1. your company owns example.com
2. someone signs up to supabase with alice@example.com
3. you receive the confirmation email somehow (which probably isn't important)
a. either the email address is valid,
b. it is delivered some catch-all mailbox
4. you email supabase support notifying them that someone is signing up with an address that your company controls
Is that right? If so, I don't think this is some kind of vital security event. The confirmation email won't be delivered to the purported bad actor, so the account won't verify.
It really depends what's being done with their services during the trial period by someone claiming to be example.com!
(I have no way to know what's possible, or what the spoof accounts are doing - I've never registered with them! Just trying to give a courtesy heads up so they can take a look at bad actors on their platform...)
You can't use the services until you confirm the account via email. When you sign up, you provide and email address, and the you're presented with this:
"You've successfully signed up. Please check your email to confirm your account before signing in to the Supabase dashboard. The confirmation link expires in 10 minutes."
If you attempt to sign in before verifying, you'll see:
"Account has not been verified, please check the link sent to your email"
So nothing is going to happen. This is probably a bot probing for accounts. The system is operating as intended. No cause for concern.
----
One more bit: when you receive the initial account email, you'll find a note at the bottom confirming the intention:
"If you didn't request for this, you can safely ignore this email."
