
j-a-x

macrumors 68000
Original poster
Apr 15, 2005
1,566
285
Houston, Texas
When I'm surfing on my laptop, the Mailbird app is checking mail in the background. I don't have to actively be using iCloud services for a 3rd party app to make those requests. Just 2 cents.

I authenticated the Spark mail app but it used an individual app password and I'm pretty sure it doesn't generate login request notifications every time. I need to approve every time it connects. It only generated one request and once I authenticated it it stopped generating login requests. If it did generate requests every time, it wouldn't be able to connect because I always deny the random login requests I don't recognize.
 

jetsam

macrumors 6502a
Jul 28, 2015
980
759
At this point, it seems highly probable that at least one of your computers has a Trojan with a keylogger running. That is the only explanation as to how a long random password could be stolen on a regular basis.

I believe you said that you have a work PC that your company IT staff supposedly keep secure. Despite that, I would consider that the likeliest place to be running a Trojan. Are you allowed to download programs onto your work PC? If so, then the first thing I would suggest is downloading and running the free version of Malwarebytes (www.malwarebytes.com).

That isn't to say that it is necessarily the Windows PC that has the issue. I just think that is the weakest link.
 

j-a-x

macrumors 68000
Original poster
Apr 15, 2005
1,566
285
Houston, Texas
At this point, it seems highly probable that at least one of your computers has a Trojan with a keylogger running. That is the only explanation as to how a long random password could be stolen on a regular basis.

I believe you said that you have a work PC that your company IT staff supposedly keep secure. Despite that, I would consider that the likeliest place to be running a Trojan. Are you allowed to download programs onto your work PC? If so, then the first thing I would suggest is downloading and running the free version of Malwarebytes (www.malwarebytes.com).

That isn't to say that it is necessarily the Windows PC that has the issue. I just think that is the weakest link.

I ran virus scanners on both this week and neither came up with anything. I don't have a lot of 3rd party software on my work PC but it is more suspect than my Mac, I agree with that. Not sure what to do next but I will change my iCloud password again today.
 

jetsam

macrumors 6502a
Jul 28, 2015
980
759
I ran virus scanners on both this week and neither came up with anything. I don't have a lot of 3rd party software on my work PC but it is more suspect than my Mac, I agree with that. Not sure what to do next but I will change my iCloud password again today.
Not to be overly insistent, but I'd still run Malwarebytes on the Windows PC - preferably in safe mode.
 

jetsam

macrumors 6502a
Jul 28, 2015
980
759
Then it's probably not your PC. That makes the Mac the next target, and I don't know enough about Macs to help.
 

perezr10

macrumors 68020
Jan 12, 2014
2,014
1,486
Monroe, Louisiana
Most corporate issued laptops have pretty robust surveillance. It could be some kind of automated investigation by the IT department to ascertain if outside websites are malicious. If you have your password set to autofill that would explain how they always know your password no matter how difficult or new it is.
 

thomasareed

macrumors member
Aug 24, 2015
91
91
I've come in late on this topic, but from the sounds of it, AppFigures was to blame. This isn't an indication that someone has your password or that you have a keylogger installed on anything.

For future reference, though, you should NEVER give anyone access to your Apple ID! I know nothing at all about AppFigures - they may very well be perfectly legitimate. However, giving them access to your Apple ID gives them access to everything... your e-mail, your iCloud documents, the purchasing power of whatever credit card you have associated with the account, your developer certificates (which could be sold to a malware creator), etc.

Even if you only gave them access through a more limited account associated with your developer account, that still gives them more access to your data than an unknown third-party should have.

That's bad advice. Here's what a respected security expert has to say on the matter:

https://www.grahamcluley.com/no-disabling-anti-virus-software-not-make-security-sense/
 

steve62388

macrumors 68040
Apr 23, 2013
3,100
1,962
That's bad advice. Here's what a respected security expert has to say on the matter:

https://www.grahamcluley.com/no-disabling-anti-virus-software-not-make-security-sense/

In terms of Macs I have seen untold more problems posted on this forum caused by anti-virus software than viruses themselves. It's almost (totally?) impossible to find a post here where somebody had contracted a virus as opposed to thought they had a virus and it turned out to be something else. The cure is worse than the ailment.
 

cswifx

Suspended
Dec 15, 2016
563
180
In terms of Macs I have seen untold more problems posted on this forum caused by anti-virus software than viruses themselves. It's almost (totally?) impossible to find a post here where somebody had actually contracted a virus as opposed to thought they had a virus and it turned out to be something else. The cure is worse than the ailment.

