Can i view exact IP / location from which someone tried to sync my profile ?
So, i've just received an email that someone "signed in to my account with Firefox 18 on 2016-06-23 15:18 UTC" Can i get info which IP/location was used while doing so ? I've already changed my password, but knowing that emails come with some delay and all you need is just a few seconds to sync all your passwords id say its a pretty bad thing..
Eminye Imininingwane Yohlelo
- Citrix Online App Detector Plugin
- NPRuntime Script Plug-in Library for Java(TM) Deploy
- Next Generation Java Plug-in 11.25.2 for Mozilla browsers
- Shockwave Flash 21.0 r0
- I-ejenti Engumsebenzisi: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
I've called the big guys to help you. Right now, change All of your passwords Everywhere. Also, confirm your e-mail address at those sites just in case.
That's strange. The Sync system changed in 2014 when Firefox 29 was released, and Firefox 18 shouldn't be able to connect to it.
Perhaps the device did not identify itself honestly and is actually running Firefox 29 or newer.
Or perhaps this message refers to a web login?
Or... could it be a phishing message? Can you detect anything suspicious about the links in the message?
here is entire message source: x-store-info:J++/JTCzmObr++wNraA4Pa4f5Xd6uensWQjutc4PB1BMbh5SZmWvZ70i1lWkYdt0DrxE+ovew//zUDQo9zq0ht8DBiByMVbF19w9CwT6WM4qPW0YJ3qGk2oz4i5SJeb58O8z1SneS8A= Authentication-Results: hotmail.com; spf=pass (sender IP is 220.127.116.11; identity alignment result is fail and alignment mode is relaxed) email@example.com; dkim=pass (identity alignment result is pass and alignment mode is relaxed) header.d=firefox.com; x-hmca=pass firstname.lastname@example.org X-SID-PRA: email@example.com X-AUTH-Result: PASS X-SID-Result: PASS X-Message-Status: n:n X-Message-Delivery: Vj0xLjE7dXM9MDtsPTE7YT0xO0Q9MTtHRD0xO1NDTD0w X-Message-Info: NhFq/7gR1vRwaSZwDIomdtH61ngqAz2tQIJh5cBSqeJPKy6DBE4hg8toFIO0/06SxyKCPgQSEC+QDKaxfjtVDwWUvsOg9znUXhR9JzLs9YEYsYRCS+dBe3gN6wAv9fX1NUCPiuOCtPrIZONmf/ywaj/ECqWUsyZBQt2Z5AWq9i+II9s6yv6PwbxtQHq8ylaDTzf2lh4+Be0Yj30CaLdnN9d/I1gwElLziTNmYV8qIGO9hMQNaW/5Ng== Received: from a27-83.smtp-out.us-west-2.amazonses.com ([18.104.22.168]) by COL004-MC5F23.hotmail.com over TLS secured channel with Microsoft SMTPSVC(7.5.7601.23143); Thu, 23 Jun 2016 08:18:09 -0700 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=6ujb3doj4mwbngmp2xjutilwl4zbdio3; d=firefox.com; t=1466695087; h=Date:Message-Id:From:To:Subject:Content-Type:MIME-Version; bh=4tZOI5IcIJH6KzuihozeMA2mRiGeX0f33OqP00JWvEQ=; b=U1FY935Tju9bVHueEijnMqjSI0Gv5WVCSLnTD+H4uow7hwyFf9xEv1Vt7WT3j8fN iB/twgDrYj+l1dCqvMgpg0/tVDky8udiGhHvw62kBuPhQ5Kk3iiel8Qhl7ZO5L0HQog pDelB8Fvtox0Or8OksG1x+xzOI42SaHRDoErrnkc= DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=gdwg2y3kokkkj5a55z2ilkup5wp5hhxx; d=amazonses.com; t=1466695087; h=Date:Message-Id:From:To:Subject:Content-Type:MIME-Version:Feedback-ID; bh=4tZOI5IcIJH6KzuihozeMA2mRiGeX0f33OqP00JWvEQ=; b=lXB7ldM2ttEo1Rekv0AapBZqJNlioSiskpkbvYDquHZS58hsFweC254htjLbmQvL Z+1ccqxI1zAHgtvJ1VYeaTNpWiiTr6E4KmPCTWw9abAbDaNk2hJfE38JOsTB0I11sgw T0zr5QV8Truu/w0aCWV90aMhu4dFUAR8PXl2ipUA= X-Mailer: Nodemailer (0.7.1; +http://github.com/andris9/nodemailer;
Date: Thu, 23 Jun 2016 15:18:07 +0000 Message-ID: <firstname.lastname@example.org> Content-Language: en X-Link: https://accounts.firefox.com/settings/change_password?email=<myemailhere> From: "Firefox Accounts" <email@example.com> To: <myemailhere> Subject: New sign-in to Firefox Content-Type: multipart/alternative;
