Fraudulent order on my account
A warning and asking if this is happening to anyone else. On Tuesday, 8/29/17, I received a phone call from Apple, phone number 512-674-2000, asking me to confirm my order of a MacBook Pro. The caller read out my Apple ID and the last four digits of my credit card number. I told him I had not ordered the MacBook. He said he was cancelling the order and recommended I change password and cancel the credit card. I asked him what about the order had indicated that it might be fraudulent but he wouldn't say. I confirmed on my bank app that there was a charge from Apple Store for over $2,500. I did change my password right away and canceled the credit card. When I later checked the Gmail account used with my Apple account, I found an acknowledgement email for the Apple order. And I was being flooded with hundreds of messages saying that I had subscribed to a wide variety of mailing lists and retail web sites and Wordpress sites. The flood has slowed but still continues several days later. No other suspicious activity on my credit card account. I have two-factor authentication turned on. My Apple account is not shared with anyone else. At all times, my phone and my iPad have been in my possession.
Then last night I received an email saying that I had changed my billing address. I had not changed it. I went to my Apple account and there was no apparent change. I changed the password again.
Every time I changed my password, the two-factor authentication was activated and worked as intended. How did these people place this order without triggering the two-factor authentication? What's the point of all the email subscriptions? It just seems to be calling attention to the fact that I'm the target of a hack. And what's the explanation for the address change notice? Presumably, the hackers want the MacBook delivered to them and not to my home. But how are they getting into my account with triggering a warning to my other devices?