I received a notification last night that someone changed my shipping address on Macys.com and when I visited the website, there was an open order for a PS5 with delivery to:

DONT IEPN 203 W PITTSBURGH AVE WILDWOOD CREST NJ 08260

After logging into Macy’s I got 43 emails at once to seven different services like “Excalidraw” and “Sportograf” trying to login using a magic link.

At this point was was pretty nervous so I checked my main email security. Sure enough, there have been repeated login attempts under my account going on every few minutes for weeks.

I also saw there was an attempted login to my cellphone or home internet company.

I use 2FA, authenticators, etc. Basically what else should I be doing? Is there any way to be more preventative? I really don’t wanna chuck this email but it is possible that may be the safest recourse. I do use this email for almost 300 different accounts to various things though.

  • protist@mander.xyz
    link
    fedilink
    English
    arrow-up
    7
    arrow-down
    1
    ·
    3 months ago

    I use 2FA, authenticators, etc.

    If this is the case, how did you not know these login attempts were happening? Shouldn’t you get a ping when a login is attempted and can decline it if it’s unauthorized?

    • Gointhefridge@lemm.eeOP
      link
      fedilink
      arrow-up
      4
      ·
      3 months ago

      I viewed the recent activity in my account. I did not receive any notifications of failed logins in the last 8 weeks its been going on. I assume because I use 2FA and the password is just wrong it doesn’t bother cause of the frequency it happens.

      • protist@mander.xyz
        link
        fedilink
        English
        arrow-up
        4
        ·
        3 months ago

        You are correct, my bad. Seems like you can have some confidence that your email is secure, at least

    • communism@lemmy.ml
      link
      fedilink
      arrow-up
      2
      ·
      3 months ago

      If you use something like Aegis (which works offline) you just decrypt your database every time you want to log in and copy the 2FA code from the app. It doesn’t ping you because it generates codes offline, i.e. it’s not connected to whatever service you’re using 2FA with.