Apple Account Compromised?

[mrt209]

Earlier today I was working on my mac and a notification popped up saying "AppleCare would like to view your screen." Since I had not requested help or anything i clicked decline. The message kept appearing for 5-6 times more or so, each time I clicked decline.

A couple of minutes later I got an email saying my phone number had been removed from VoicePass. So I logged into my support profile and my phone number was indeed gone, replaced with another phone number. My address had also been changed. I tried to delete the phone number and re-add my phone number but it wouldn't let me.

Has my account been compromised?

I tried to contact apple but I am unable to do so (says offices are closed), and the first call I could schedule online is on Sunday.


Thanks.

 

[esf215]

Change your password and sign up for 2FA

 

[mrt209]

Changed password and have used 2FA since they introduced it.

 

[M. Gustave]

Clicking anywhere on that message was probably a bad idea.

 

[akash.nu]

I don't know how you guys get into such situation. I've never had issues like this in my life. Never ever been prompted ****. I just close the windows when random web pop up appears. Or just use a pop up blocker.

 

[Floris]

Go to https://appleid.apple.com/account/manage in a trusted browser, make sure the certificate of the web site is not only green, but also valid and owned by Apple and not Symantec or NaughtyRussia.

Use a long and strong, unique password. And check under security > trusted devices that only your devices are listed.
Check the recovery email addresses listed. Remove the ones you do not have access to or aren't yours. And change the password on the email accounts that are yours and are listed there.

Go to the security questions and reset them.

Check whatever address, name, phone, etc is listed that isn't yours and if there is a way to verify yourself, use those.

Once you feel you are a little bit more in control, do it all once more. Go in, change the pass first, go back in and change the security questions. And double check any data. Keep a record of everything in case you forget to write something down. Any info that isn't yours, the phone numbers etc, take screenshots of those or otherwise take note.

Consider using a password manager like 1password to generate and manage your strong and unique long passwords.

If you used a pass that is used elsewhere, perhaps that how they got in. About half the Internet with databases from 2012 to current have been shared recently and old or not unique passwords are easy to check and Apple is an obvious target.

When you contact Apple, tell them what ISP or IP range you're on and ask them to verify that strange unknown - not matching IPs are used on icloud, appleid, apple store, app store, etc. And maybe they can make an effort and find any fraud you haven't found yet.

If they've added their phone, quickly in another tab or device load up find my phone and see if you can get a gps location for the person doing it. Even if they use a vpn etc to get into iCloud, nic spoofing on their iPhone is a lot harder, jsut turning on vpn doesn't do the trick. Might help the police in the investigation if you decide in the future to persue it

Check your apple mail too, the sent and trash and spam folder. If they did "lost my pass" on other sites, your iCloud has Mail there. And they can get in other accounts you own. As a precaution, just change the details on your top10 sites you frequent.

iCloud also has a settings app in the browser with an option at the bottom 'sign out from all other browsers'.

Best of luck, I hope you can contact Apple soon to get help from their site and an explanation on how they were able to do a remote apple support thingy etc.

 

[mrt209]

I don't know how you guys get into such situation. I've never had issues like this in my life. Never ever been prompted ****. I just close the windows when random web pop up appears. Or just use a pop up blocker.

I closed the window... the only way to do that is to click decline. And you didn't read my first post, it was a notification not a pop up so I don't how a pop up blocker would have helped.
[doublepost=1474115629][/doublepost]

Go to https://appleid.apple.com/account/manage in a trusted browser, make sure the certificate of the web site is not only green, but also valid and owned by Apple and not Symantec or NaughtyRussia.

Use a long and strong, unique password. And check under security > trusted devices that only your devices are listed.
Check the recovery email addresses listed. Remove the ones you do not have access to or aren't yours. And change the password on the email accounts that are yours and are listed there.

Go to the security questions and reset them.

Check whatever address, name, phone, etc is listed that isn't yours and if there is a way to verify yourself, use those.

Once you feel you are a little bit more in control, do it all once more. Go in, change the pass first, go back in and change the security questions. And double check any data. Keep a record of everything in case you forget to write something down. Any info that isn't yours, the phone numbers etc, take screenshots of those or otherwise take note.

Consider using a password manager like 1password to generate and manage your strong and unique long passwords.

If you used a pass that is used elsewhere, perhaps that how they got in. About half the Internet with databases from 2012 to current have been shared recently and old or not unique passwords are easy to check and Apple is an obvious target.

When you contact Apple, tell them what ISP or IP range you're on and ask them to verify that strange unknown - not matching IPs are used on icloud, appleid, apple store, app store, etc. And maybe they can make an effort and find any fraud you haven't found yet.

If they've added their phone, quickly in another tab or device load up find my phone and see if you can get a gps location for the person doing it. Even if they use a vpn etc to get into iCloud, nic spoofing on their iPhone is a lot harder, jsut turning on vpn doesn't do the trick. Might help the police in the investigation if you decide in the future to persue it

Check your apple mail too, the sent and trash and spam folder. If they did "lost my pass" on other sites, your iCloud has Mail there. And they can get in other accounts you own. As a precaution, just change the details on your top10 sites you frequent.

iCloud also has a settings app in the browser with an option at the bottom 'sign out from all other browsers'.

Best of luck, I hope you can contact Apple soon to get help from their site and an explanation on how they were able to do a remote apple support thingy etc.

Thanks, I use 1Password and never use the same password for any sites. It seems like my account got mixed up with another persons apple account. Going to call in a few hours when apple support is available and try to figure out what happened.

 

[Floris]

Best of luck

 

[LewisChapman]

Any update on this? Assuming it all went well.

 

[mrt209]

They said they were going to investigate. At first thought I was hacked but have two-factor authorization and also found no malware on my mac so they're not sure what happened. I was able to to verify my info with the person on the phone which allowed me to change back the phone number and mailing address.