Thanks,
Alex.
ao1 is offline   Reply With Quote

Old 24 Mar 2018, 10:57 AM   #2
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,926
Could be a mistake or attack - it's hard to tell

I have seen no problems with my three Fastmail accounts or personal domain tied to one Fastmail account. I have several thoughts about your unfortunate situation:
  • Discussions with Fastmail staff are important if you believe that someone is actively attacking your account in various manners.
  • But I didn't see anything in your post which indicated that the attacker actually used any information in your account. Yes, eBay requires you to use information in their email to you to set up an account, but you didn't say that the attacker had actually supplied that information to eBay. Their comments to you might not have been clear about that detail.
  • One thing to be very careful about is an attacker using social engineering to fool you. For example, the attacker might spoof eBay or Microsoft or the magazine. So you might be fooled into thinking someone was trying to create a Microsoft account, but actually the attacker just wants you to click a link or do something else they put into the fake email which appears to be from Microsoft.
  • Anyone can put any address into a signup form at a website. If all you see are actual confirmation messages, it might be due to a bad person or an accident by someone.
  • For example, I live in Texas and have my own personal domain which involves my last name, which happens to originally be from the British Isles (several hundred years ago). On several occasions I have received emails to usernames at my personal domain which I don't use but don't block. In most cases this was due to a mistake by an individual who thought their British friend had an address of user @ lastname.org, while it was actually user @lastname.com (or some other TLD). So they accidentally sent me private emails, sometimes with personal information.
  • The worst case was a university in the British Isles who had an incorrect email address for a new student. I received confidential emails from the university with personal information, such as details for creating a healthcare account and orientation meetings the new student should attend. I responded to the official at the university with no response. I then sent emails to various offices at the university and even their IT department and they would never respond. So finally I blocked that specific alias at my domain, which I wasn't using anyway.
  • For some of these situations, I think that someone obtained an email address at a domain with my last name at a different TLD (.org rather than .com, for example) but then they forgot the TLD and entered my domain name when they went online to sign up for various sites.
  • But you need to be very careful and look at the full headers and reputation indicators (DKIM, SPF, and DMARC authentication) to be sure that the message is truly from the From address, and that the From address is what would be expected for that specific type of message. What drives me crazy is companies who send you messages using a third-party bulk service. So the From address might be at a known domain where you have an account, but that's just a spoofed address and the servers sending the message are not associated with that known domain for authentication purposes.
Bill
n5bb is offline   Reply With Quote
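The header check n5bb describes above, as an added example that is not part of the original thread: it reads the `Authentication-Results` header (RFC 8601) and reports whether SPF, DKIM and DMARC passed and whether a passing identity is aligned with the From domain. The authserv-id `mx.receiver.example`, the `*.example` domains and the sample messages are constructed assumptions, and `org_domain` is a two-label simplification of the Public Suffix List lookup that real DMARC uses.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.receiver.example"  # assumption: your own provider's authserv-id

def org_domain(domain):
    # Simplification: keep the last two labels (real DMARC uses the Public Suffix List).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def check_message(raw):
    msg = message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    report = {"from_domain": from_dom, "spf": "none", "dkim": "none",
              "dmarc": "none", "aligned": False}
    for hdr in msg.get_all("Authentication-Results", []):
        authserv, _, rest = " ".join(hdr.split()).partition(";")  # unfold, split off id
        if (authserv.split() or [""])[0].lower() != TRUSTED_AUTHSERV:
            continue  # not written by our own server, so the sender could have forged it
        for clause in rest.split(";"):
            m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", clause, re.I)
            if not m:
                continue
            method, result = m.group(1).lower(), m.group(2).lower()
            if report[method] != "pass":
                report[method] = result
            ident = re.search(r"(?:header\.d|smtp\.mailfrom)=(\S+)", clause)
            if result == "pass" and method != "dmarc" and ident:
                dom = ident.group(1).rpartition("@")[2]
                if org_domain(dom) == org_domain(from_dom):
                    report["aligned"] = True  # authenticated identity matches From
    ok = report["dmarc"] == "pass" and report["aligned"]
    report["verdict"] = "trusted" if ok else "suspect"
    return report

def sample(authres):  # constructed message for the demo, not real mail
    return ("Authentication-Results: " + authres + "\n"
            "From: Shop Accounts <no-reply@shop.example>\n"
            "Subject: Confirm your new account\n\nPlease confirm.\n")

GENUINE = sample("mx.receiver.example; spf=pass smtp.mailfrom=b@mail.shop.example;"
                 " dkim=pass header.d=shop.example; dmarc=pass header.from=shop.example")
BULK = sample("mx.receiver.example; spf=pass smtp.mailfrom=b@bulkmailer.example;"
              " dkim=pass header.d=bulkmailer.example; dmarc=fail header.from=shop.example")
FORGED = sample("mx.attacker.example; spf=pass smtp.mailfrom=b@shop.example;"
                " dkim=pass header.d=shop.example; dmarc=pass header.from=shop.example")

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("bulk", BULK), ("forged", FORGED)):
        print(name, check_message(raw))
```

The `BULK` sample is the third-party bulk sender case: SPF and DKIM both pass, but for the mailer's domain rather than the From domain, so the message is reported as suspect.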
Old 25 Mar 2018, 05:37 AM   #3
TenFour
Master of the @
 
Join Date: Feb 2017
Location: USA
Posts: 1,722
Nothing much to add other than the obvious note that there is a problem when using top-level domain names (TLDs) other than .com, .net, or .org, which can lead to this type of issue where some organization inadvertently (or even the person who owns the address) uses the domain name with .com without thinking. Not sure if that is part of the problem or not. My guess is some sort of phishing attempt going on.
TenFour is offline   Reply With Quote
Old 23 Mar 2022, 09:56 AM   #4
JeremyNicoll
Essential Contributor
 
Join Date: Dec 2017
Location: Scotland
Posts: 484
Quote:
Originally Posted by ao1 View Post

I also checked the login log on both accounts, and the only IPs that accessed it were my home, my workplace and my wife's iPhone.
Is your wife's iPhone the only device that's portable? Has it been out of the house in the last couple of weeks?

Are any of your devices portable?

Are you both ultra-careful to keep devices locked, if, e.g., they're in offices or other public spaces?

Has anyone other than you & your wife been in your house?
JeremyNicoll is offline   Reply With Quote
Old 23 Mar 2022, 10:08 AM   #5
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,926
Quote:
Originally Posted by JeremyNicoll View Post
Is your wife's iPhone the only device that's portable?...
Did you notice that the original posts were made four years ago? A new EMD member brought up this old thread with a stray comment, which is a bit suspicious. The original poster hasn't made a post here in EMD in about two years, so I doubt they are reading your comments about this old topic.
n5bb is offline   Reply With Quote
Old 23 Mar 2022, 11:07 AM   #6
JeremyNicoll
Essential Contributor
 
Join Date: Dec 2017
Location: Scotland
Posts: 484
Quote:
Originally Posted by n5bb View Post
Did you notice that the original posts were made four years ago? A new EMD member brought up this old thread with a stray comment, which is a bit suspicious. The original poster hasn't made a post here in EMD in about two years, so I doubt they are reading your comments about this old topic.
Rats! No, I didn't notice - I just saw the "22 Mar" part of the date on the posts and thought - since I've not been here for a few days - that this was a new thread.

I agree about the single post from a new member - I usually regard all such posts as likely signs of a spammer.
JeremyNicoll is offline   Reply With Quote
Old 23 Mar 2022, 03:17 PM   #7
FredOnline
The "e" in e-mail
 
Join Date: Apr 2011
Location: Manchester UK
Posts: 2,616
Quote:
Originally Posted by n5bb View Post
Did you notice that the original posts were made four years ago? A new EMD member brought up this old thread with a stray comment, which is a bit suspicious.
Yes, this always rings an alarm bell for me, they usually turn out to be spammers.

The exception, of course, is one particular long-term forum member who has a penchant for resurrecting old and sometimes bizarre threads, that have absolutely no connection with the fine art of e-mail.
FredOnline is offline   Reply With Quote
Old 20 Jul 2022, 07:35 AM   #8
Bamb0
Master of the @
 
Join Date: Feb 2005
Location: USA
Posts: 1,871
Quote:
Originally posted by n5bb
Did you notice that the original posts were made four years ago? A new EMD member brought up this old thread with a stray comment, which is a bit suspicious.
Yes it IS somewhat suspicious........

Last edited by Bamb0 : 20 Jul 2022 at 10:11 AM.
Bamb0 is offline   Reply With Quote
Old 21 Jul 2022, 08:07 AM   #9
SideshowBob
Essential Contributor
 
Join Date: Jan 2017
Posts: 278
KeylaLewis is clearly the same person.
SideshowBob is offline   Reply With Quote
Old 26 Jul 2022, 05:40 AM   #10
ao1
Essential Contributor
 
Join Date: Oct 2003
Posts: 327
Quote:
Originally Posted by n5bb View Post
The original poster hasn't made a post here in EMD in about two years, so I doubt they are reading your comments about this old topic.
Didn't have much to say...
ao1 is offline   Reply With Quote
Old 26 Jul 2022, 08:22 AM   #11
Bamb0
Master of the @
 
Join Date: Feb 2005
Location: USA
Posts: 1,871
No, they usually don't
Bamb0 is offline   Reply With Quote
Old 26 Jul 2022, 12:25 PM   #12
ao1
Essential Contributor
 
Join Date: Oct 2003
Posts: 327
Quote:
Originally Posted by Bamb0 View Post
No, they usually don't
They? The Illuminati?
ao1 is offline   Reply With Quote
Old 26 Jul 2022, 02:01 PM   #13
BritTim
The "e" in e-mail
 
Join Date: May 2003
Location: mostly in Thailand
Posts: 3,090
Quote:
Originally Posted by ao1 View Post
They? The Illuminati?
I think it was intended as the modern singular use of the word "they", meaning the poster. Apparently, the use of "he" or "she" can induce rage in the person referenced if you happen to have guessed their gender incorrectly. I wish this innovation had not appeared, as it causes confusion in communications quite often.
BritTim is offline   Reply With Quote
Old 26 Jul 2022, 02:15 PM   #14
ao1
Essential Contributor
 
Join Date: Oct 2003
Posts: 327
Quote:
Originally Posted by BritTim View Post
I think it was intended as the modern singular use of the word "they", meaning the poster. Apparently, the use of "he" or "she" can induce rage in the person referenced if you happen to have guessed their gender incorrectly. I wish this innovation had not appeared, as it causes confusion in communications quite often.
I was kidding, given who the poster is
ao1 is offline   Reply With Quote
Old 26 Jul 2022, 08:48 PM   #15
Bamb0
Master of the @
 
Join Date: Feb 2005
Location: USA
Posts: 1,871
I'm sorry if I caused any confusion
Bamb0 is offline   Reply With Quote
All times are GMT +9.

 
