Fraudulent account set up using one of my non apple email addresses

Just a couple of points:

• A person cannot create an Apple ID without verifying a code sent to that email address, so they would need access to your email account to retrieve that code.
• Yes Temu is problematic and you can expect many phishing attempts to that email address used. I assume you did not use the same password on that site that you have used previously for another service. If so, that other service may be in jeopardy. I would also recommend to never provide TEMU any financial information.

susannah37 wrote:

This is the point that I’ve spoken to Apple about because there is no way my email address has been hacked, I can find no evidence of this. I believe they set up an account using my email address as the secondary and then swopped them round using security questions rather than email validation. This is a gaping hole in Apple’s security.

I used an Apple generated strong password for Temu.

Even setting up a secondary email address requires a validation email:

About your Apple Account email addresses - Apple Support

There is not a way to bypass this email validation, such as answering security questions. Users are instructed to just check their junk mail, resend code, or contact your email provider.

If you didn’t receive your verification or reset email - Apple Support

Glad you used a separate password for your TEMU account, I would still be wary of any financial accounts being entered.

Sorry I could not be more helpful. You may want to check if that email address has been leaked in any of the known data breaches. I understand the hesitancy of wanting to enter your email address into a site when you are already concerned about it, but this site has been used by many people for a very long time. If your email provider pops up there or any site where you happened to use the same password, then there is the answer.

https://haveibeenpwned.com

It is not unusual for an email provider to reuse an email address after the original owner closes the account. Someone may have used that email as an Apple ID before the provider reissued it to you.

The good news is that it will not be tied to your Apple ID at all, but you will not be able to access the Apple ID that uses your personal email address to make any changes.

For example, I can have an email account at me@xyz.com and create an Apple ID with it and then can close my email account with that provider and continue to use it as an Apple ID. There is no requirement that the Apple ID email address must remain active. You then request the same email at me@xyz.com from your email provider and it is now available, You won't be able to access the Apple ID that used it previously or even create your own Apple ID using that email address.

If you could access that account it would be a huge security failure. Think about it in reverse, if you changed email providers and someone scooped up your previous address and had access to your Apple ID that used it.