Someone trying to hack my Apple password using security questions

I keep getting these emails every day, someone is clearly trying to hack my account:


“We were unable to reset the password for your Apple Account (xxx@gmail.com) because there were too many unsuccessful attempts to answer your security questions. To protect the security of your account, you will not be able to reset your password for the next eight hours.”


When I go into my Apple settings I see that I have 2 factor authentication enabled but I don’t see anything related to security questions. (I want to change them)


How exactly are these hackers trying to answer these security questions? Do I need to be concerned?

Posted on Dec 21, 2025 6:14 AM

Question marked as Top-ranking reply

Posted on Dec 21, 2025 12:34 PM

As I said before, if you are using two factor authentication then there are no security questions. If you set two factor it is impossible to then have security questions.


Bogus from scammers. They don't care if they got things right. They can send out an email to 100,000 people and if even 20 people try to sign into a fake "Apple" web page and reveal their account information, the scammers have won.


Read this document if you think your Apple Account has been compromised. --> If you think your Apple Account has been compromised - Apple Support


For iOS 15 or earlier, if you want to see if anyone else has access to your device or accounts, click here --> Checklist 1: Limit device and account access - Apple Support


For iOS 16 or later see how Safety Check on iPhone works to keep you safe. Safety Check for an iPhone with iOS 16 or later - Apple Support


Use the information in this document to check your Apple ID device list to find where you're signed in --> Check your Apple Account device list to find where you’re signed in - Apple Support


Related materials:

Personal Safety User Guide

Personal Safety User Guide - Apple Support

> open the Table of Contents and review the articles


A document with general information about security and your Apple ID --> Security and your Apple Account - Apple Support


Contact Apple for help with Apple ID account security. This page provides country-specific Apple Support contact information ➞ Contact Apple Support - Apple Support



Jan 14, 2026 10:44 AM in response to InformedBuyerR

I've reported the security loophole to Apple security services, let's see if they do anything about it.


The emails from Apple notifying me have not stopped, someone is still trying to answer security questions to reset the password despite having MFA enabled on the account. Clearly some hackers have found a loophole in their security apparatus! Maybe if others report it they will close the loophole. This is ridiculous!! Even MFA isn't safe anymore.

Jan 14, 2026 2:01 PM in response to Mac Jim ID

Your presumption is incorrect. The very fact that someone is able to attempt to answer my security questions is proof that the account is being actively hacked (this could be an attack using information from previously leaked security questions, much like passwords) but that Apple is allowing them to access it despite having MFA enabled is a problem with Apple's security system.


Also note that I’m not getting any 2 factor requests, which means someone has found a way around the Apple ecosystem of MFA to try and reset the password using security questions while bypassing MFA. If they are successful in doing so it will be a giant failure on the part of Apple because I’ve literally done everything I possibly can to secure my account and yet they have a loophole that someone is exploiting. The only saving grace is the Apple server is sending me emails to notify me of the failed attempts of these hackers to successfully answer my security questions (which I no longer have access to officially as I’ve turned on MFA). It’s only a matter of time until they find the right answers to my questions at which point I’m SOL and there’s nothing I can do to stop it.

Jan 15, 2026 7:12 AM in response to Mac Jim ID

Hi. Apologies for butting in at the end of this but I was looking for an answer as to why I am receiving the same emails.

I get at least one message a day as below ---->



Important information about your Apple Account password.


Dear xxxxxx,


We were unable to reset the password for your Apple Account (xxxxxx@yyyyy.com) because there were too many unsuccessful attempts to answer your security questions. To protect the security of your account, you will not be able to reset your password for the next eight hours.


If you didn’t make this change or if you believe an unauthorized person has accessed your account, go to iforgot.apple.com to reset your password as soon as possible. Then sign into your Apple Account page at https://account.apple.com to review and update your security settings.


Apple Support


Apple Account | Support | Privacy Policy

Copyright © 2026 Apple Distribution International, Hollyhill Industrial Estate, Hollyhill, Cork, Ireland. All rights reserved.


It is an account I have not used for years, have never set up 2FA on and never, to my knowledge, purchased anything on.


I can receive a PW reset email and set a PW on the account but when I attempt to reset the security questions I get the following message ---->


Cannot Reset Security Questions

We don’t have sufficient information to reset your security questions.


___________________________________________


The addresses all seem legitimate. Everything returns to/from Apple. There do not seem to be any weird delays or lag in reaching the pages etc.


It's just odd. I'd kill the account if I could but I can't get past the point where I am able to do that.


Anyway.


I hope this may provide a little more info for anybody else who has this issue.


Thanks :-)





Jan 18, 2026 7:28 AM in response to InformedBuyerR

Thanks for the reply.

I can get to the point where I get two options.

  • Reset password (this is possible),
  • Reset security questions (which returns the message: Cannot Reset Security Questions. We don’t have sufficient information to reset your security questions.)


Nothing else is possible.

Somewhat annoying and I am still getting the emails.


Dec 21, 2025 1:05 PM in response to InformedBuyerR

InformedBuyerR wrote:

I keep getting these emails every day, someone is clearly trying to hack my account:

“We were unable to reset the password for your Apple Account (xxx@gmail.com) because there were too many unsuccessful attempts to answer your security questions. To protect the security of your account, you will not be able to reset your password for the next eight hours.”

When I go into my Apple settings I see that I have 2 factor authentication enabled but I don’t see anything related to security questions. (I want to change them)

How exactly are these hackers trying to answer these security questions? Do I need to be concerned?


The only “hacking” happening here is social engineering; phishing.


They’re trying to hack you and your perceptions. Not your Apple Account. Your Apple Account is fine.


The hackers are trying to fool you into giving them access to your Apple Account credentials.


Delete the spam, and move on with the rest of your day.


PS: the sending email address can be forged, just as can the calling phone number, or the texting number for SMS.


More reading on common scams:


Recognizing Apple Pay Fraud Report Scams - Apple Community




Dec 22, 2025 3:53 AM in response to InformedBuyerR

You are getting responses from real people; Apple product users just like yourself. We are people sitting at home helping other users like ourselves. Since you are posing us with something that is factually impossible I recommend you contact Apple about this.


Refer to this page for Apple Support features ➔ Contact - Official Apple Support

Select from the presented options until you find a solution for your issue, or see if there is a chat or phone call contact method offered lower on the page under “Get more help” (you sometimes have to narrow down the options multiple times before this is shown). If you do not see your issue, keep experimenting with any series of selections until you reach one that offers a chat session or a telephone call and get the representative to redirect you. For chat, you can also try using the Apple Support App —> https://apps.apple.com/app/apple-support/id1130498044


This support article has various country telephone numbers for contacting Apple for support and service ➔ Contact Apple Support - Apple Support For some countries look under “Other” listing at the end of the list. Not every country has telephone support, and phone numbers may only work when calling from the same country.


Dec 22, 2025 8:22 AM in response to InformedBuyerR

InformedBuyerR wrote:

The email is valid and so is everything in the email. There’s nothing remotely wrong with the email. It’s coming from Apple's servers and the information is 100% accurate.

I am not saying it is not valid; my suspicion is that it is not exactly the same as your Apple Account or the location of where the email was sent. For example, if your Apple account is UserNameOI@xxx.com, these would look very similar, but none of them are the same as the original.

  • User.NameOI@xxx.com - dot separator easily missed
  • UserName0I@xxx.com - zero instead of capital "o"
  • UserNameOl@xxx.com - lower case "L" instead of uppercase "i"


That would indicate your Apple Account email address is being used as a Notification/Rescue email on that account. The Notification (or Rescue email account when not using 2FA) does not have to be another Apple Account. Also, if it is not the same email address, like the above examples, is it possible that you had used that variation long ago, before there was 2FA?


In any case since all we can do is speculate and don't have any account access to see what is going on, I would also recommend to contact Apple directly:

Contact Apple Support - Apple Support


And if you do have a security vulnerability to report, then that can be done here:

Report a security or privacy vulnerability - Apple Support
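
The look-alike comparison suggested in the reply above, as an added example that is not part of the original post: it compares the address shown in a notification with your own and reports whether it is the same, a near-identical variant, or unrelated. The confusable-character map is a small constructed set (an assumption) covering the three cases listed, and `UserNameOI@xxx.com` is the reply's own placeholder.

```python
import difflib

# Constructed confusable map covering the cases listed in the reply above:
# 0 vs O, and l / I / 1 (assumption: ASCII only, not exhaustive).
_CONFUSABLE = str.maketrans({"i": "l", "1": "l", "|": "l", "0": "o"})


def split_address(addr):
    """Split into (local part, lower-cased domain); reject malformed input."""
    local, sep, domain = addr.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {addr!r}")
    return local, domain.lower()


def skeleton(addr):
    """Collapse characters that are easy to misread into one canonical form."""
    local, domain = split_address(addr)
    # Dots in the local part are dropped because they are easy to overlook.
    local = local.lower().translate(_CONFUSABLE).replace(".", "")
    return f"{local}@{domain.translate(_CONFUSABLE)}"


def classify(own, seen):
    """Return 'same', 'lookalike' or 'different' for seen relative to own."""
    if own.strip().lower() == seen.strip().lower():
        return "same"
    if skeleton(own) == skeleton(seen):
        return "lookalike"
    return "different"


def differences(own, seen):
    """List the character-level edits that turn own into seen."""
    matcher = difflib.SequenceMatcher(None, own, seen, autojunk=False)
    return [(tag, own[i1:i2], seen[j1:j2])
            for tag, i1, i2, j1, j2 in matcher.get_opcodes() if tag != "equal"]


if __name__ == "__main__":
    own = "UserNameOI@xxx.com"
    for seen in ("User.NameOI@xxx.com", "UserName0I@xxx.com", "UserNameOl@xxx.com"):
        print(seen, classify(own, seen), differences(own, seen))
```

A "lookalike" result means the notification belongs to a different account that merely resembles yours, which is the situation the reply describes.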


Dec 22, 2025 10:43 AM in response to InformedBuyerR

InformedBuyerR wrote:

The email is valid and so is everything in the email. There’s nothing remotely wrong with the email. It’s coming from Apple's servers and the information is 100% accurate. I’ve been building IT systems for 30 years, including setting up and managing email and DNS servers and am more than familiar with email and DNS security protocols.

The only thing I’m not familiar with is Apple's security infrastructure. Somehow these folks are attempting to answer my “security questions” if I have 2 factor enabled? I’m not even getting any 2 factor auth requests. My suspicion is increasingly confirmed that these folks have found a backdoor into Apple's IDSMA infrastructure.


There are no security questions when two-factor authentication is enabled.


As for the message, I’d have to see the SMTP headers, and those can be spoofed.


If you are particularly concerned, switch to security keys. And I don’t think that's necessary here.


Alert fatigue is a thing too, and the perpetrators can use it to try to get their targets to make a mistake.

Dec 22, 2025 12:35 PM in response to MrHoffman

Happy to do that, here's the RAW information from the entire email envelope, I've only masked out my name, timezone and email address for privacy reasons. Everything else is exactly as it arrived. Do you see anything about this email or in the headers that tells you it's not coming from Apple's own servers? Also attaching Gmail's own security verification messages. There's nothing in here that's redirecting me to a different domain either, all links lead to apple.com (trademark of a phishing message or social engineering). There's a 5K character limit so I'm attaching the rest of the envelope in the text file.








Delivered-To: xxx@gmail.com
Received: by 2002:a05:6402:3059:b0:64d:7288:fc3b with SMTP id 25csp494528edi;
        Mon, 22 Dec 2025 06:02:48 -0800 (PST)
X-Google-Smtp-Source: AGHT+IGjhuXkuGOrmB75o+kYX9ChncXkbanVHeLOfS+z0FfW1gDx6Lqo4Pi5vWEmzGUvZM2owmrp
X-Received: by 2002:a05:6122:2a42:b0:55b:305b:4e25 with SMTP id 71dfb90a1353d-5615bec5246mr3664537e0c.17.1766412168151;
        Mon, 22 Dec 2025 06:02:48 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1766412168; cv=none;
        d=google.com; s=arc-20240605;
        b=i/JsNW+uQxIM+oHROuanJlnPwurgSMlUbXbqruJaVM6CimeVJSo8imt6087EM+Wl0h
         CW6/dHqQTgZZ/Oz0Cqd8G06bgiRgiqEA99QMhqiv4BAzUeeDM01CyBLwkO0hxsMktllQ
         RkoyMCVg00ENWMQcqF2sDVeTnO0u9eTVyOTtyIyrKqESeIng/DMn0ufxdoWW6TTgYKxp
         kuVtj4t6AFEYBdXw1Ll4hWT0isxX2VSqvOO8ONMqtzSGknCJqC7h+f5MNtQz7hE3zbda
         t/UW2xdNS/6VuY5+ZsLLlFLx9wSBlYAS3RDkobc5oNkLlAZNSVTvPo+/O7OGoFmFpRF/
         jP5g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605;
        h=mime-version:subject:message-id:to:reply-to:from:date
         :dkim-signature;
        bh=61ev6DAaFH+EXJM8gf6FisfbWrkfN1VxtvetFvliEzk=;
        fh=rr7IU5rTDFRkBwgWzYkWrcq+n1I1tnq9A+38fvOZyys=;
        b=KAFfoN7jFyfg9rUFYIvYAAeCNFErqBVgG7YiQ3QRrNJ1+3BGiXbtbCH0bJ8yiQVZQi
         xG04x5EJqDLmUltxXm5j8VG0lDYgcDYaiF8fMCIllcRhXMj/fb4N+VKrcKHAgFXtaOby
         4yJLFiNKglmjK2n1/74T0tN8Tq/NtpX3viq9sdUdkwdlHW0AWcclR5jBBDsMFDhZ7pcy
         SlRYgarPG70qMTFtn/KBm1vQH1k6UnrHn9upY0yaMlxYbG1dBNEWeSmYG4YYfs9zB/zw
         X6vwDo5VUWkvLR7TFZ74UU3nY0K23/KGUQdLMMKBrSdMqJGtYoSYMPiBA14RWgYyqexC
         bxOg==;
        dara=google.com
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@id.apple.com header.s=id0517 header.b="MA/ULrV8";
       spf=pass (google.com: domain of appleid@id.apple.com designates 17.23.6.81 as permitted sender) smtp.mailfrom=appleid@id.apple.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=id.apple.com
Return-Path: <appleid@id.apple.com>
Received: from st56p01nt-txnmsbadger002104.apple.com (st56p01nt-txnmsbadger002104.apple.com. [17.23.6.81])
        by mx.google.com with ESMTPS id af79cd13be357-8c096ffc91esi1071878985a.380.2025.12.22.06.02.47
        for <xxx@gmail.com>
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Mon, 22 Dec 2025 06:02:48 -0800 (PST)
Received-SPF: pass (google.com: domain of appleid@id.apple.com designates 17.23.6.81 as permitted sender) client-ip=17.23.6.81;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@id.apple.com header.s=id0517 header.b="MA/ULrV8";
       spf=pass (google.com: domain of appleid@id.apple.com designates 17.23.6.81 as permitted sender) smtp.mailfrom=appleid@id.apple.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=id.apple.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=id.apple.com; s=id0517; t=1766412167; bh=61ev6DAaFH+EXJM8gf6FisfbWrkfN1VxtvetFvliEzk=; h=Date:From:To:Message-ID:Subject:Content-Type; b=MA/ULrV8pynsX3icVapFKDxapasS0tcdyOL2FbSxSU5K7lq0YdioDGiKw1pp2WhJ+
	 PeWGmtF74s+gWRiq9hclIRbsZ5kYTrCYzJnaZyiE++SClh21Y65pJY2g7Q80u2OUMZ
	 dIfvZX4yVlreIbK0Tz8zcW2S3kIz8EOIaYReJMEoWOIUcCElV+7u6oFgitKva/pPuK
	 H2hkfSSOixA7pSpax33jMiDYfDUN3pENxt+IJusYx70YalJlvqoQB4U+TDRlL6WAQO
	 itRH3/FJHP3tKP0CHW+BDP7IRXX7FY8+y0V8QLq7AZfWmJ1AgRzNhJ7bdteOb3B8sV
	 f+LwuacEommbA==
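
One way to check headers like the ones posted above, as an added example that is not part of the original post: it reads only the `Authentication-Results` header written by the receiving provider and reports whether DKIM, SPF and DMARC passed for the same domain shown in `From`. The sample message is constructed and abbreviated from the post, its `From` line is an assumption, and domain comparison is an exact match rather than full relaxed DMARC alignment.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, abbreviated from the headers posted above. The From
# line is an assumption: the pasted excerpt stops before it.
SAMPLE = """\
Authentication-Results: mx.google.com;
       dkim=pass header.i=@id.apple.com header.s=id0517;
       spf=pass (google.com: domain of appleid@id.apple.com designates 17.23.6.81 as permitted sender) smtp.mailfrom=appleid@id.apple.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=id.apple.com
From: Apple <appleid@id.apple.com>
Subject: constructed sample

body
"""


def auth_results(raw, trusted_authserv):
    """Parse the topmost Authentication-Results header added by our own receiver."""
    for value in message_from_string(raw).get_all("Authentication-Results", []):
        flat = re.sub(r"\([^()]*\)", " ", " ".join(value.split()))  # unfold, drop comments
        authserv, *clauses = [part.strip() for part in flat.split(";")]
        if authserv.lower().split()[:1] != [trusted_authserv]:
            continue  # any sender can insert this header; ignore foreign authserv-ids
        methods = {}
        for clause in clauses:
            pairs = [tok.split("=", 1) for tok in clause.split() if "=" in tok]
            if pairs:
                (method, result), props = pairs[0], pairs[1:]
                methods.setdefault(method, {"result": result, **dict(props)})
        return methods
    return {}


def domain_of(value):
    return value.rpartition("@")[2].strip('"').lower()


def verdict(raw, trusted_authserv="mx.google.com"):
    """Report which checks passed AND match the visible From domain (exact match)."""
    res = auth_results(raw, trusted_authserv)
    from_domain = domain_of(parseaddr(message_from_string(raw).get("From", ""))[1])

    def ok(method, prop):
        entry = res.get(method, {})
        return (bool(from_domain) and entry.get("result") == "pass"
                and domain_of(entry.get(prop, "")) == from_domain)

    return {"from_domain": from_domain, "dkim_aligned": ok("dkim", "header.i"),
            "spf_aligned": ok("spf", "smtp.mailfrom"), "dmarc_pass": ok("dmarc", "header.from")}
```

A passing verdict authenticates the sending domain only; it says nothing about who requested the reset or which account the notification refers to.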

Dec 22, 2025 1:42 PM in response to John Galt

John Galt wrote:

Security questions are no longer used — for new accounts. If your Apple Account has been in use for a long time then you probably configured them, and someone attempting to access that Account may be asked for them.

Note that the OP said, "when I go into my Apple settings I see that I have 2 factor authentication enabled." Apple will not ask security questions if the account is now using 2FA, even if they were used in the past.

Dec 22, 2025 2:18 PM in response to Limnos

It is not possible to be certain Apple will not ask security questions in 100% of the cases for which account recovery is being sought, or when questionable login attempts were made. It would not surprise me if they did, or even if it was an intentional distraction to frustrate bad actors.


Obviously I haven't encountered them for a very long time, but I'm not attempting to "hack" anyone's Apple Account either.
