Today I received an e-mail stating that my Apple accounts surname has been changed: Two characters have been added to my original surname. What I thought was a fake e-mail turns out to be valid: my surname was actually changed as I verified on my device in the iOS settings. Again, no login attempt was being reported to me and I was not asked for a 2FA code on my phone (the only Apple device I own). I could change my surname back without problems.
All accounts have 2FA via TOTP. All accounts have their own unique-randomly generated passwords. I specifically don't have SMS 2FA enabled because I know that SIM-swapping is a thing. I checked Have I Been Pwned without any results. I store all my passwords in a self-hosted Vaultwarden which is in itself 2FA protected. I use the browser extensions in Firefox and Edge as well as the Windows and iOS Bitwarden App from the respective official stores. My mails are hosted on a smaller-but-known mail provider from Switzerland (not Protonmail). The amount of e-mails I received for my domain matches the amount of e-mails that are being reported in the admin interface of the e-mail provider for that domain on that day, so I think it's unlikely that someone quickly deleted e-mails. The MX-DNS records for my domain are fine and are also protected behind 2FA.
I know the usual advice is to rotate my passwords which I will do, but I do not know which of my devices I can trust currently. The question begging me more though is: why would someone append two characters to my surname and why is nothing "happening" with my data? No financial transactions that I don't know about (I checked), no ransomware encrypted anything on my devices, I didn't lose access to any account.