When Two-Factor Authentication Is Not Enough
This is why this email was such a surprise. Like the poor quality mailing lists mentioned above, it didn’t require a confirmed opt-in: the change would go ahead by default, and we had to reply to say that we didn’t want the contact email address changed.
This means that a forged source address was sufficient. Even though the attacker couldn’t read email sent to hostmaster@fastmail.fm, they didn’t need to. All they needed was for us to not read it, or not to reply before the change went through.
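To make the difference concrete, here is a small model of the two confirmation flows as an added example (not Gandi’s or FastMail’s code). The “opt-out” flow applies a contact change unless the current contact objects, so a forged sender address plus an unread mailbox is enough; the “opt-in” flow applies it only when someone replies with an unguessable token that was mailed to the current contact, which a sender-forging attacker never sees. The attacker address and the simulated mailboxes are constructed for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

VICTIM = "hostmaster@fastmail.fm"
ATTACKER = "attacker@example.invalid"   # constructed address for the example


@dataclass
class PendingChange:
    claimed_sender: str   # From: address on the request; trivially forgeable
    new_contact: str
    token: str = ""       # only used by the opt-in flow


class Registrar:
    """Toy registrar holding one domain's contact address."""

    def __init__(self, current_contact: str):
        self.current_contact = current_contact
        self.pending: Optional[PendingChange] = None
        self.outbox: list[tuple[str, str]] = []   # (recipient, body) of mail "sent"

    # --- vulnerable flow: silence is consent -------------------------------
    def request_change_opt_out(self, claimed_sender: str, new_contact: str) -> bool:
        # The only check is the From: address, which the attacker chose.
        if claimed_sender != self.current_contact:
            return False
        self.pending = PendingChange(claimed_sender, new_contact)
        self.outbox.append((self.current_contact,
                            "Reply within 48h if you do NOT want this change"))
        return True

    def close_objection_window(self, objection_received: bool) -> None:
        # No objection in time -> the change is applied.
        if self.pending and not objection_received:
            self.current_contact = self.pending.new_contact
        self.pending = None

    # --- hardened flow: explicit confirmation with a secret token -----------
    def request_change_opt_in(self, claimed_sender: str, new_contact: str) -> None:
        # The token goes to the *current* contact, never to the requester.
        token = secrets.token_urlsafe(32)
        self.pending = PendingChange(claimed_sender, new_contact, token)
        self.outbox.append((self.current_contact, f"CONFIRM {token}"))

    def confirm(self, token: str) -> bool:
        if self.pending and secrets.compare_digest(token, self.pending.token):
            self.current_contact = self.pending.new_contact
            self.pending = None
            return True
        return False


def mail_for(registrar: Registrar, recipient: str) -> list[str]:
    """What a given mailbox owner can read from the registrar's outbox."""
    return [body for to, body in registrar.outbox if to == recipient]


def attack_opt_out(victim_reads_mail: bool) -> str:
    """Attacker forges From: VICTIM; returns the contact address afterwards."""
    reg = Registrar(VICTIM)
    reg.request_change_opt_out(claimed_sender=VICTIM, new_contact=ATTACKER)
    # The victim only objects if they actually read the notice.
    objected = victim_reads_mail and bool(mail_for(reg, VICTIM))
    reg.close_objection_window(objection_received=objected)
    return reg.current_contact


def attack_opt_in() -> str:
    """Same forged request against the opt-in flow; attacker can only guess."""
    reg = Registrar(VICTIM)
    reg.request_change_opt_in(claimed_sender=VICTIM, new_contact=ATTACKER)
    assert mail_for(reg, ATTACKER) == []          # token never reaches the attacker
    reg.confirm(secrets.token_urlsafe(32))         # blind guess, fails
    return reg.current_contact


def legitimate_opt_in(new_contact: str) -> str:
    """The real contact reads the token from their own mailbox and confirms."""
    reg = Registrar(VICTIM)
    reg.request_change_opt_in(claimed_sender=VICTIM, new_contact=new_contact)
    token = mail_for(reg, VICTIM)[0].split()[1]
    reg.confirm(token)
    return reg.current_contact


if __name__ == "__main__":
    print("opt-out, victim away:", attack_opt_out(victim_reads_mail=False))
    print("opt-out, victim replies:", attack_opt_out(victim_reads_mail=True))
    print("opt-in, forged request:", attack_opt_in())
```

The opt-out flow is only as strong as the victim’s attention; the opt-in flow is only as strong as the token, which is why the token must be long, random, compared in constant time, and delivered solely to the address that is about to lose control.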
To Gandi’s credit, they responded very quickly to our “NO, DON’T CHANGE IT” email, and locked our account to stop any further shenanigans while they investigated and collected more documents from us.