Yep, thats the blogpost from the owner of haveibeenpwnd regarding the email OP received.

OP, it seems like you have or had malware on one or more of your devices that has been logging all of your credentials to any services you signed into on the infected devices with the email address provided in the screenshot you shared.

we’re talking about the logs created by malware running on infected machines. You know that game cheat you downloaded? Or that crack for the pirated software product? Or the video of your colleague doing something that sounded crazy but you thought you’d better download and run that executable program showing it just to be sure? That’s just a few different ways you end up with malware on your machine that then watches what you’re doing and logs it.

These logs all came from the same person and each time the poor bloke visited a website and logged in, the malware snared the URL, his email address and his password.

I would suggest running a malware scan on devices you use to log in with that email.

On a secure device, you should change the passwords for each service that you use that email with.

If 2FA is already enabled on any of these accounts, then it should be safe and I would ensure the device is not infected before changing the passwords or else the passwords will be stolen again when you sign in on the infected device.

It is likely any other accounts that were signed into on the infected device have had their credentials stolen too, you may not have those email addresses set up to receive this notification. Also you should notify anyone else who has used the infected device that their credentials were likely stolen too.

You can check if other emails have been comprised using https://haveibeenpwned.com/ and you can also check if passwords have been comprised there too.

You should be able to kind of do both through android settings

Settings -> Apps -> YourApp -> Mobile data usage -> Allow Network access and Mobile Data

For VPN you’ll need to add a VPN and then Settings -> Network and Internet -> VPN -> YourVPN -> Always on VPN and Block Connections without VPN. This blocks all apps. There is 2 issues with this though, Blocking connections will block split tunneling connections set up through VPNs and also potentially this depending on the apps you’re using https://mullvad.net/en/blog/dns-traffic-can-leak-outside-the-vpn-tunnel-on-android

https://www.businessinsider.com/mark-zuckerberg-facebook-execs-decrypt-rival-apps-usage-snap-youtube-2024-3

This is a ‘man-in-the-middle approach,’" the email said.

Yep, this article has more details about it

https://github.com/mozilla-mobile/fenix/issues/417 it was requested back in 2019 for Firefox and is listed as a known issue on Mull https://divestos.org/pages/broken#mull it seems like Mozilla has no interest in implementing it. If you’re rooted you should be able to access the file though

For android, Google uses Firebase Cloud Messaging, basically a server that pings the phone when a notification for an app is available, which wakes the app up to receive the notification. There are alternatives but they need to be adopted by app devs for them to work.

For people running a degoogled android, they’ll notice most apps won’t receive any notifications until they open the apps since most apps rely on Google Play Services to receive a ping from FCM.

I don’t have any google play services so most of my apps don’t give me push notifications but I do have WhatsApp installed and that still receives notifications, they’re sometimes delayed by a few minutes which makes me think Meta have their own implementation/alternative to FCM but I’m not sure.

For Signal, their servers tell Googles FCM servers that you have notifications waiting on Signals servers and to wake up your Signal app so it can communicate with Signals servers to receive your messages.

WhatsApp and Signal claim/have end-end encryption on their messages but that shouldn’t matter when specifically looking at Googles FCM servers so, at most it would be meta data that could be obtained from the FCM servers.

https://jami.net/unifiedpush/ has a pretty basic explanation of push notifications on android and also showcases an alternative to FCM https://unifiedpush.org/ which has a nice little diagram about push notifications on android. Unfortunately, Unifiedpush is not widely adopted by many applications.

So there are ways to avoid Googles FCM servers on android using Unifiedpush or always having the application on in the background but for the most part FCM is used.