Serious Flaw/Weakness in AppleID Account Recovery in the Event of a Hack

[maxxodd]

My iCloud account was hacked today despite me having 2FA turned on. I never received a pop-up on any of my devices with a code. I only received emails initially that my password had been changed followed by an email that a new trusted phone number had been added followed by an email saying my old phone number had been removed. These were all in rapid succession. I then received a pop up asking to change the email associated with the account. I clicked "No".

I then immediately tried to log into and change my password to no avail as my password was not accepted and I did not know the new phone number that was associated with my account. One problem with 2FA is that even thought he hacker wasn't able to remove the email associated with the account (I don't know why this was different than the phone number or password), I can't use the email associated with the account to do anything. I need the "new" phone number that the hacker associated with it.

I then called iCloud account support and unbelievably, they really can't help someone in this situation! They are unable to lock the account. They are unable to change the trusted number back to the one that it has been for years. They are unable to reset the password. After spending about an hour on the phone, their resolution was to send an email to their "engineers" and hopefully they would hear back in a day or two. Meanwhile, I get emails saying that my iTunes account has a new id, then that it is associate with a family account, then that my storage is full, etc. I call them back up and they say they are able to call iTunes on their side and disable further purchasing, but they still can't help me other than waiting for the engineers. Meanwhile the hacker has access to all my data (and I do not). This seems utterly ridiculous to me. Apple needs to have a way to authenticate the user (how about the phone number that had been associated with the account for years or sending an email to the email address that the hacker was not able to change. There needs to be some form of authentication that doesn't involve data that the user can change instantly) and they need to be able to at the very least disable the account while they sort things out. Oh yea, the "senior supervisor" who I spoke with also asks me if they hacker had remotely wiped any of my devices via "find my iPhone". Not yet, but I suppose they could, so I have that to look forward to. I think apple has a big problem with their 2FA as the hacker did not have physical control of any of my trusted devices.

I am trying to bring to light serious issues with Apple's ability to handle an identity breach. They need to have a way to resolve this that doesn't involve letting the hacker have days (at the least) of access to the person's information even after discovered. They need to have a way to authenticate the real user who still has physical access to all their devices. Send me a text to my original phone. Send me an email to my email associated with the account. Ask me security questions. Something other than what phone number is associated with the account when the hacker just changed that 5 minutes ago once they gained access.

Update: After speaking to two other senior advisors and Apple Engineers, there is no current way to recover the account in this situation. The hacker will remain in control of my photos, contacts, calendar, iTunes and App Store purchases. I have been advised to report this "bug" to apple.com/feedback

 

[chabig]

I tend to agree with Apple that this post isn't constructive. Your claims ought to be viewed with suspicion, because none of what claim happened is supposed to be possible. Your story sounds fishy. Naturally I can't say it didn't happen exactly as you say, but also there is no particular reason you are to be believed. As they say, extraordinary claims require extraordinary evidence.

Maybe you were phished. Have you been to https://appleid.apple.com/

 

[maxxodd]

I tend to agree with Apple that this post isn't constructive. Your claims ought to be viewed with suspicion, because none of what claim happened is supposed to be possible. Your story sounds fishy. Naturally I can't say it didn't happen exactly as you say, but also there is no particular reason you are to be believed. As they say, extraordinary claims require extraordinary evidence.

Maybe you were phished. Have you been to https://appleid.apple.com/

I'm not sure what sounds fishy to you. I can't say exactly how this happened because I don't know for certain. I explained the events as they happened. I did not embellish. Maybe there is an issue with 2FA, maybe there isn't, but the usual answer for potential security issues isn't to burry your head in the sand or be dismissive.

My primary point is that Apple should be more equipped to resolve this issue and return control of the account to me provided I can prove my identity. This really shouldn't be that difficult. Like I said, relying a single piece of data that a user can change in an instant is not the best authentication method. How about having a unique set of codes like Firevault? How about using credit card info or purchases that are associated with ApplePay? How about being able to reset the phone to the one previously used or the email, etc. How about asking for device SNs or MEIDs that are associated with the account? How about security questions? Heck, I'd even be OK with going into an Apple Store and showing a passport or other ID and paying a fee for the the service.