I've had a number of my mates getting adware on their Mac without them even knowing, and the worst part is that all of them had different kinds of adware. One even had a self-replicating script to protect its execution. It's safe to assume that you still need some kind of protection, whether in your browser or in your operating system, whatever you're using.
 

j-a-x

macrumors 68000
Original poster
Apr 15, 2005
1,566
285
Houston, Texas
I've come in late on this topic, but from the sounds of it, AppFigures was to blame. This isn't an indication that someone has your password or that you have a keylogger installed on anything.

For future reference, though, you should NEVER give anyone access to your Apple ID! I know nothing at all about AppFigures - they may very well be perfectly legitimate. However, giving them access to your Apple ID gives them access to everything... your e-mail, your iCloud documents, the purchasing power of whatever credit card you have associated with the account, your developer certificates (which could be sold to a malware creator), etc.

Even if you only gave them access through a more limited account associated with your developer account, that still gives them more access to your data than an unknown third-party should have.

That's bad advice. Here's what a respected security expert has to say on the matter:

https://www.grahamcluley.com/no-disabling-anti-virus-software-not-make-security-sense/

I got two more unauthorized login attempts this morning (LA and Kansas City). I have since changed my password.

I think that App Figures authorizes my account in a way that it shouldn't generate login attempts since I need to authorize each login only once. Maybe there's somewhat of a security risk associated with using that type of service but I think they are a legit company. Maybe the best approach would be to create a new Apple ID, give it access to my Apple Developer account as a team member, and then give that login to App Figures. They should have access to all of my app sales information but not my email/iCloud etc.
In terms of Macs I have seen untold more problems posted on this forum caused by anti-virus software than viruses themselves. It's almost (totally?) impossible to find a post here where somebody had contracted a virus as opposed to thought they had a virus and it turned out to be something else. The cure is worse than the ailment.

Yeah, I'm a software developer, I am very cautious about what I install on my Mac and what I use it for, and I'm pretty sure there are no viruses or malware on it. I've done a virus scan just to be sure, which came out negative. I really don't think this is the issue. Now my parents, I might worry about them having sketchy 3rd party software installed on their Macs, but that's another story.
 

steve62388

macrumors 68040
Apr 23, 2013
3,100
1,962
I've had a number of my mates getting adware on their Mac without them even knowing, and the worst part is that all of them had different kinds of adware. One even had a self-replicating script to protect its execution. It's safe to assume that you still need some kind of protection, whether in your browser or in your operating system, whatever you're using.

I'm very much for effective ad-blockers from reputable companies if just to stop the nasty beasties from tracking your every move. I'm also a proponent of Malwarebytes run on demand software. But I class packages from the big suppliers that install all sorts of hooks into the OS and are always 'on' as a different problem. These are the ones that cause issues with other software and systems.
Now my parents, I might worry about them having sketchy 3rd party software installed on their Macs, but that's another story.

+1 for Gatekeeper.
 

cswifx

Suspended
Dec 15, 2016
563
180
I think that App Figures authorizes my account in a way that it shouldn't generate login attempts since I need to authorize each login only once. Maybe there's somewhat of a security risk associated with using that type of service but I think they are a legit company.

If the correct way of authorization is given, a one-time token type authentication should be used and the website shouldn't be storing your credentials. If they do store your credentials though, that would trigger the 2FA every time they tried to login. It's highly unlikely that any legitimate service using Apple's proper login protocols would cause 2FA triggers.
 

lolkthxbai

macrumors 65816
May 7, 2011
1,426
489
I got two more unauthorized login attempts this morning (LA and Kansas City). I have since changed my password.

