Apple ID Horror Story
[Adam here. Chris Owen sent me this tale of woe as evidence that there are issues with the iTunes account security changes that I wrote about in “Apple Extends iTunes Account Security, Confuses Users” (26 April 2012). What I find more perturbing, though, is that Apple IDs have become far more important than in the past, thanks to iCloud’s deep integration with Mac OS X for essential data like email, events, and contacts. Obviously, Apple has a vested interest in making sure iCloud services work properly, but since they’re largely provided for free (with payments only for iTunes Match and additional storage), Apple isn’t offering easily accessed technical support. After you read
Chris’s story, think about how you might be affected if your iCloud account information were to be corrupted or deleted.]
I had heard anecdotally that some people had been having issues with Apple’s recent security upgrade for iTunes accounts, but it’s hard to know what to make of such reports until you experience the problems yourself. And, sadly, I can now understand what others have gone through.
One morning last week, I went to my Mac to find two separate email messages, both sent at 2:00 AM, saying that changes had been made to my Apple ID. Keep in mind that these came out of the blue — I had not been asked the new security questions or had to provide a secondary email address. The first message said that my billing address and credit card had been changed. The second said my Apple ID and email address had been changed. Needless to say (or I wouldn’t be writing this report), I had made no changes to my billing address and credit card information, as the first message claimed. The second message was even more confusing, since as far as I’m aware, it’s impossible to change an Apple ID, much as it would be nice if Apple
would allow us to merge them.
It was 8:00 AM when I saw these messages, meaning that there had been at least 6 hours in between the time the messages were triggered and when I sat down at my Mac. Fearing that my account had been compromised, I tried to log in to my iTunes account, and was unable to do so. After resetting my password, I was finally able to log in
successfully, and while I was still somewhat concerned about my account having been compromised, I figured that changing the password would at least prevent any more problems from occurring. Little did I know…
At 8:00 PM that same night, I received another email message from the iTunes Store, this time a receipt for a $40 iTunes gift certificate that I had supposedly purchased. Again, I had done no such thing, and oddly, the address (my address) on the receipt was in San Diego, even though I live in Wichita, Kansas, and have a billing address of Garden City, KS. But this wasn’t a simple matter of someone trying to buy an iTunes gift certificate with my credit card, since the receipt said the order was charged to my American Express card. I haven’t had an American Express card in years. Strangest of all was the description of the gift certificate itself, which read: “Gift certificate for foobar” (where “foobar” was actually my
former Apple ID password). That’s right, Apple had somehow inserted my former password into the description field. Cue the Twilight Zone music.
Before logging in to my iTunes account, I checked a few other Apple services and couldn’t get into any of them. So I once again reset my password and logged in to iTunes. This time it appeared that I had a brand new account — it knew my email address was [email protected], but everything else acted as though I’d never logged in before. My iTunes Store history was empty. Although iTunes said I had iOS app updates pending, when I tried to get them, I was told “You can’t update this app because you’ve never purchased it,” and
the same thing happened when I tried to use the App Store app on my iPhone to download updates. I hopped over to the Web and tried to log in to my Apple developer account, only to find that I could no longer access any of the developer-specific iOS resources, and worse, all my iOS app provisioning data was missing. Lastly, I checked for updates to apps I had purchased in the Mac App Store, and received the same error as in the iOS App Store. But it also said something to the effect of “These apps are in your [email protected] account. Log in there to update them.” I’ve never had such an account with Apple, and [email protected] isn’t even a valid email address.
Despite these cascading failures, the one thing that continued to work was iCloud on my iPhone. When I checked into why, I saw that my iCloud settings had somehow been changed to use that phantom [email protected] address — at no point did I ever update my iCloud settings on the iPhone or enter [email protected] anywhere. Nor had I entered a new password for iCloud on the iPhone, even though I’d changed my Apple ID password twice in the past 12 hours. Even now, I have no idea how Apple could have changed iCloud settings on my iPhone remotely. Luckily, I don’t rely on iCloud for calendaring or email; there’s no telling what havoc would have been played with my day if my events or email had become confused.