The link you posted is the one I initially tried. It requires you to know the phone number that is associated with the account to reset the password. You cannot use any other means of resetting the password if 2FA is turned on. Thus, when the hacker changed the phone number associated with the account, they removed the only means of changing the password and recovering the account.

 

[chabig]

My primary point is that Apple should be more equipped to resolve this issue and return control of the account to me provided I can prove my identity.

I agree that's the key issue. It does seem like there ought to be ways to accomplish that.

 

[maxxodd]

I've read that there should be an option for using a trusted device to reset the password on the screen shown below, but as you can see, there is no option. Maybe the hacker removed all my "trusted devices" from iCloud and thats why I don't have the option? It's all very frustrating.

[doublepost=1557859604][/doublepost]OK. So I just heard back from the Senior Technical Advisor and they explained to me that the engineers at Apple have no way to recovering my account. End of story. I really can't think of any other cloud company that would handle the situation like this.

 

[chabig]

What happens when you enter your phone number on that screen?

Also, may I suggest that you edit the title of your thread to something less 'judgmental'? Perhaps, "Help--I'm locked out of my iCloud account" would get more people to offer suggestions.

Also, do any of Apple's suggestions work: https://support.apple.com/en-us/HT204915#FAQ

 

[maxxodd]

What happens when you enter your phone number on that screen?

Also, may I suggest that you edit the title of your thread to something less 'judgmental'? Perhaps, "Help--I'm locked out of my iCloud account" would get more people to offer suggestions.

Also, do any of Apple's suggestions work: https://support.apple.com/en-us/HT204915#FAQ

It doesn't accept my phone number (it says its the wrong phone number). I don't know the one on the screen that ends in 54. Thats not my phone number.

Thank you for suggesting that page. Unfortunately, all roads lead back to needing the phone number associated with the account as the hacker removed all my trusted devices.

 

[mtngoatjoe]

It's hard to believe that 2FA failed. I think it's much more likely that someone you know has taken advantage of your trust. It's not possible to sign into https://appleid.apple.com without access to one of your devices. Someone figured out your credentials and then "borrowed" your iPhone to make a call. Or something like that. The point is, someone figured out your credentials, and then you gave them access to one of your devices. They would have only needed the device for 10 seconds or so (just long enough to get the verification code).

Or maybe you traded in (or gave away) an old device without wiping it clean.

As unlikely as all that is, it is far more likely than 2FA failing.

 

[nouveau_redneck]

@maxxodd did you have possession of all your devices attached to that account at all times while the initial emails were coming in? Have you ever shared your ID and password with anyone else or used them at other sites? Are they strong?

Are all your devices clean of malware or loggers of any type?

If all that checks out and you are certain that it was someone cracking your account and/or 2FA, then you should probably create a police report. If this leads to any type of identity issues, or loss of data/money, it may be helpful to have the report filed.

 

[maxxodd]

@maxxodd did you have possession of all your devices attached to that account at all times while the initial emails were coming in? Have you ever shared your ID and password with anyone else or used them at other sites? Are they strong?
y
Are all your devices clean of malware or loggers of any type?

If all that checks out and you are certain that it was someone cracking your account and/or 2FA, then you should probably create a police report. If this leads to any type of identity issues, or loss of data/money, it may be helpful to have the report filed.

I finally found how the hacker got in. I have probably 30 mac and idevices, but only 10 that were associated with this AppleID. I forgot about a headless mac mini that I have running time machine (encrypted) backups in a closet. I had an external port forwarded for VNC (stupid I know). They were able to log in to that computer (my password was random, but only 6 characters). They changed the computer password, but I was able to log into a different administrator's account and regain control of the computer. Thankfully, that computer didn't really have any useful info on it. Open on the desktop were Keychain, a web browser with PayPal, Ebay, some Chinese eBay like site and another financial page. I don't keep any log in info for things like that in keychain and have never even been to those sites on that computer. I also have 2FA (SMS thank goodness) for both. So I removed the forwarded port and will obviously only be VPNing into that site when I want to screen share from now on.

So, the breach was a weakness in my architecture. Having said that, I really don't like Apple's implementation of 2FA. Its convenient when you don't have your phone around, but have another device close and you need to authenticate, but I'd prefer old fashioned SMS to a single cell phone or device. I realize that the pop-ups for confirming changes to the account go away from devices once one clicks an option and thus it would be pretty easy for the hacker to quickly press "yes" or whatever and not have me see any pop up on my phone. I think this is also a weakness. I don't know how much I could have done about it anyway. It all happened within a minute with just emails to my phone as evidence of what was happening.