MIME-Version: 1.0 X-SES-Outgoing: 2016.06.23-22.214.171.124 Feedback-ID: 1.us-west-2.9obwqSuHxAmNPKpejVDo3cEAmnSHOVLO3+B/64gdyXQ=:AmazonSES Return-Path: firstname.lastname@example.org X-OriginalArrivalTime: 23 Jun 2016 15:18:09.0276 (UTC) FILETIME=[73252BC0:01D1CD62]
Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable
New sign-in to Firefox
Firefox 18 2016-06-23 15:18 UTC
This is an automated email; if you didn't add a new device to your = Firefox Account, you should change your password immediately at = https://accounts.firefox.com/settings/change=5Fpassword=3Femail=3D<myemailhere>. For more information, please visit https://support.mozilla.= org/kb/im-having-problems-with-my-firefox-account
Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: quoted-printable
<meta =="" charset="3DUTF-8=22" content="3D=22text/html;" http-equiv="3D=22Content-Type=22"> <title>Firefox Accounts</title>
New sign-in to Firefox
This is an automated email; if you did not authorize this action, = then '''=22 style=3D=22color: #0095dd; = text-decoration: none; font-family: sans-serif;=22>please change your = password. For more information, please visit Mozilla Support.
Mozilla. 331 E Evelyn Ave,=
Mountain View, CA 94041
The link looks legit. Still hard to understand that the other device identified itself as Firefox 18. ??
well, that was the reason why i've asked is there any chance to get IP/location of the device which tried to log in.. because it looks all legit to me as well...
I don't know. If you didn't already get that information in the email, it might not be publicly available. What I mean is, it might only be logged on the web server and not recorded in the account interface anywhere.
Hi Scr34mik, Firefox Accounts developer here. I'm sorry to say, it sounds like there most likely was an unauthorized access on your account - unfortunately we see these from time to time if e.g. your account password is re-used on other websites that have suffered a data breach .
I see that you've already changed your account password, which is great. If you stored other passwords in Firefox Sync, I would recommend changing those passwords as well as described in .
In terms of learning what IP accessed your account, we can dig into the server logs if you file a bug at  and let us know the email address used on the account. Since it's sensitive log information, we'll need to discuss it in a private bug rather than on the support forum.
We're also working on making such information more easily accessible, by including it in the "new sign-in" notification email directly, and by providing a simple dashboard where you can review the security history of your account. We hope to have this features shipping soon.
 https://blog.mozilla.org/services/2016/04/09/stolen-passwords-used-to-break-into-firefox-accounts/  https://support.mozilla.org/en-US/kb/password-manager-remember-delete-change-and-import#w_viewing-and-deleting-passwords  https://bugzilla.mozilla.org/enter_bug.cgi?product=Cloud%20Services&component=Server:%20Firefox%20Accounts
Hello rfkelly, thank you for posting an answer. I've created a new bug report with number 1283084.
Id also like to add that Mozilla need to add 2 step verification with mobile phone to each sign in to firefox sync...
We are indeed working on adding 2FA, in two stages. The first will be simply an email confirmation loop where you need to click a link to confirm each new signin to sync. Once we have that flow working well and in a backwards-compatible manner, we will move towards adding additional methods of verification such as via mobile.