Clearly, it was time to get help, but that was much easier said than done. As far as I can tell, there is no way to contact Apple about an Apple ID problem. After a few hours, I figured out that I could use Apple’s Express Lane service to open an iTunes Store-related trouble ticket. Unfortunately, this ultimately led me to a blank page, and only after several unsuccessful attempts did I think of using a Web browser other than Safari, and doing that — ironically — enabled me to file a report at about 9:30 PM.
At 2:00 PM the following day, I finally received an email response from Apple. Alas, it was simply a canned message that gave me a long list of ways I could avoid being tricked by phishing. Since that wasn’t my problem, I responded to the message, pointing this out. An hour or so later, though, Apple sent me yet another message saying that everything had been restored, and when I logged in to the iTunes Store, the Mac App Store, and my developer account, I did indeed once again have access to all my data. Apple provided no explanation for the problem, but at least everything was working as it had before.
All but one thing, that is. Remember how my iCloud account on my iPhone had been inexplicably changed to the [email protected] address that doesn’t exist? Even after Apple restored my account data, iCloud on the iPhone retained that incorrect address and stopped working entirely. Since it apparently isn’t possible to change the
Apple ID associated with iCloud on the iPhone, I was forced to delete my iCloud account entirely and set up a new one using the proper [email protected] address. Once I had done that, everything was again right in my Apple world.
If there’s a moral to the story, it’s that Apple has put all our eggs into a single Apple ID basket, and while we can watch that basket all we want, if Apple messes something up behind the scenes, we’re the ones left with egg on our faces and no obvious way to get help.
Same reason you don't have all your accounts at one bank. One hiccup and you no longer exist.
You guys are actually downplaying the risk a bit here.
1) From the $40 charge it sounds like someone was ripping you off and covering their tracks (hiding history so you wouldn't know what else / how much the extracted from your iTunes account).
2) Apple now uses Apple IDs for Mac login, BtMM, & screen sharing in Lion.
That means someone with whatever technique was used on your Apple ID could actually break into a Mac desktop/laptop too -- either locally or over the network.
This is bad news.
From the way Chris Owen described it, it really doesn't sound like his account was compromised so much as interleaved with someone else's account information temporarily. The $40 charge, for instance, not only had a different address, but used some other credit card, which shouldn't be possible (and wouldn't really be the point of phishing anyway).
And the whole thing is really inexplicable in some respects. For instance, where would that phantom address come from? A cracker wouldn't use it, since it couldn't receive email (and Chris runs an ISP, so he really knows what he's doing with this stuff).
My best guess is that Apple munged some data together and must have invented that email address when trying to figure out what they'd done. But that's certainly just a guess, and Apple wasn't saying more.
That is the scariest bit. There was an issue and after a mess and a bit of luck, it was fixed.
What caused it, could it happen again, how was it fixed,..... I could continue in this vein.
The scary is Apple's total silence on the issue.
no "the scariest bit" is that none of you recognized that the first emails were the phishing scam... and what is particularly comical is the comment "I could avoid being tricked by phishing. Since that wasn’t my problem"
when losing your password most of the time is a phishing scam,.. those first emails were probably the phishing scam. if not, then the person fell for the phishing scam months ago... there are whole databases in China with phished passwords, and they hand them out for people to buy on demand... many times the scam happened months before the person ever gets the first charge...
I get lots of legitimate email that doesn't include my name. This week, from Apple, "Dear iWork.com user."
But I see your point. People need to develop a better sense of good and scam email. Sometimes it's comically easy, but not always.
actually even it includes your name, if it is an email about changing some account info, or just logging in, don't click on the link, go to your browser book mark instead, always...
none of these companies should include links...