Unfortunately, knowing how this happened and mitigating further damage still doesn't help me regain control of the account. I need the phone number that the hacker put on the account to do anything. I've submitted feedback to apple per their engineer's suggestion, but I won't be holding my breath for a fix any time soon.

I also can't sign out of "find my phone" on my iPhone or iPads without the password meaning that the hacker could erase my devices at any time if they are so inclined. So I've got that going for me....

 

[nouveau_redneck]

I finally found how the hacker got in. I have probably 30 mac and idevices, but only 6 that were associated with this AppleID. I forgot about a headless mac mini that I have running time machine (encrypted) backups in a closet. I had an external port forwarded for VNC (stupid I know). They were able to log in to that computer (my password was random, but only 6 characters). They changed the computer password, but I was able to log into a different administrator's account and regain control of the computer. Thankfully, that computer didn't really have any useful info on it. Open on the desktop were Keychain, a web browser with PayPal, Ebay, some Chinese eBay like site and another financial page. I don't keep any log in info for things like that in keychain and have never even been to those sites on that computer. I also have 2FA (SMS thank goodness) for both. So I removed the forwarded port and will obviously only be VPNing into that site when I want to screen share from now on.

So, the breach was a weakness in my architecture. Having said that, I really don't like Apple's implementation of 2FA. Its convenient when you don't have your phone around, but have another device close and you need to authenticate, but I'd prefer old fashioned SMS to a single cell phone or device. I realize that the pop-ups for confirming changes to the account go away from devices once one clicks an option and thus it would be pretty easy for the hacker to quickly press "yes" or whatever and not have me see any pop up on my phone. I think this is also a weakness. I don't know how much I could have done about it anyway. It all happened within a minute with just emails to my phone as evidence of what was happening.

Unfortunately, knowing how this happened and mitigating further damage still doesn't help me regain control of the account. I need the phone number that the hacker put on the account to do anything. I've submitted feedback to apple per their engineer's suggestion, but I won't be holding my breath for a fix any time soon.

I also can't sign out of "find my phone" on my iPhone or iPads without the password meaning that the hacker could erase my devices at any time if they are so inclined. So I've got that going for me....

I'm sure that it is a relieve to know now how it happened so that you can take action. Hopefully the lost of whatever was in that account was not too critical.

 

[maxxodd]

So, while I'd like to just create a new AppleID and move on, thats not really possible. All my devices that I had been using this Apple ID on (6 mac minis, 1 MacBook pro, 2 iMacs, iPhone, iPad, Apple Watch) require the password to sign out which again, I don't have and have no way of getting. I understand this is a security feature to prevent stolen devices from being able to be used. But, now I get nag screens every minute or so (and often several in a row) asking me to sign in with my AppleID on every device). It makes the devices essentially unusable. Between that and the very real threat that my devices could be remotely locked or erased with apple's "Find my Mac" and "Find my Phone", and I've come to the conclusion that I will need to replace all the hardware locked into this AppleID.

As unsavory as it sounds for me, I don't think I have any recourse, but to sue Apple in small claims court for the replacement cost of the hardware which amounts to about $10,000 given that even the base Mac Mini now costs $800 and comes with a 128GB hard drive (really?). All my devices have at least a 512GB SSD and Apple likes to make upgrades a little steep.

 

[JepGambardella]

Things would be easier if Apple would have an option to verify your details in an Apple Store, via passport, so they can reset things. The things I've stored on iCloud makes my Apple ID not only an account to buy things, but it's also my complete (digital) life stored on there.

 

[MisterSavage]

So, the breach was a weakness in my architecture. Having said that, I really don't like Apple's implementation of 2FA. Its convenient when you don't have your phone around, but have another device close and you need to authenticate, but I'd prefer old fashioned SMS to a single cell phone or device.

SMS is a terrible thing to rely on for 2FA.

https://gizmodo.com/psa-sms-2fa-is-weak-af-1834681656

 

[maxxodd]

SMS is a terrible thing to rely on for 2FA.

https://gizmodo.com/psa-sms-2fa-is-weak-af-1834681656

Maybe. i don't know much about SMS hijacking, but the article explains that it requires hacking and social engineering to pull off meaning that someone has to give them critical information to make it work.

