User profile for user: Lukas
Lukas Author
User level: Level 3
780 points

How safe is an Apple ID?

+(Not sure which is the best forum to post this but here we go.)+

For many years I have been using a secret e-mail address as my Apple ID, which is known only to me and to Apple. I have NEVER used it as a general reply-to address. I'm using it only for logging into the Apple Store, this forums, the developer section and into the iTunes Store. And I have always been using one of my Macs to do so. The Macs are clean, no spyware, viruses, nada.
Additionally, a few times I have also used it as my contact address when I was on the phone with Apple Support (AppleCare in Irland). So the only e-mails I have received to this address they ALL came from Apple until now.

Well... Now how can it happen that all of a sudden I am receiving SPAM mails to this very address, which no one except of me and Apple should have ever known about?
Is Apple's database leaking or what?
You can imagine that it bothers me pretty much.
Has anyone had a similar experience?

MacBook Pro (2008 MATTE display), PowerBook G4/1.67/15, Mac OS X (10.5.6)

Posted on Feb 18, 2009 5:10 PM

Reply
7 replies
Sort By: 
User profile for user: Kurt Lang
Kurt Lang
User level: Level 9
64,976 points

Feb 18, 2009 5:46 PM in response to Lukas

It only takes one person that you've used the email for to share the information. Though it's highly unlikely Apple did any such thing on purpose. Someone also may have hacked into the support servers in Ireland and pulled a bunch of email account names.

Other than that, you could easily just be the target of a brute force mailing. A spammer finds out the name of a domain (such as apple.com) and then starts a blind mailing of millions of emails starting with a@apple.com, b@apple.com, and so on, incrementing out as many places as they want to try. They don't care how many bounce back as undeliverable. The ones that don't also tell them which ones are real and so gets those names on a list to get more junk.
Reply
User profile for user: Lukas
Lukas Author
User level: Level 3
780 points

Feb 19, 2009 4:00 AM in response to Kurt Lang

you could easily just be the target of a brute force mailing


Yes, having my own domain, I thought of that possibility, too.
That's why I wanted to check here if someone else has experienced a similar issue with their Apple ID or if it's just a coincidence.

By the way, I used to have a "catch-all" mailbox, but my hosting provider disabled that function few years ago exactly because of such spam attacks. Hence I had to enable about 150 forwarding addresses afterwards, because I have always used a dedicated address for each site or software I registered... 🙂

On the other hand, my other "login addresses" remain unspammed so far, with the exception of a macupdate.com registration few years ago which must have leaked apparently. (To be fair though, my subsequent registration at macupdate.com is still "safe" after three years, so it doesn't seem to be a general privacy issue with them.)
Reply
User profile for user: Kurt Lang
Kurt Lang
User level: Level 9
64,976 points

Feb 19, 2009 6:13 AM in response to Lukas

I used to have a "catch-all" mailbox, but my hosting provider disabled that function few years ago exactly because of such spam attacks.


Yes, you definitely don't want the catch-all set to "Save". They should always "Bounce", which is probably what your ISP did for you. Otherwise email that doesn't even have an existing name gets dumped into your real mail box.
Reply
User profile for user: Lukas
Lukas Author
User level: Level 3
780 points

Feb 19, 2009 6:46 AM in response to Kurt Lang

Not the ISP, but my hosting provider.
They actually removed the "catch-all" option from the mail server backline altogether while they were redesigning the admin control panel. In fact, I was even one of their volunteer beta testers then, so at first I loudly protested after I have noticed that they did... 🙂 But additionally they claimed that most of their customers supposedly never used it anyway. Hard to imagine when they advertise they are serving over 100,000 domain names, but what can a lone customer do...
Anyway, later I have accepted that it was probably a wise decision, given the upcoming amount of such attacks.

Message was edited by: Lukas (corrected a wrong expression)
Reply
User profile for user: Kurt Lang
Kurt Lang
User level: Level 9
64,976 points

Feb 19, 2009 7:06 AM in response to Lukas

Not the ISP, but my hosting provider.


Oh! Yes, my hosting provider does that too, though I can still change the catch-all setting if I want to. I don't know why anyone would want it on anything but bounce anyway. What your provider probably did was remove the ability for anyone to change the setting from anything but bounce.
Reply
User profile for user: Lukas
Lukas Author
User level: Level 3
780 points

Feb 19, 2009 7:22 AM in response to Kurt Lang

I don't know why anyone would want it on anything but bounce anyway.

Well, it was fun while it lasted. I could simply tell my clients to email me at anything you_want@mydomain.com. But yes, after the spammers found out that even sdjfbcrzsadned@my_domain.com doesn't get bounced, that's where the big trouble with catch-all starts.

Anyway, I have argumented that if none of their customers ever uses catch-all anyway, it wouldn't hurt them much if they would leave the option available for those few who might make good use of it. For instance if you have a domain without actually running a corresponding public web site, making it harder for the spammers to guess if such a domain exists in the first place.
But as I said above, what can a lone customer do...
Reply
User profile for user: Kurt Lang
Kurt Lang
User level: Level 9
64,976 points

Feb 19, 2009 8:45 AM in response to Lukas

what can a lone customer do...


Ah, I forgot about that. That's likely what happened, though not intentionally by a client.

If any of your clients use Windows, then there's a possibility that at some point, they received a virus that emailed itself back out, using one of the names in that person's address book. At one time, a virus must have randomly chosen your address and it got sent out that way as the spoofed sender.

There's various other ways it can happen, but in short, it's extremely difficult to keep a valid address hidden forever.
Reply

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.

How safe is an Apple ID?

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.
Learn more Sign up