Tell HN: PayPal scam email sent to my MyFitnessPal email address
15 points by nathanaldensr on April 26, 2022 | 6 comments
In 2018, MyFitnessPal had a data breach[1]. Just now, I got an email sent to me claiming to be a PayPal transaction with a giant Cancel the Payment button. I use Fastmail as an email provider with a unique email address for each account I sign up for. This scam email was sent to my MyFitnessPal email address. Of course, the scammers know I didn't authorize this [fake] transaction and really badly want me to click that gigantic Cancel button. Don't click it! Clicking it leads to a fake PayPal authentication screen where they will steal your credentials if you enter them.

Scam email: https://imgur.com/a/1hqQVyy

Fake PayPal authentication website: https://imgur.com/a/yqoiEXW

Oftentimes, data acquired from breaches is not used immediately. Sometimes it can take months or years for the data to be sold to criminals that then organize scams such as this one. I wanted to let HN know about this just in case anyone else has or had a MyFitnessPal account and criminals have decided to mass-email all the stolen email addresses.

[1] https://content.myfitnesspal.com/security-information/notice.html
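An added example, not part of the original post: one way to automate the check the post describes, flagging mail whose sender names a different brand than the per-service address it arrived at. It assumes a `serviceName@domain` catch-all scheme; `example.net`, the function names and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

CATCHALL_DOMAIN = "example.net"  # assumption: custom domain with a *@ catch-all alias


def _squash(text):
    """Lowercase and drop everything except letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def recipient_alias(msg, domain=CATCHALL_DOMAIN):
    """Return the local part (service name) of the first recipient on our domain."""
    fields = (msg.get_all("Delivered-To") or []) + (msg.get_all("To") or [])
    for _, addr in getaddresses(fields):
        local, _, dom = addr.rpartition("@")
        if local and dom.lower() == domain:
            return local.lower()
    return None


def classify(raw, domain=CATCHALL_DOMAIN):
    """Return (verdict, alias); verdict is 'no-alias', 'match' or 'mismatch'."""
    msg = message_from_string(raw)
    alias = recipient_alias(msg, domain)
    if alias is None:
        return "no-alias", None
    name, addr = parseaddr(msg.get("From", ""))
    sender = _squash(name) + " " + _squash(addr.rpartition("@")[2])
    # 'match' only means the sender names the service that owns the alias;
    # it is not proof the mail is genuine, since display names can be forged.
    if _squash(alias) in sender:
        return "match", alias
    # Sender claims to be someone else: the alias names where the address leaked.
    return "mismatch", alias


# Constructed sample messages (not taken from the thread's screenshots).
SCAM = ("From: PayPal Service <service@billing-notice.example>\n"
        "To: myfitnesspal@example.net\n"
        "Subject: Your payment has been processed\n\nCancel the Payment\n")
GENUINE = ("From: MyFitnessPal <no-reply@myfitnesspal.com>\n"
           "To: myfitnesspal@example.net\n"
           "Subject: Weekly summary\n\nHello\n")

if __name__ == "__main__":
    for raw in (SCAM, GENUINE):
        print(classify(raw))
```

A `mismatch` verdict is a strong phishing signal and its alias points at the service whose address list was exposed.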



Thanks for the heads up. I've been seeing an increase recently in more realistic and well-done scam emails. I have gotten a couple of convincing-looking ones from PayPal in the recent past. I get around this by always going directly to the website to log in and make sure my account isn't locked or has a concerning message from their support team.


Tangent: is it possible to create on-the-fly email addresses on Fastmail?


Not OP, but I've recently adopted that idea too. It works if you use a custom domain and set up an alias for *@<domain>. Then you can both send and receive from any addresses you come up with.


This is what I do with Fastmail. I've got a couple of domains that I use for emails, so I set a catchall and use serviceName@domain.tld


Yes, besides the solution which dalmo3 wrote about, there's a recent feature that doesn't rely on you providing a domain: https://www.fastmail.help/hc/en-us/articles/4406536368911-Ma...


Can you tell what domain/service the scam email originated from?



