cazyp

Q: reset apple id emails someone trying to hack my account

I am constantly getting 'reset apple id' emails.

Yesterday I got a notification that someone in Taiwan had downloaded Throne Wars on another device not associated with my account - luckily a free download so I changed my password straight away.

Today so far I have had 7 emails about resetting my apple id.

Who do I report it to!? What can be done?

Thanks

Posted on Dec 22, 2013 7:27 AM


first Previous Page 4 of 8 last Next
  • by thomas_r.,

    thomas_r. Dec 28, 2013 6:56 AM in response to Basexperience
    Level 7 (30,919 points)
    Mac OS X

    Has the apple ordering system been compromised?

    The chances of that are very small. This issue is almost certainly not due to some breach at Apple. Obviously, I can't say that's impossible, but it's unlikely. Those waiting for Apple to provide more information are not likely to be satisfied. Apple is very close-mouthed, and is unlikely to make any kind of public statement about this unless it does turn out that there was a breach. They also never make any kind of public statements here, at all, period.

    As to what's going on, it certainly seems that there may be an attack of large-ish scale going on. However, unless someone posts additional details, rather than simple "me too" posts, no answers will likely ever be found.

    Everyone has pointed the finger at Taiwan, but nobody has said exactly why. I'm curious what is telling folks that stuff is being downloaded in Taiwan. Are you all getting e-mail messages that look like this:

    [Screenshot: Screen Shot 2013-12-28 at 9.17.30 AM.png, a legitimate download-notification e-mail from Apple]

    If so, does it say in the message somewhere that the app was downloaded in Taiwan? As you can see from the legit message from Apple above, the location is not information that is typically given... but perhaps the e-mail gives additional location information if the download comes from a different country?

    As to the continuing question of how this is happening, many of you are making the erroneous assumption that an Apple ID that isn't used much should be hack-proof. This is not the case. I've mentioned previously a number of ways that Apple IDs can get hacked.

    In the case of what appears to be a larger-scale attack like this, there are a couple of specific possibilities. One is that some other host linked to these Apple IDs has been compromised. You should have some third-party e-mail address set up as a rescue e-mail address. If that e-mail address has been compromised, an attacker could reset your password to gain access, then cover up their tracks by deleting the rescue e-mail. It's possible that an entire host has been compromised somewhere. What e-mail host is everyone here using?

    Another possibility is a brute-force attack with randomly-generated Apple IDs. Are all of you using me.com or icloud.com Apple IDs? If so, the attackers may have found a way to identify valid Apple IDs and are randomly testing all possible xxxxxx@icloud.com IDs. Once they've found valid ones, a brute-force attack could gain access. I know that some folks have said they had strong passwords, but often what appears to be a strong password really isn't. There are common patterns that hackers can attack to brute-force crack some kinds of "strong" passwords. See:

    http://www.dailymail.co.uk/sciencetech/article-2331984/Think-strong-password-Hackers-crack-16-character-passwords-hour.html

    Another possibility is that you're using the same password for both your Apple ID and some other site, and that other site has been compromised. It will likely be difficult to determine any commonality there, unless news of some site being compromised appears sometime soon. If you're using the same password on any other site, though, that's not wise, and you should be sure to use different passwords for every site.

    Ultimately, though, the "how" isn't very important here. What's important is how you respond to ensure it doesn't happen again. Everyone responding here needs to take the following steps:

    • If you have used your Apple ID on a Windows machine, scan it for malware using a good scanner.
    • If you are using an insecure wireless network (i.e., one that does not require a password to join), stop and find a secure network.
      • If the network is your home network, secure it immediately with WPA2 encryption and a decent password
    • Change your Apple ID password
      • Choose a password that you don't use for anything else
    • Change your rescue e-mail account password
      • Again, choose a password that you don't use for anything else
    • Enable two-factor authentication on your Apple ID (http://support.apple.com/kb/ht5570)
    • Change your password on any online account that used the same password as either of the passwords you just changed

    Note that using a long and truly random password is the most secure, but to do so on all your online accounts, you will probably want to have some kind of password manager. I find 1Password to be good, but I'm sure there are others that will function equally well, perhaps even better.
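As an added illustration of the advice in the post above (not code from the thread or from Apple), a small Python audit over a constructed account list that flags the two problems the post singles out: a password reused between accounts, and the "capitalised word + digits + symbol" shape that looks strong but is the pattern crackers try first. The site names and passwords are invented sample values.

```python
import re
from collections import defaultdict

# Constructed sample account inventory (hypothetical sites and passwords,
# not real credentials); "Tr0ub4dor&3" is the classic "looks strong" example.
ACCOUNTS = [
    {"site": "appleid", "password": "Summer2013!"},
    {"site": "example-forum", "password": "Summer2013!"},
    {"site": "mail-provider", "password": "Tr0ub4dor&3"},
    {"site": "shop", "password": "x9#Lq2v!Pm7zR4wK"},
]

# Common letter-for-symbol substitutions that cracking tools undo first.
LEET = str.maketrans("0143$@", "oiaesa")
TRAILING = re.compile(r"[0-9!@#$%^&*?.,_-]+$")


def predictable_shape(pw):
    """True if the password is one word (maybe capitalised, maybe in
    leetspeak) followed by digits and/or a symbol: the pattern the
    post describes as a 'strong' password that really isn't."""
    core = TRAILING.sub("", pw)          # drop the trailing digits/symbol
    core = core.translate(LEET)          # undo 0->o, 1->i, 4->a, 3->e, ...
    return len(core) >= 3 and core.isalpha() and core[1:].islower()


def audit(accounts, min_len=12):
    """Return sorted (site, problem) findings for an account list."""
    findings = []
    by_password = defaultdict(list)
    for acct in accounts:
        site, pw = acct["site"], acct["password"]
        by_password[pw].append(site)
        if predictable_shape(pw):
            findings.append((site, "predictable word+digits shape"))
        if len(pw) < min_len:
            findings.append((site, f"shorter than {min_len} characters"))
    # The post's core advice: never share one password between accounts.
    for sites in by_password.values():
        if len(sites) > 1:
            findings.append((",".join(sites), "password reused across accounts"))
    return sorted(findings)


if __name__ == "__main__":
    for site, problem in audit(ACCOUNTS):
        print(f"{site}: {problem}")
```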

  • by Basexperience,

    Basexperience Dec 28, 2013 8:48 AM in response to thomas_r.
    Level 1 (20 points)

    When I mention the ordering system, I should expand this to include a human vector compromise rather than a server exploit - it's striking that many of the cases we're seeing reported on here have Taiwan in common, but then again if you wanted to disguise electronic purchases you'd probably try to exercise your compromised accounts from somewhere besides your home country.

    I've seen the email confirming download and it reads like your example, and includes an explicit mention that the download occurred in Taiwan.

    My wife doesn't use an iCloud address for her apple ID, and the passwords for that email address, the apple ID and the backup email account are all different and what I'd describe as "reasonably secure", including capitals, punctuation, numerals and non-words.

    And the "how" isn't important on this forum, I'll grant you - but it should be important to apple, if there is any kind of breach on their side (however remote this might be).

    Incidentally, good post: informative and with some good thought-provoking points, particularly stuff like wifi networks used:

  • by dlowings,

    dlowings Dec 28, 2013 12:57 PM in response to cazyp
    Level 1 (0 points)

    I've looked over this thread and others with a similar topic. I also found myself in the same situation as the rest, where a free app, "Show of Hands", had been downloaded from Taiwan. As soon as I saw the email, and knowing I had not triggered a download, I moved to a secure government PC and changed my password. I always move to a different PC on a secure network in order to avoid several hacking situations. By the time I got back to my other PC I noticed that my account had been locked out for security reasons ("I suspect that THEY had triggered the lock by using the old password"). Next I called Apple support to get a feel for what the situation was. The agent from Apple who called me stated that she had had several other calls with the same situation and the same application download. Knowing there was not much she could do, I thanked her and ended the call.

    I have a lot of Apple devices and found that the app had been downloaded automatically to one of my iPads. I removed it and also verified that it was showing up in my cloud as downloaded. By that time my account was locked out again, and I once again reset the password. The one thing you can't do is stop the hacker from "wherever" from trying to use the OLD password.

    NOW, I have not said anything different than all the other targets, but I would like to post a question to the group. How many people who have been targeted are using Back to My Mac "VNC"? Do you have it enabled? The reason I ask is I saw some very interesting things in my security log and I'm trying to understand if there is a connection. I do not use standard passwords, so I'm a bit surprised that they were able to get my first password to trigger the download. For every account I have on the internet I use what is called a two-factor password, where the first factor of the password is associated with the account/website and the second factor of the password is somewhat static in nature.

    I don't think this was a brute force attack, and I do not think the original attack was a phishing attack. I strongly doubt that the breach was on Apple's end but can't rule that out. I do suspect that it is more than likely there was an attack directed toward the end users based on some common thread... I'm just trying to figure out what that is at this point.

  • by Basexperience,

    Basexperience Dec 28, 2013 1:00 PM in response to dlowings
    Level 1 (20 points)

    No "back to my mac" VNC. Windows only here.

    Also - no repeat lock-outs or requirement to change password again, all seems in order again now.

  • by dlowings,

    dlowings Dec 28, 2013 1:03 PM in response to Basexperience
    Level 1 (0 points)

    And no VNC to any of your Windows machines? Any port forwarding on 5900?

  • by Basexperience,

    Basexperience Dec 28, 2013 1:06 PM in response to dlowings
    Level 1 (20 points)

    No, VNC access is a red herring I suspect. Did you purchase anything from apple online (eg AppleCare, an iPad, etc) where you had to use your apple ID before your account was compromised?

  • by dlowings,

    dlowings Dec 28, 2013 1:13 PM in response to Basexperience
    Level 1 (0 points)

    The day prior, I used my ID to set up some time with an Apple tech to have my 5s swapped out due to a faulty touch screen. I used a computer inside the Apple store to set up the time slot.

  • by NM2011,

    NM2011 Dec 28, 2013 1:26 PM in response to NorthArchRising
    Level 1 (0 points)

    Got my email today for a download of "Farm-Town". Following the instructions I was given, I changed my password and am now waiting the 3 days before being able to turn on the extra security. However I only use iTunes (I do not own an iPad, iPhone, or any Mac devices) and have nothing listed in my purchase history. What is going on?

  • by NM2011,

    NM2011 Dec 28, 2013 1:27 PM in response to thomas_r.
    Level 1 (0 points)

    The email informs you the download was initiated in Taiwan.

  • by Chrisrhea,

    Chrisrhea Dec 28, 2013 3:15 PM in response to Basexperience
    Level 1 (0 points)

    Good question Basexperience. I used my Apple account with my first paid purchase on my iPad just before my account was hacked. I changed my password and removed my credit card details and have not had any further difficulties.

    To Thomas R the email I received looked exactly like yours, only it had the added information that the download was initiated from Taiwan, as most people with this problem have already stated previously.

  • by Basexperience,

    Basexperience Dec 28, 2013 3:36 PM in response to Chrisrhea
    Level 1 (20 points)

    My wife's laptop hasn't been attached to any public / open WiFi networks either (just her work one and our home network) and the Taiwan incident occurred shortly after purchase of an iPad and AppleCare through her Apple ID.

    This wasn't the first time she has purchased Apple hardware using the ID, but is the first time she's used it to buy anything in quite some time (perhaps a couple of years).

    I've made representations to iTunes customer support asking them to confirm if they can escalate this inter-departmentally (rather than giving the usual "here is how to avoid phishing attacks" customer support generic handling responses, useful as they are). No answer yet, but will update if they get back with anything useful.

    Can anyone else post if they made any purchase with their Apple ID recently? No need for details, just if it was a rare event on their part (or their first) and then suddenly they found themselves having to reset their Apple ID passwords, etc.

  • by Basexperience,

    Basexperience Dec 28, 2013 4:00 PM in response to Basexperience
    Level 1 (20 points)

  • by szurcher,

    szurcher Dec 28, 2013 4:24 PM in response to cazyp
    Level 1 (0 points)

    I just got this problem today. Still from Taiwan. App was "The Panic Room: Outrage". Changed password, in wait period for 2-step. My password was very strong, I don't give it out, etc. etc. On a Mac not Windows. I hope this gets addressed sooner than later.

  • by r0pe,

    r0pe Dec 28, 2013 5:30 PM in response to cazyp
    Level 1 (0 points)

    Also got an email today. Farm-Town was downloaded from Taiwan.

    I did use my appleid password on another site, and it may very well have been compromised by some hack of the other site, or Apple was breached. It may be the Taiwan hackers downloaded a huge database of emails and passwords and are botnetting a ton of mainstream sites. I do know for example Adobe Creative Cloud was breached earlier this year.

  • by DevenW,

    DevenW Dec 28, 2013 5:34 PM in response to cazyp
    Level 1 (0 points)

    Just had this happen to me, Taiwan, downloaded The Panic Room: Outrage. I haven't used my Apple ID in about 4 years. The last time I used it was on a computer that hasn't been in use in about 2 years. This is definitely something on Apple's side.
