Probably not, but…
Delivery has failed to these recipients or groups:
fo3mYnOuj2E1HXM@google.com
The format of the email address isn’t correct. A correct address looks like this: someone@example.com. Please check the recipient’s email address and try to resend the message.
Does this mean I’ve been hacked? I changed my Google password after the second one but this arrived today.
It’s extremely unlikely that you’ve been hacked.
What you’re seeing, believe it or not, is just run-of-the-mill spam. You can safely ignore it and/or mark it as spam.
Let me explain what I think is happening.
Become a Patron of Ask Leo! and go ad-free!
Unexpected bounces
Spammers use your email address, so error messages bounce back to you even though you’re not the one who pressed Send. It’s a spam thing called from spoofing, and it doesn’t mean you’ve been hacked. Just mark spam as spam, keep a strong password, add two-factor authorization, and relax. There’s nothing else you can do.
Mail you didn’t send
Spammers often use a technique called from spoofing to send email that looks like it came from someone it did not come from. It’s easy to craft an email with a fake “From:” address.
From: Ask Leo! <leo@askleo.com>
To: you@youremailprovider
Subject: Dear Valid Shortlisted Beneficiary, You Have Money!
…
That made-up example looks like it came from me — except I had nothing at all to do with it. Nothing. My account was not hacked. My account wasn’t even involved. My email provider was not involved. I was not involved.
A spammer can just fake it.
And there’s nothing you or I can do about it.1
Related
Someone’s Sending From My Email Address! How Do I Stop Them?
Email spoofing is rampant. Spammers can send email that looks like it came from you, and there's little that you can do about it.#1887
Bounces to mail you didn’t send
So when spammers send email that looks like it came from you to email addresses that are invalid, guess who gets the bounce message?
You do.
You didn’t send the message, but you get the bounce. It’s annoying. But again, there’s nothing you can do about it.
Why would they send spam to invalid email addresses?
It does raise the question: why are spammers sending to bad email addresses?
I have two theories.
One is that they’re using a shotgun approach. They don’t have a list of known good email addresses to work from, so they’re just making up email addresses and sending out messages. Particularly on a large service like Gmail, <something>@gmail.com is likely to work often enough if you keep guessing millions and millions of possible “<something>”. And each guess costs the spammer nothing. Some will work, some will fail. Some will bounce. Some will bounce to you.
The other is that they’re trying to reach you. You did get the bounce, and the bounce message came from Gmail. Email from the Gmail system is less likely to be filtered as spam, so it stands a higher chance of getting to you. Your curiosity might be piqued, and you might look at the original message — the spam. And you might even act on it, which is the goal.
Of the two, my money’s on the first one. And, of course, there could be other possibilities.
The tiny chance
There’s a tiny chance your account has been compromised and the spammer is sending spam from it directly. I say tiny because generally there would be other signs of compromise: messages in your sent folder, notifications that you signed in somewhere, and more.
Changing your password is great. Adding two-factor authentication virtually eliminates this as a possibility.
And, of course, if it continues after a password change, it’s even more unlikely that your account was involved at all.
Do this
Mark spam as spam and move on.
Seriously, there’s nothing at all you can do about this, as annoying as it is. There’s no need to worry. Keep your account secure, of course, and use two-factor authentication if available, but beyond that, mark spam as spam.
If you’d like actual email from me, subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
Podcast audio
Footnotes & References
1: Technically, setting up spam-fighting techniques like SPF, DKIM, and DMARC should reduce that email’s ability to make it to your inbox, but it does nothing to prevent the spammer from trying.
I would recommend using a suitable password and enabling a 2FA (FIDO2) key from Yubico to ensure that no one can access your Google Workspace account. There are other ways to block email “spoofing,” which may not be routinely used by “consumer” email accounts at Google. But if your Google Workspace account is used for your business or professional purposes, you should also implement SPF, DKIM, and DMARC records in your DNS zone file. There are several services that can assist you in setting this up, as it can be somewhat complex. I use my paid MXToolbox account for this purpose.