The first email messages were not phishing scams. For one, Chris Owen runs an ISP, so when he says he didn't fall prey to any such scheme, I'm highly inclined to believe him.
Second, and even more to the point, I went back in my email and confirmed that all the Account Info Change messages I have received from Apple in the last year start with just "Hello," and do not include my name.
"The scary is Apple's total silence on the issue."
Actually, the scary is Apple's continued arrogance and disdain to their customers.
On my iMac and iPad, my Apple ID continues to work, but on my MBP, it does not. Further, since it claims I have an upgrade pending that I can't get, I always have a 1 in the icon for the store (this is a SL machine). It is just this kind of horror story, and most particularly the difficulty (virtual impossibility) of getting problems like this fixed that has prevented me using iCloud for anything. I use fruux to sync my Address Book and Calendar and Dropbox for all other file syncing.
While I'm ranting here, I should mention that with the exception of Apple's web site and developer site, I avoid using any other Apple Web-based service for the same reason -- none of them do any glitch management, whereas Dropbox and fruux are quite responsive.
You should have had a clue when the initial e-mails did not include your name - just "hello"- It is possible you were directed to a fake web page and put your password info there - and started the ball rolling.
Never believe any e-mail from Apple - PayPal - ebay - your bank - or anyplace that does not include your name.
Actually, my legitimate email from Apple that arrived after I was forced to create the security questions didn't include my name either. I agree that you should never click on a link in an email, but you can't automatically say that the email can't be believed because it didn't have your name
in this case, the person fell for some phishing scam... most likely those emails were the phishing scam... and the person clicked on one of the links, don't even click on a link for a legit email.... ever... if it involves changing account info and such.
Again, I have multiple Account Info Change messages from Apple that start exactly the same way - "Hello," and no mention of my name. My email address (Apple ID) is always listed, of course.
Apple clearly needs a better system to resolve issues with Apple ID. Having the only method through Express Lane is pretty unsatisfactory. A link directly for Apple ID is NEEDED now. Speaking to a real person would be easier to explain a convoluted situation, rather than an e-mail that no one seems to read any way. As important as Apple ID is becoming, they better do something that is user friendly.
I have two Apple ID's, one is from my old MobileMe account and the other is my iTunes account that I use for any purchases. At first I wanted them combined and was disappointed that there is no way to do so. Now I think it is safer to have them distinct from one another. This works ok for a single user, but I imagine multiple family member type situations may be very difficult to manage.
Ditto. I use my original iTunes AppleID just for that. My Dot Mac AppleID is the one I use for Apple Discussions and Dot Mac/MobileMe/iCloud email. I was ranting because Apple could seem to be able to hire a programmer that knew how to merge databases. Now I wonder if they did hire someone who "enhanced" his resume and this problem is the result - a database merge gone awry.
if Apple messes something up behind the scenes, we’re the ones left with egg on our faces and no obvious way to get help.
there are literally dozens of people losing their passwords to phishing scams every single day, and every year twice a year or more, some article portrays Apple itunes as being "hacked" with stories of 30 people saying they had been hacked, well it isn't 30 people... it is 300 people every month or so... and the story and the people ALWAYS blame Apple, saying it "must" be an iTunes hack... when in fact in every single case, it is either phishing (90% of the time) or a PC with a virus/malware/keylogger on it....
NOT ONCE in the dozens of these articles that show up twice a year or more, was it the case that it was iTunes and or An Apple system that was hacked.. not once....
I would encourage you to read more closely. At no point in the article did the author suggest that Apple had been hacked, or even that his account had been hacked. Phishing was off the table for the reasons I've stated in previous comments.
The most logical conclusion is that Apple somehow interleaved data from multiple accounts, since that would account for the different address, the American Express card, and the lack of developer privileges. Utterly inexplicable still is the phantom email address that never existed.
