User profile for user: Tamlouie
Tamlouie Author
User level: Level 1
28 points

How can I verify the security of my MacBook after an Apple tech remained remotely logged in?

Concerned...Yesterday a Mac tech (Matthew) from Apple spent over an hour on the phone assisting me with my MacBook. He had access to the system settings, helped reset my Apple Id Password, I logged in and out of iCloud (which only asks for my MacBook login password, not Apple Id's) and more with his guidance. Seemed super nice, and wasn't in a hurry or concerned about time spent. We eventually ended convo, and I proceeded to work on security issues (changing logins, passwords, moving docs, etc.) only to realize two hours later that Matthew was still remotely logged into my laptop. I immediately ended that, but am now bothered and paranoid. If he was a true Apple tech (which I did hear other agents in the background, but I suppose that could be recorded chatter?) why wouldn't he disconnect remote access when he ended the call or at the very least be disconnected when starting another support call?

The whole point for the call was with security issues and now I am unsettled and not sure if I compromised my security further. Is there any way to know for sure? Where could I look to see if his specific access during those two hours did or changed anything? Are there any specific ways or guidance suggestions for this?



[Re-Titled by Moderator]

Original Title: Apple agent did not end remote access after call had ended...what steps to do now, trying to know more about it if possible?


Posted on Jan 31, 2026 5:30 AM

Reply
Question marked as Top-ranking reply
User profile for user: Mac Jim ID
Mac Jim ID
User level: Level 9
63,812 points

Posted on Jan 31, 2026 9:13 AM

Did you initiate the Support call from the number here:

Contact Apple Support - Apple Support


Clicking a link in a Google search for Apple support has been seen as problematic as scammers will pay Google to have their link appear closer to the top of the search.


At this moment, I would recommend to post the free EtreCheck report using the Additional Text option when posting to see if there has been any software installed on your computer that may have been used for this Remote Connection or other purpose.No personal information is included in this report. Do you know what app was used to share your screen?

How to use the Add Text Feature When Post… - Apple Community


You would want to make sure the changes to your Login and Apple Account password occurred AFTER the connection was closed and if not, change them again. There is not a specific log that will track what changes that occurred in those 2 hours.

View in context
4 replies
Question marked as Top-ranking reply
User profile for user: Mac Jim ID
Mac Jim ID
User level: Level 9
63,812 points

Jan 31, 2026 9:13 AM in response to Tamlouie

Did you initiate the Support call from the number here:

Contact Apple Support - Apple Support


Clicking a link in a Google search for Apple support has been seen as problematic as scammers will pay Google to have their link appear closer to the top of the search.


At this moment, I would recommend to post the free EtreCheck report using the Additional Text option when posting to see if there has been any software installed on your computer that may have been used for this Remote Connection or other purpose.No personal information is included in this report. Do you know what app was used to share your screen?

How to use the Add Text Feature When Post… - Apple Community


You would want to make sure the changes to your Login and Apple Account password occurred AFTER the connection was closed and if not, change them again. There is not a specific log that will track what changes that occurred in those 2 hours.

Reply
User profile for user: Servant of Cats
Servant of Cats
User level: Level 8
36,047 points

Feb 1, 2026 5:00 PM in response to Tamlouie

Tamlouie wrote:

If he was a true Apple tech (which I did hear other agents in the background, but I suppose that could be recorded chatter?) why wouldn't he disconnect remote access when he ended the call or at the very least be disconnected when starting another support call?


People who talk to scammers often hear other scammers in the background. Hearing other people talking in the background just suggests that you were talking to someone working in a call center, whether that call center was one belonging to Apple Support, or one belonging to a scam "business".

The whole point for the call was with security issues and now I am unsettled and not sure if I compromised my security further. Is there any way to know for sure? Where could I look to see if his specific access during those two hours did or changed anything? Are there any specific ways or guidance suggestions for this?


At a minimum, you would want to take Mac Jim ID's advice:


"You would want to make sure the changes to your Login and Apple Account password occurred AFTER the connection was closed and if not, change them again. There is not a specific log that will track what changes that occurred in those 2 hours."


The question would be whether the session left unwanted stuff behind, like a key logger or other spyware to steal sensitive information and relay it back to a scammer.


You may also want to check Settings > General > Sharing and make sure that any sharing options that you aren't using and don't want to use are turned OFF. But without knowing whether you called a legitimate Support person, or a scammer, it is impossible to give any absolute assurances as to what might have happened.

Reply

How can I verify the security of my MacBook after an Apple tech remained remotely logged in?

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.
Learn more Sign up