So quick recap. I got an email saying a new iphone 5 has logged in to my imessage account. Problem is, I don't own an iphone, I don't know what imessage is, and the email in the salutation isn't mine. The account has someone else's name and contact information, someone from Finland, but MY EMAIL ADDRESS as the verified account.
I've gone through the find my apple id, and all the info is right when I log in that way, using MY EMAIL ADDRESS for the recovery. When I log in with the apple id it emailed me, I get my stuff in English. When I use my email address as the apple id, nothing is right.
So after I got home, I did some more digging. I found out how to at least "disable" the account even though I couldn't permanently delete it.
Going through itunes, yes I had to install it, I could see that person's information. Not all of it, but some of it. Name, address etc. Same stuff I could see via the apple site.
More checking between the two accounts, I note that my email apple ID is verified, my other one is not. But both accounts have the same email address. Ok, I'll verify it on the account where everything is in English. Only the site won't let me. It's already been verified elsewhere and in use.
The best I can figure out, Apple is using email addresses as their primary keys for the accounts now. Something they were not doing when I first signed up in 2005. Since I first signed up they are verifying accounts as well. Once verified that becomes another account key, secondary, or primary in a second table. The problem is, someone not me was able to get my address listed as their verified address and their account.
I ended up un-associated MY ADDRESS With the account, and sent it off in to never land. I hope they have good luck getting their information and account back. I've verified my email address, and have now set it as my account name, with a 30 character password. I'd turn on two factor auth, but I don't own an apple device and that's required.
So the short version of the story. Someone got their Apple account associated with my email address. Claimed my address as their own and got it verified somehow. I got a notification when they used a new phone to log in to the account. Took control of the account, because they had used my email address, de-associated the account with my email address, and then made sure that my account was verified with my email address.