Regardless of what happened, the piece is meant as a cautionary tale for people who rely on their Apple IDs to (a) be careful and (b) to think about what you'd do if your Apple ID-protected accounts were to become inaccessible. Plus, it points out that getting help from Apple for what has become a truly essential service can be difficult and time-consuming. It didn't happen in this case, but it's easy to imagine someone relying on iCloud for email, calendaring, and contacts, and ending up in a situation where they would be dead in the water for a day or two while some problem gets fixed. That may not be acceptable for some businesses, and they should be aware of that possibility.
Apple ID's - perplexing, apparently even to Apple. A year ago I found that the contact and billing information (real name, mailing address, phone number, and billing information) for one of my two Apple ID's had inexplicably changed from my own to that of someone of opposite gender whom I do not know, but who happens to live in the same town, although not quite in the same Zip code.
Had I kept notes I could regale you all with the gory details, but as I recall I was lucky enough to reach, without excessive delay, an exceptionally bright young woman at Apple. She was as mystified as I, yet still managed to sort things out within 24 hours.
Nice person. During the course of our conversations she was able to pull some strings and get me an exceptional discount on Adobe CS 5.5 (through Apple), so while I left the experience forever wary of the reliability of Apple's security underpinnings, I remained a happy-enough customer.
Now, reading this, and remembering that, leaves me firmly disinclined to entrust any of my LAN calendars to iCloud. Instead, I will keep the LAN as is, and continue to sync appointments -- which are especially handy to have on my iPhone, but less likely than to-dos to contain sensitive or mission-critical notes -- through Google Calendars and the Calengoo app.
No one, and certainly not Google, is infallible. Like everyone else, I hope that Apple will eventually get it exactly right, but their track record from iTools through .Mac and MobileMe would seem to suggest that it may take a while. So for now I'll continue to sync the really important stuff over my own LAN.
I've had 4 instances of phantom charges that appeared on my account. I, too, am very careful about phishing schemes and convinced that I was not a victim of phishing since I changed the password after every one and finally started another Apple ID. I cleared every other Apple ID I have and changed every password even if I haven't used that ID for years. I insured that only one (my computer) could download the purchase and those errant purchases would download just fine even though I didn't order them. But what drives me nuts, though, is that Apple immediately discounts any suggestion that it might have been something their system generated. Every time I spoke to them (finally!), they simply wiped out all my account information associated with that Apple ID. It was especially galling that they invalidated my credit card and refused to let me use it again when I set the account back up. I'm on my fourth and last credit card. Every other card I have has been invalidated
You are a patient man Adam.
My iTunes account was hacked even though I was never asked to contact them. All I ever did was sync a few downloads for two iPhones once. I don't buy music, books, etc on iTunes. First thing I knew was that I had some minor charges from Italy show up. Apple had me lengthen a short ID into a longer one with more restrictions on what was required. But I was definitely never phished. BTW, they quickly removed the charges.
Maybe a 2 step verification option should be made available, similar to gmail?
I'm skeptical that this was a phishing scam because at least one part of this has happened to me months and months ago -- and if it was related to phishing, well, they're running a poor operation because they haven't gotten any of my money yet.
At a certain point, my Apple ID was listed by apple as [current ID]1. That is, they added a 1 to my actual ID, just as described here. My memory's hazy on this point but it may have been right after switching my account to iCloud from MobileMe.
In any case, it took several login attempts and a reset and all kinds of nonsense to get functioning again. Combine that with the way Apple has handled this recent security question issue and as far as I'm concerned, they have a lot of work to make iCloud the best experience it can be. Given their history with online services, I'm not holding my breath.
(And I write this as someone who's used Macs for 20+ years and never bought a Windows machine in my life.)
I have also seen Apple IDs and usernames suddenly cease to work, either when entered programmatically or when pasted from PasswordWallet, but I have been assured that this is completely impossible and is never actually happening. The logical explanation is that the Macintosh is the world's first quantum computer and Apple IDs function like Schrödinger's cat.
