I tried to log in to Apple Developer Connection this morning to find out that my password had been changed and the email associated with my account was now a yahoo.com address that wasn't mine. Luckily, my "security question" was still the same, so I was able to reset the password and email address back.
Based on the emails that have appeared in my .Mac mailbox, this was accomplished by sending this classy one-liner to Apple:
am forget my password of mac,did you give me password on new email marko.[redacted]@yahoo.com
To which Apple reacted by doing the only reasonable thing – saying Sir, Yes Sir! and handing my account over. Here's the email I just sent Apple:
Dear ADC,
You have reset my password based on a request by someone other than me. Rather than checking if the requester was actually me by comparing the information in their personal profile, you have allowed a third party access to my Apple ID for no reason whatsoever.
I tried to log in today and saw that my password had been changed, and the email address associated with my account changed to "marko.[redacted]@yahoo.com".
Apparently based on a single-line email inquiry, you have allowed a third party access to:
- My personal details
- My personal email
- All the files stored on my iDisk
- Everything I've synchronized to .Mac, including my Address Book, Bookmarks, Keychain items, etc.
- My credit card details as stored in my Apple Store profile
- My iTunes Music Store Account
- My ADC Premier membership, including the software seed key and other assets
- The iPhone Developer Program's Program Portal, including details of our development team
Frankly, this makes me so angry that I can't see straight. Did it not occur to you at all that someone at "marko.[redacted]@yahoo.com" was not actually me? For example, because the names didn't match?
Can you even begin to appreciate the amount of work I need to do to re-secure all the information that you have compromised? How do you propose to restore confidence that I, or indeed anyone, should ever store anything confidential on your systems again?
With best regards,
Marko Karppinen
Update: A few hours after posting this, a team lead from Apple Developer Connection's European support organization called me, apologized for the mess, and assured me that they don't normally operate this way. He promised to find out if Apple can determine, based on their logs, where and how my Apple ID was used in between the password reset and myself discovering all this about 12 hours later. I know that my .Mac mail was accessed, but luckily I don't use it for anything other than ADC-related communications. In fact, I'd be home free if it wasn't for .Mac Sync and some old, unencrypted backups on my iDisk (I've since then smartened up and my backups are now encrypted). I hope the logs will allow Apple to confirm that these services were not accessed by the third party.
Update 2: So it's soon 48 hours after the password reset, but no further contact from Apple. Perhaps I should let them know that, so far, 65 000 people have seen this and many might be wondering how Apple will end up handling the case?
Update 3: How Apple replied to the password reset request and other clarifications.
Unbelievable! I've seen this posted to Digg, delicious, and reddit. I don't know the appropriate Apple forums.
I hope you post their response. My wife has .mac, and I'd hate for this to happen to her.
It's amazing that someone can bypass all security procedures of a popular and trusted system like Apple .mac with this poor social engineering attack...
I hope you will restore confidentiality of your data soon.
It sounds like quite a blunder. However, I wanted to point out that the keychain items are all encrypted just as they would be if someone gained access to your own computer. So even with access to your .mac account, no one can gain access to the keychain items without that password. It doesn't excuse Apple's blunder, but it does mean the most damaging security breach is kept under wraps.
I think I'm going to try to compromise my friend's .Mac just to see if I can.
I once had my Apple ID locked, which made logging in to authorize my iTunes tracks quite difficult.
After some inquiry, I discovered the reason it was locked is because there were too many failed attempts against it. Strangely, this lock didn't preclude me from accessing my .mac email, just from logging into iTunes.
A password reset later and I was fine, but that's a pretty obnoxious reason to completely lock down an account.
This really doesn't make a lot of sense. In order to send a password reset request, you either need to give birthdate information and the answer to the security question, or if you didn't know that, you would have to supply the web order number, activation key, etc in a form...
What I don't understand is how this random "email" request would even arrive at the person who can possibly reset .Mac passwords, and then successfully do so.
What email address did he send to?
Matthew, apparently the person used the web form at http://developer.apple.com/contact/ to request the password reset.
Wow... you would think you would have at least gotten a notice in email of the change, and maybe even needed to confirm it. It's scary that the amount and importance of the data we have online is increasing exponentially while the ability to protect it is not. Not to bash Apple but their core competency is not security, it's making cool products.
Hope everything turns out well for you and maybe Apple learns a lesson.
Hate to say this but I sure am glad I gave up .Mac a while ago. I am really disturbed to hear that this insane thing could even happen. Best of luck!
How are you seeing these emails that show what the person asked? Also, your ADC account is only tied to your AppleID, there's no way for ADC to reset it. The only way to reset your AppleID is to reset it through iforgot.apple.com. It seems much more likely that someone guessed your security information and reset it there.
kraken08, apparently the person used the web form at http://developer.apple.com/contact/ to request the password reset. He entered my Apple ID in the email field, which is why I got the copy of Apple's response in my .Mac mailbox. The temporary (reset) password went to the yahoo.com address.
As you see from the form I linked to, there is a subject option of "Reset password". ADC support does have the ability to reset Apple ID passwords.
Hi Marko,
This is an old problem, I have suffered it myself and believe it was the route through which I had a credit card number stolen some months ago; I work in security and use my card rarely online, and suffered a debit to the card a few days after the password to my AppleID was stolen.
My theory is that either they got the number from Apple, or they used the Apple information to fill in gaps in information from elsewhere.
I wrote my experiences up at http://www.crypticide.com/dropsafe/article/1875 and http://www.crypticide.com/dropsafe/article/2087 (including a pointer on how to protect yourself from this) - and posted in the first URL a walk-through of the password recovery problem.
If Apple are going to MobileMe off the same system, it would make sense to beef this security up...
- alec
The link you gave doesn't show that ADC support has "power" to reset Apple ID passwords. It only shows that one can use the contact box to request the password be reset. I believe you (or someone pretending to be you) would still need to reset it yourself.
I agree with Kraken08: anyone trying to change your Apple ID would have to have gone through iforgot.apple or, as Matthew Yohe points out, give detailed account info. Which means that somebody would have had to have at least some of your personal info before this happened. In the habit of posting your birthdate around? Perhaps your security question was far too easy to guess the answer to?
And what do you mean the email associated with your account was changed to the yahoo address? The only email address would be your apple id wouldn't it?
bleu_heavens, I have posted a new entry with the actual Apple response to the password change request. I didn't think it necessary at first, but clearly a lot of people wanted further clarification about the incident.
But to answer your direct questions, an Apple ID can specify an email address other than the .Mac mailbox. If one is specified, that's where the password reset emails will go to. As to my security question and answer, it's an arbitrary challenge/response pair that nobody would guess.
2 years late on this thread, but the same thing just happened to me. What I really don't get is that I never received any type of confirmation email from Apple when they changed my email address to their new account. Every major site I use does this, but not Apple, and it's really disturbing.
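A defender-side sketch of the reset policy the comments above argue for (reset mail goes only to the address already on file, the requester's identity is checked, and a change of that address is confirmed with the old address first). This is an added example, not code from the post or from Apple's systems; the account fields, function names and sample data are constructed.

```python
import hmac
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Account:
    apple_id: str
    name: str
    contact_email: str              # the only address reset mail may go to
    security_answer: str
    audit: list = field(default_factory=list)

@dataclass
class ResetRequest:
    apple_id: str
    claimed_name: str
    deliver_to: str                 # address the requester asks the reset be sent to
    security_answer: Optional[str] = None

def handle_reset(acct: Account, req: ResetRequest) -> dict:
    """Decide a support-desk reset request. A request that names another
    delivery address, a non-matching name, or a missing/wrong challenge
    answer is refused and logged instead of being acted on."""
    if req.deliver_to.lower() != acct.contact_email.lower():
        acct.audit.append(f"refused reset: asked delivery to {req.deliver_to}")
        return {"ok": False, "reason": "delivery address not on file"}
    if req.claimed_name.strip().lower() != acct.name.strip().lower():
        acct.audit.append(f"refused reset: name mismatch '{req.claimed_name}'")
        return {"ok": False, "reason": "name mismatch"}
    if req.security_answer is None or not hmac.compare_digest(
            req.security_answer, acct.security_answer):
        acct.audit.append("refused reset: challenge failed")
        return {"ok": False, "reason": "challenge failed"}
    acct.audit.append(f"reset token mailed to {acct.contact_email}")
    return {"ok": True, "sent_to": acct.contact_email}

def change_contact_email(acct: Account, new_email: str, confirmed_by_old: bool) -> bool:
    """Changing the reset address is itself sensitive: the old address is
    notified, and the change is applied only once it has confirmed."""
    acct.audit.append(f"notice to {acct.contact_email}: change requested to {new_email}")
    if not confirmed_by_old:
        return False
    acct.contact_email = new_email
    return True

# Constructed sample mirroring the incident: a one-line request asking for the
# password to be sent to an unrelated address, with no challenge answer given.
owner = Account("owner@mac.example", "Account Owner", "owner@mac.example", "arbitrary-secret")
stranger = ResetRequest("owner@mac.example", "marko", "someone@yahoo.example", None)
```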
just google it.
a lot of password recovery tools support Windows OS.
http://password-genius.com
I think apple should have a better online technical support because if they will not fix simple issues like this one, it will affect their credibility.