
Tell HN: PayPal scam email sent to my MyFitnessPal email address

15 points | nathanaldensr | 3 years ago

In 2018, MyFitnessPal had a data breach[1]. Just now, I got an email sent to me claiming to be a PayPal transaction with a giant Cancel the Payment button. I use Fastmail as an email provider with a unique email address for each account I sign up for. This scam email was sent to my MyFitnessPal email address. Of course, the scammers know I didn't authorize this [fake] transaction and really badly want me to click that gigantic Cancel button. Don't click it! Clicking it leads to a fake PayPal authentication screen where they will steal your credentials if you enter them.

Scam email: https://imgur.com/a/1hqQVyy

Fake PayPal authentication website: https://imgur.com/a/yqoiEXW

Oftentimes, data acquired from breaches is not used immediately. Sometimes it can take months or years for the data to be sold to criminals that then organize scams such as this one. I wanted to let HN know about this just in case anyone else has or had a MyFitnessPal account and criminals have decided to mass-email all the stolen email addresses.

[1] https://content.myfitnesspal.com/security-information/notice.html

6 comments

FeaturelessBug | 3 years ago
Thanks for the heads-up. I've been seeing an increase recently in more realistic and well-done scam emails. I have gotten a couple of convincing-looking ones from "PayPal" in the recent past. I get around this by always going directly to the website to log in and make sure my account isn't locked or has a concerning message from their support team.
huevosabio | 3 years ago
Tangent: is it possible to create on-the-fly email addresses on Fastmail?
dalmo3 | 3 years ago
Not OP, but I've recently adopted that idea too. It works if you use a custom domain and set up an alias for *@<domain>. Then you can both send and receive from any addresses you come up with.
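The per-service alias scheme the OP and dalmo3 describe is useful beyond privacy: when a message claiming to be from one service arrives at the address handed out only to another, the alias itself tells you which account leaked and that the sender is impersonating someone. The script below is an added example, not code from the OP, the commenters, Fastmail or PayPal. It assumes a hypothetical catch-all domain `example.com` with a constructed alias-to-service map, and it parses a constructed raw message modelled on the post (a "PayPal" notice delivered to the MyFitnessPal alias) to report which alias received it, the real sender domain, and whether the claimed identity matches the alias.

```python
import email
from email import policy
from email.utils import getaddresses, parseaddr

# Assumption: the mailbox owner runs a custom domain with a catch-all (*@domain)
# alias, as described in the thread, and hands out one local-part per service.
CATCHALL_DOMAIN = "example.com"
ALIAS_TO_SERVICE = {  # constructed mapping, not anyone's real aliases
    "myfitnesspal": "MyFitnessPal",
    "paypal": "PayPal",
    "news-site": "Some news site",
}

# Constructed raw message modelled on the post's description: a notice posing
# as PayPal that landed on the alias given only to MyFitnessPal.
SAMPLE_MESSAGE = """\
Delivered-To: myfitnesspal@example.com
From: "PayPal" <service@not-paypal.invalid>
To: myfitnesspal@example.com
Subject: You sent a payment of 499.00 USD
Content-Type: text/plain

If you did not authorize this transaction, cancel it here: http://phish.invalid/cancel
"""


def recipient_aliases(msg):
    """Local-parts of every recipient address at the catch-all domain, deduplicated."""
    raw_headers = []
    for name in ("delivered-to", "x-original-to", "to", "cc"):
        raw_headers.extend(str(h) for h in msg.get_all(name, []))
    found = []
    for _, addr in getaddresses(raw_headers):
        local, sep, domain = addr.rpartition("@")
        if sep and domain.lower() == CATCHALL_DOMAIN:
            alias = local.lower()
            if alias not in found:
                found.append(alias)
    return found


def sender_domain(msg):
    """Domain of the From address, which mail clients usually hide behind the display name."""
    _, addr = parseaddr(str(msg.get("from", "")))
    return addr.rpartition("@")[2].lower()


def claimed_service(msg):
    """Which known service the display name or subject claims to be, if any."""
    name, _ = parseaddr(str(msg.get("from", "")))
    haystack = f"{name} {msg.get('subject', '')}".lower()
    for service in ALIAS_TO_SERVICE.values():
        if service.lower() in haystack:
            return service
    return None


def attribute(raw_message):
    """Tie a message back to the service whose alias received it and flag impersonation."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    aliases = recipient_aliases(msg)
    delivered_via = [ALIAS_TO_SERVICE.get(a, f"unknown alias '{a}'") for a in aliases]
    claims = claimed_service(msg)
    # A genuine notice from service X would arrive on the alias handed to X;
    # anything else means the address was obtained elsewhere (e.g. a breach).
    mismatch = claims is not None and claims not in delivered_via
    return {
        "delivered_via": delivered_via,
        "from_domain": sender_domain(msg),
        "claims_to_be": claims,
        "mismatch": mismatch,
    }


if __name__ == "__main__":
    result = attribute(SAMPLE_MESSAGE)
    for key, value in result.items():
        print(f"{key:14} {value}")
    if result["mismatch"]:
        print("-> alias handed to", result["delivered_via"],
              "is being used by a sender posing as", result["claims_to_be"])
```

Run it against a raw message saved from your mail client (most offer "show original" or "download .eml"). The Delivered-To and X-Original-To headers are checked first because the visible To header can be anything the sender chooses, while those are stamped by the receiving server.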
wildrhythms | 3 years ago
Can you tell what domain/service the scam email originated from?