For it seems that Apple fails to manage accounts. This is also true for the KeyChain utility of OS X. Although it is step forward, it blindly stores usernames and passwords. OS X lacks an online account manager, because an online account is used on several places of the OS. Currently, if one changes his password, he has to repeat this several times to update all the occurrences in the keychain. Account management also should be connected with cookie management.
If the quality of additional Apple secunity is evidenced by the choice of the 5 security questions, heaven help us. I know many highly qualified graduates who have never owned a car. And as for the juvenile questions about favourite teachers/colours/pets/etc, these are non starters for any mature adult. What idiot have Apple employed to dream up such rubbish? No wonder they have security problems. I won't be rushing to move from MobileMe to iCloud. Any chance of a reprieve?!
It sounds like moving to iCloud may be part of this problem. What can we do if we don't want to move to iCloud? If I do nothing come June whatevereth, what will happen? Will my phone and iPad just stop syncing to my laptop? Will I no longer be able to buy iPhone or iPad apps? Is there an alternative? I'm already so danged confused over apples IDs.
Apple has said nothing, but frankly, I think not moving would be a mistake. At best, Apple will migrate your MobileMe information to iCloud for you on June 30th. At worst, they'll just delete it. So you may as well move it manually first, while you can do so in a controlled fashion.
I've had four or five Apple IDs go bad since Apple started using the Web for customer contact. Result is condescension from arrogant young fans who imagine I'm a new user. Got my fat Mac right here, boys.
I received the exact same email that Chris Owen did saying that my billing address and/or Credit Card info had been changed. What should I do? I am not tech savvy and would most appreciate an answer in the most basic terms. Thank you for your help.
I think you should do exactly the same thing Chris did, in terms of changing your password and contacting Apple to see what they've done to you.
Last fall my Apple ID became co-mingled with that of another Apple customer. I never got any email about my account being changed. I found out something had gone badly wrong when I tried to update an app in the Mac App Store and it wouldn't take my password.
There was a $50 gift certificate as well as a $10 credit for the gift certificate in my account that was sent to someone I did not know. However, my credit card was never charged nor credited but the erroneous entries were never removed.
iTunes help was worse than useless. The AppleCare people did yeoman's work sorting it out but it took three weeks. The explanation was that it was an iTunes server error.
Until I deleted the information myself I had access to the name, phone number and security question/answer of the other Apple customer. Some of the credit card information was also accessible.
Just to voice my frustration with the Apple IDs. I have two - one for work and one for private use, but I long ago managed to associate my private address used with one of the Apple IDs with the credit card for work and vice versa, which was not really a big problem as long as I remembered to use my private address for company orders. I thought I should "fix" this and asked Apple if it was possible to "swap" e-mail addresses between two Apple IDs (because swapping the credit cards would not be helpful as I already had purchases belonging to both and the purchases cannot be swapped, I believe).
Apple told me it was impossible to "swap" e-mail addresses between two Apple IDs, but after thinking a while I realized that it could be done with a little extra work ... . So despite what Apple said, I managed to get everything just right in App Store, iTunes store, iCloud. BUT, now there is no way else than creating a third Apple ID in order to access the Apple Communities ... .
"The most logical conclusion is that Apple somehow interleaved data from multiple accounts, since that would account for the different address, the American Express card, and the lack of developer privileges. Utterly inexplicable still is the phantom email address that never existed."
I too recently experienced this interleaving problem, and loss of access. A similar charge was made to the other person's account, but I was the one notified in a typical iTunes purchase notice. The process by which I straightened everything out and regained access and control was remarkably similar as well. However, my "journey," once I found no help online, began with a physical visit to an Apple Store Genius Bar. APPLE HAS A SERIOUS PROBLEM SOMEWHERE IN THE APPLE ID AND/OR ITUNES STORE SOFTWARE!
What's a little scary about this is that if two people within the TidBITS community experienced the problem, that implies that it could be hitting quite a few people in general, given the hundreds of millions of people with Apple IDs and iTunes accounts.