Hmmm..... I just got this email today, Big question for me is how did they identify this for my account?

Logging in from an unusual IP address range perhaps?

RunningMan:

 

Logging in from an unusual IP address range perhaps?

 

Would use of a VPN be considered unusual?

A bit more detail, the email from them contained an account number that started with 38xxxxxx, I emailed back asking how they identified the suspicious activity -  their reply email quoted a totally different account number in the subject line 27xxxxxxx and my actual account number starts with 22xxxxxx (from my bill), something strange is going on with 2D when they can't correctly associate account numbers with email addresses.

Not one different IP for one account but if you see multiple accounts being accessed from one IP or a small range of IP addresses, in very short time, then alarms should ring.

I don't think we will know how they identified these, because it is easy to learn how to do it if you know how they found out.

I'm not a 2Degrees customer.  Do they support any sort of sensible 2FA (TOTP at least, if not FIDO2)?  If they don't then they would, IMO, deserve a little bit of blame for not allowing customers to have that extra layer of protection.