On the other hand, Apple's 2FA becomes one factor authentication if someone is able to guess your computer password and your computer is a trusted device. They can bypass your 2 factor authentication and reset your password. Just like they did to me. Thus, 2FA is not really 2FA in this instance. By just brute force cracking my computer password, they gained control of my AppleID.

I realize no system is perfect. I readily accept this. I also acknowledge that it probably would not have happened if I did not have a port forwarded to the computer for VNC (thats on me and the hacker). My only umbrage is Apple's inability to properly authenticate my identity once this happens and restore control of the account to me.

I was told that Apple's engineers have been stripped of the ability to reset the account to eliminate the risk of phishing (social engineering) and letting a hacker gain control of the account. Unfortunately, this means that they are unable to help in this situation.

 

[nouveau_redneck]

I'm going to jump in and add that I agree with previous statements that there should be a means of ownership to an Apple ID outside of device relationship, and tied to actual identity. One should be able to provide proof of ownership via valid government ID. Much like a personal relationship one has with their financial accounts.

I don't use Apple Pay myself so have no knowledge of how Apple treats account recovery with respect to it. Is it the same as Apple ID recovery, or is it identity driven?

 

[zorinlynx]

Things would be easier if Apple would have an option to verify your details in an Apple Store, via passport, so they can reset things. The things I've stored on iCloud makes my Apple ID not only an account to buy things, but it's also my complete (digital) life stored on there.

I have a feeling that the reason they make it so difficult or impossible to do this is to combat social engineering, bribery, etc.

Imagine if someone offered an Apple Store employee a million dollars to reset a celebrity's Apple ID, so they can then log in and steal their personal data. It really sucks that Apple cannot restore ownership of OP's Apple ID, but this may be a possible reason why.

EDIT: I just OP actually said that in another response above. Now I have egg on my face....

I should also add that it's a bad idea to put your Apple ID password in your Keychain. Let that be one of the few passwords you actually keep in your head. Once your Apple ID is in Keychain a hacker has everything they need to compromise your account if they gain control of one of your devices.

 

[maxxodd]

I have a feeling that the reason they make it so difficult or impossible to do this is to combat social engineering, bribery, etc.

Imagine if someone offered an Apple Store employee a million dollars to reset a celebrity's Apple ID, so they can then log in and steal their personal data. It really sucks that Apple cannot restore ownership of OP's Apple ID, but this may be a possible reason why.

EDIT: I just OP actually said that in another response above. Now I have egg on my face....

I should also add that it's a bad idea to put your Apple ID password in your Keychain. Let that be one of the few passwords you actually keep in your head. Once your Apple ID is in Keychain a hacker has everything they need to compromise your account if they gain control of one of your devices.

They don't need your apple ID password if the device they get control of is a "trusted device". They can just use that device to reset your password and then do what they did to me (change the associated phone number and remove your trusted devices). And thus 2FA in this situation really only requires one factor - your trusted device's password.

So, my latest wonderful finding is that a process "coredutd" starts using up over 100% of a core CPU in the event you have not entered your iCloud password. I can force quit the process, but it just restarts itself and hogs up resources.

[doublepost=1558047406][/doublepost]

I'm going to jump in and add that I agree with previous statements that there should be a means of ownership to an Apple ID outside of device relationship, and tied to actual identity. One should be able to provide proof of ownership via valid government ID. Much like a personal relationship one has with their financial accounts.

I don't use Apple Pay myself so have no knowledge of how Apple treats account recovery with respect to it. Is it the same as Apple ID recovery, or is it identity driven?

I'm not really sure about Apple Pay. I use it, but only on my phone and Apple Watch. The advisors said they would remove all my payment information from the account and I don't have any new charges on the credit cards associated with Apple Pay, so it either worked or the Hacker didn't try to use Apple Pay. I guess Apple doesn't want to be on the hook for fraudulent purchases or raise the ire of the credit card banks and thus will remove these from the account.

 

[LewisChapman]

Having no contingency plan for account lockouts because people can't be trusted is like a store not allowing staff to handle cash for fear of them pocketing it. Measures such as staged approvals (supervisor and/or manager approval required) and security questions from customer being required to reset would be a good start.

