This article originally appeared in TidBITS on 2012-05-02 at 12:26 p.m.
The permanent URL for this article is: http://tidbits.com/article/12977

Apple ID Horror Story

by Chris Owen

[Adam here. Chris Owen sent me this tale of woe as evidence that there are issues with the iTunes account security changes that I wrote about in “Apple Extends iTunes Account Security, Confuses Users [1]” (26 April 2012). What I find more perturbing, though, is that Apple IDs have become far more important than in the past, thanks to iCloud’s deep integration with Mac OS X for essential data like email, events, and contacts. Obviously, Apple has a vested interest in making sure iCloud services work properly, but since they’re largely provided for free (with payments only for iTunes Match and additional storage), Apple isn’t offering easily accessed technical support. After you read Chris’s story, think about how you might be affected if your iCloud account information were to be corrupted or deleted.]

I had heard anecdotally that some people had been having issues with Apple’s recent security upgrade for iTunes accounts, but it’s hard to know what to make of such reports until you experience the problems yourself. And, sadly, I can now understand what others have gone through.

One morning last week, I went to my Mac to find two separate email messages, both sent at 2:00 AM, saying that changes had been made to my Apple ID. Keep in mind that these came out of the blue — I had not been asked the new security questions or had to provide a secondary email address. The first message said that my billing address and credit card had been changed. The second said my Apple ID and email address had been changed. Needless to say (or I wouldn’t be writing this report), I had made no changes to my billing address and credit card information, as the first message claimed. The second message was even more confusing, since as far as I’m aware, it’s impossible to change an Apple ID, much as it would be nice if Apple would allow us to merge them.

[image link] [2]

[image link] [3]

It was 8:00 AM when I saw these messages, meaning that there had been at least 6 hours in between the time the messages were triggered and when I sat down at my Mac. Fearing that my account had been compromised, I tried to log in to my iTunes account, and was unable to do so. After resetting my password, I was finally able to log in successfully, and while I was still somewhat concerned about my account having been compromised, I figured that changing the password would at least prevent any more problems from occurring. Little did I know…

At 8:00 PM that same night, I received another email message from the iTunes Store, this time a receipt for a $40 iTunes gift certificate that I had supposedly purchased. Again, I had done no such thing, and oddly, the address (my address) on the receipt was in San Diego, even though I live in Wichita, Kansas, and have a billing address of Garden City, KS. But this wasn’t a simple matter of someone trying to buy an iTunes gift certificate with my credit card, since the receipt said the order was charged to my American Express card. I haven’t had an American Express card in years. Strangest of all was the description of the gift certificate itself, which read: “Gift certificate for foobar” (where “foobar” was actually my former Apple ID password). That’s right, Apple had somehow inserted my former password into the description field. Cue the Twilight Zone music.

[image link] [4]

Before logging in to my iTunes account, I checked a few other Apple services and couldn’t get into any of them. So I once again reset my password and logged in to iTunes. This time it appeared that I had a brand new account — it knew my email address was owenc@hubris.net, but everything else acted as though I’d never logged in before. My iTunes Store history was empty. Although iTunes said I had iOS app updates pending, when I tried to get them, I was told “You can’t update this app because you’ve never purchased it,” and the same thing happened when I tried to use the App Store app on my iPhone to download updates. I hopped over to the Web and tried to log in to my Apple developer account, only to find that I could no longer access any of the developer-specific iOS resources, and worse, all my iOS app provisioning data was missing. Lastly, I checked for updates to apps I had purchased in the Mac App Store, and received the same error as in the iOS App Store. But it also said something to the effect of “These apps are in your owenc1@hubris.net account. Log in there to update them.” I’ve never had such an account with Apple, and owenc1@hubris.net isn’t even a valid email address.

Despite these cascading failures, the one thing that continued to work was iCloud on my iPhone. When I checked into why, I saw that my iCloud settings had somehow been changed to use that phantom owenc1@hubris.net address — at no point did I ever update my iCloud settings on the iPhone or enter owenc1@hubris.net anywhere. Nor had I entered a new password for iCloud on the iPhone, even though I’d changed my Apple ID password twice in the past 12 hours. Even now, I have no idea how Apple could have changed iCloud settings on my iPhone remotely. Luckily, I don’t rely on iCloud for calendaring or email; there’s no telling what havoc would have been played with my day if my events or email had become confused.

Clearly, it was time to get help, but that was much easier said than done. As far as I can tell, there is no way to contact Apple about an Apple ID problem. After a few hours, I figured out that I could use Apple’s Express Lane [5] service to open an iTunes Store-related trouble ticket. Unfortunately, this ultimately led me to a blank page, and only after several unsuccessful attempts did I think of using a Web browser other than Safari, and doing that — ironically — enabled me to file a report at about 9:30 PM.

At 2:00 PM the following day, I finally received an email response from Apple. Alas, it was simply a canned message that gave me a long list of ways I could avoid being tricked by phishing. Since that wasn’t my problem, I responded to the message, pointing this out. An hour or so later, though, Apple sent me yet another message saying that everything had been restored, and when I logged in to the iTunes Store, the Mac App Store, and my developer account, I did indeed once again have access to all my data. Apple provided no explanation for the problem, but at least everything was working as it had before.

[image link] [6]

[image link] [7]

All but one thing, that is. Remember how my iCloud account on my iPhone had been inexplicably changed to the owenc1@hubris.net address that doesn’t exist? Even after Apple restored my account data, iCloud on the iPhone retained that incorrect address and stopped working entirely. Since it apparently isn’t possible to change the Apple ID associated with iCloud on the iPhone, I was forced to delete my iCloud account entirely and set up a new one using the proper owenc@hubris.net address. Once I had done that, everything was again right in my Apple world.

If there’s a moral to the story, it’s that Apple has put all our eggs into a single Apple ID basket, and while we can watch that basket all we want, if Apple messes something up behind the scenes, we’re the ones left with egg on our faces and no obvious way to get help.

[1]: http://tidbits.com/article/12963
[2]: http://tidbits.com/resources/2012-05/AppleID-email-1.png
[3]: http://tidbits.com/resources/2012-05/AppleID-email-2.png
[4]: http://tidbits.com/resources/2012-05/AppleID-email-3.png
[5]: https://expresslane.apple.com/GetproductgroupList.do?PRKEYS=PF4
[6]: http://tidbits.com/resources/2012-05/AppleID-email-4.png
[7]: http://tidbits.com/resources/2012-05/AppleID-email-5.png