I think that App Figures authorizes my account in a way that it shouldn't generate login attempts since I need to authorize each login only once. Maybe there's somewhat of a security risk associated with using that type of service but I think they are a legit company. Maybe the best approach would be to create a new Apple ID, give it access to my Apple Developer account as a team member, and then give that login to App Figures. They should have access to all of my app sales information but not my email/iCloud etc.

Yeah, I'm a software developer, I am very cautious about what I install on my Mac and what I use it for, and I'm pretty sure there are no viruses or malware on it. I've done a virus scan just to be sure, which came out negative. I really don't think this is the issue. Now my parents, I might worry about them having sketchy 3rd party software installed on their Macs, but that's another story.

You should log into appleid.apple.com and generate an app-specific password for App Figures. It's much more secure than giving them your actual Apple ID password.
 

thomasareed

macrumors member
Aug 24, 2015
91
91
I got two more unauthorized login attempts this morning (LA and Kansas City). I have since changed my password.

If it's continuing to happen after closing down your AppFigures account, then that's not the culprit. Most likely, at this point, the issue is being caused by someone trying to reset your password, which will trigger a 2FA or 2SV code request without the person in question needing to know your password. See:

https://support.apple.com/en-us/HT201487

On the plus side, there's really no danger unless the person manages to guess the code, which is quite unlikely since the code changes every time. (It's even less likely if you have two-factor authorization enabled, which uses 6-digit codes, instead of two-step verification, which uses 4-digit codes.)

On the downside, there's really no way to stop the notifications until the person trying to reset gets tired of trying and gives up.
 

j-a-x

macrumors 68000
Original poster
Apr 15, 2005
1,566
285
Houston, Texas
I changed my password and haven't had an attempt since. I just can't fathom how somebody managed to steal/break my old password as it was very long and secure with case changes, numbers, symbols etc. Bizarre, but problem solved.
 

Hermes Monster

macrumors 65816
May 4, 2010
1,204
552
UK
I changed my password and haven't had an attempt since. I just can't fathom how somebody managed to steal/break my old password as it was very long and secure with case changes, numbers, symbols etc. Bizarre, but problem solved.

I've been having the same issue since turning on 2FA yesterday and I think it's actually my wife causing the alerts. We share my Apple ID for iTunes (naughty, I know) but she's also on my family plan.

My alerts always say it's someone in London (which is about 200 miles away from me) trying to access my ID - adding detail of which device they're trying to sign in on would help immensely! Having changed my password and still receiving the alerts does make me think it's my wife though, as she's generally annoyed that she can't download apps after I've made changes!
 

simonmet

Cancelled
Sep 9, 2012
2,666
3,664
Sydney
That's bad advice. Here's what a respected security expert has to say on the matter:

https://www.grahamcluley.com/no-disabling-anti-virus-software-not-make-security-sense/

If you have Windows 10 it's good advice. If you have Windows 7 or earlier it's probably not. With Windows 8 or 8.1 exercise caution but it's moderately good advice.

There are security researchers on both sides but it's an indisputable fact that most of the popular antivirus products have had many serious security flaws and behave themselves like spammy adware much of the time. Seriously, just Google "antivirus security flaws" or the widely publicised catastrophic Symantec flaws from last year.

The balance of opinion has seemingly shifted against antivirus vendors in recent years as OS developers themselves have been taking security increasingly seriously in their products. A move demanded by users who are increasingly informed and concerned about online threats. So who do you trust more? The OS maker or a third-party company?

Security researchers here support the original post but there are plenty of others:

http://www.tomsguide.com/us/antivirus-flaws-bsidessf,news-22331.html
http://www.pcworld.com/article/2459...dled-with-security-flaws-researcher-says.html
http://www.zdnet.com/article/symantec-antivirus-product-bugs-as-bad-as-they-get/

Having extensively used Windows 7, 8, 8.1, 10 and 10.1 I can say with some confidence that Microsoft has been serious about cleaning up Windows' (formerly terrible) reputation regarding viruses and malware. I stopped using antivirus with Windows 8 and I wouldn't dream of exposing my system to a third-party virus scanner in Windows 10.

I saw an article on Ars I believe that compared all the products and default Windows Defender (in W10 I believe) performed as well as many commercial packages and even better than a few, without exposing the PC to additional threats. Sorry I can't find the link right now.
 