An identity approval method is a good idea and should be implemented now that our Apple ID's contain so much of our digital lives.

Very sorry to hear you have lost access to your Apple account @maxxodd, cyber attacks feel so sinister when they are this close to home and it's ridiculous you are now stuck in this situation where you can't even start afresh with your devices without the Apple ID password.

I would be pushing back at Apple for support if I was in your situation, their response is simply not good enough IMO.

 

[LarsN.]

Sad situation. The severeness of the impact could be lowered by apple in some ways. I tend to agree that there should be a solution to regain access to the devices. Otherwise ownership wouldn’t be the correct term for Apple devices anymore...

 

[maxxodd]

Well, an update for anyone else who runs into this issue. Everyone in tech support for Apple has been very nice (with the exception of the very first agent I spoke with), but there definitely is an issue of not being knowledgable about this topic and not being able to escalate it to anyone who does. So, after informing a sympathetic level 2 agent of my situation and need to recover the cost of device replacement by taking Apple to small claims court and needing to make a "demand" for replacement or the money to replace before I could file my claim, they transferred me to their "customer relations department". Through a series of conversations, they connected me with a different level 2 agent who explained how to reset the iCloud account (and log the original one out) with a single line of terminal code on each of my mac devices (I'm a little embarrassed that I couldn't find this with a quick google search initially). This did the trick in about 1 second for each computer and doesn't erase any data except for the iCloud account.

For my iOS devices, I was told that they would arrange for me to go to an Apple store and I would simply need to show proof of purchase for each device along with an ID and they would remove the activation lock (this does completely wipe the device). I did this for 4 devices (2 iPhones, 1 iPad and one apple watch). Unfortunately, they had to do 2 on one day and 2 on a subsequent day. Each day, I was at the genius bar next to a couple people there for the same reason. So, I asked the genius bar tech (both were super nice and sympathetic) about this and that this was very common (not the hacking part per se, but removal of the activation lock and AppleID for various reasons). You just need proof of purchase and your ID. If you bought your iPhone at an apple store, they can even look it up and print out your receipt for you.

In the end, I don't think it's an entirely unreasonable outcome (losing my AppleID and all iCloud data and purchases), but being able to start afresh with a new Apple ID. The only last bid that I'd wish Apple would do would be to nuke the old AppleID and data. I don't love the though there's someone out there with all my photos, calendar data, and contacts, but it could be a lot worse.

 

[zorinlynx]

One thing I don't understand is why there isn't someone high enough up the chain that you can talk to, in order to get your account back. You have plenty of proof that the account is yours; I mean, you have:

- A number of devices that were all associated with that account
- Access to the billing method(s) used by the account
- Real life identification showing that it's you
- A history of purchasing those Apple devices and logging them into your account

And probably much more. I can totally understand making it hard to restore ownership of an account, but there is likely so much connecting you to this account that I can't see why SOMEONE can't help you.

It's a bit disturbing, really, and helps ensure my continued distrust in "the cloud".

 

[LarsN.]

I have thought about the same and the best I have is that Apple simply can’t. They have locked out themselves as well to not risk the same situation where government asks for access or details and that means they cannot do anything for no one.

 

[LewisChapman]

One thing I don't understand is why there isn't someone high enough up the chain that you can talk to, in order to get your account back. You have plenty of proof that the account is yours; I mean, you have:

- A number of devices that were all associated with that account
- Access to the billing method(s) used by the account
- Real life identification showing that it's you
- A history of purchasing those Apple devices and logging them into your account

And probably much more. I can totally understand making it hard to restore ownership of an account, but there is likely so much connecting you to this account that I can't see why SOMEONE can't help you.

It's a bit disturbing, really, and helps ensure my continued distrust in "the cloud".

Completely agree - part of me thinks there probably is the ability for certain (VIP) customers but they don't want to get into the business of Apple ID resets/don't want people to think that Apple have a backdoor.

 

[LarsN.]

Completely agree - part of me thinks there probably is the ability for certain (VIP) customers but they don't want to get into the business of Apple ID resets/don't want people to think that Apple have a backdoor.

This. But if they didn’t opened the door for the feds who could be more important?