Apple's cavalier attitude towards ID theft

Discussion in 'Software' started by boiled_elephant, 20 Jun 2013.

  1. boiled_elephant

    boiled_elephant Merom Celeron 4 lyfe

    Joined:
    14 Jul 2004
    Posts:
    6,632
    Likes Received:
    868
    I got this email today:

    [image of the email]

    I haven't attempted a password reset. It's not unusual for people to try to steal my online accounts, of course (happens pretty much all the time), but I was amazed by Apple's laid-back attitude. Most likely, someone just mistyped their address? Do they not know how account theft and online fraud work? :rolleyes:

    That they'd hand-wave a password reset attempt without so much as an "if you didn't request this..." conditional thrown in is ridiculously lax. Or am I over-reacting? Maybe identity theft is an urban legend, or just something that never happens to Apple customers.
     
  2. CrazyJoe

    CrazyJoe Modder

    Joined:
    4 Aug 2010
    Posts:
    1,412
    Likes Received:
    119
    Valve did something similar when steamguard first came out. The email with the validation code said if you didn't request this just ignore it when it should've said if you didn't request this then someone knows your username and password, change it now!
     
  3. RedFlames

    RedFlames ...is not a Belgian football team

    Joined:
    23 Apr 2009
    Posts:
    13,800
    Likes Received:
    2,177
    glad to see nothing's changed... :rolleyes:
     
  4. theshadow2001

    theshadow2001 [DELETE] means [DELETE]

    Joined:
    3 May 2012
    Posts:
    5,263
    Likes Received:
    176
    I don't get it. Someone tried to reset your password. Without access to your email account there's not much they can do anyway. Anyone who is trying to guess your password or brute force it (which I reckon is unlikely) wouldn't trigger the reset password option (on purpose).

    I don't really see anything cavalier or worth worrying about.

    What am I missing here :confused:
     
  5. freshsandwiches

    freshsandwiches Can I do science to it?

    Joined:
    9 Aug 2009
    Posts:
    552
    Likes Received:
    15
    I think the point is the last line of defence is the email account. It is not uncommon that people tend to use the same user name and password for different accounts.
     
  6. boiled_elephant

    boiled_elephant Merom Celeron 4 lyfe

    Joined:
    14 Jul 2004
    Posts:
    6,632
    Likes Received:
    868
    If you're going to steal someone's identity, your first order of business is to get access to their email account. From there, you perform password resets on all their other financially sensitive accounts with the possibility of saved payment methods (Apple, Amazon, Paypal, Steam, Origin, Ebuyer) and then modify the security information on those accounts so that, once they realise what's happened and reclaim their email account, you've still got the ability to go back into those accounts and change their passwords again, completely taking control away from them.

    The keyring for all of it is the email account. Get that, and you've got them by the balls. In this case, my email account hadn't been compromised and no harm was done, but that's not the point: as far as Apple are concerned, it might've been (they have no idea who's logging into my email account), and treating a password request as innocuous by default is foolish because it would be the first warning sign if somebody were attempting this kind of fraud.

    TL;DR: email-based password reset requests are how people get ****ed. Apple should know this and should warn people that it may be going on so that they can respond quickly before the problem escalates (the absolutely mandatory first action is to change the password and security details on your email account so that more online accounts can't be compromised.)
     
  7. blackerthanblack

    blackerthanblack Minimodder

    Joined:
    17 Sep 2004
    Posts:
    726
    Likes Received:
    55
    Are you sure the email is genuine, and not a phishing email?

    I'm assuming as you've scrubbed out your ID at the top, that it was addressed to you specifically, and the links are indeed Apple links - just making sure...
     
  8. boiled_elephant

    boiled_elephant Merom Celeron 4 lyfe

    Joined:
    14 Jul 2004
    Posts:
    6,632
    Likes Received:
    868
    Unfortunately so, yep. Everyone else seems to have this business down, which is why this surprised me - this is the first time I've seen a company not take unrequested password resets seriously.
     
  9. workingclass

    workingclass What's a Dremel?

    Joined:
    17 May 2010
    Posts:
    246
    Likes Received:
    10
    Got my Origin account stolen... the guy did NOT have access to my email at any point, but succeeded in changing my password anyway. I only noticed after being unable to log in and checking my email, where I had received notifications that my password had been changed, but no email asking to confirm the password change.

    I then spent a good part of the day on the phone to EA in Denmark, eventually sending them pictures of my product key, having my account returned to me, only to share my battlelog with the hacker. That's right, I was logged into battlelog WITH the hacker, who proceeded to provoke me in Russian, and saying stuff to my friend who I was having a conversation with in the same chat box I was using to talk with him. On the phone with EA again and they said they couldn't do anything for me, I'd just have to wait until he logged out :eek:

    That whole thing freaked me out about Origin, so so bad.
     
  10. theshadow2001

    theshadow2001 [DELETE] means [DELETE]

    Joined:
    3 May 2012
    Posts:
    5,263
    Likes Received:
    176
    Ah, you're pointing to the fact that it's a sign of a possible email account hack rather than anything to do with how they secure their own accounts.

    Sent from my GT-I9100 using Tapatalk 4 Beta
     
  11. fdbh96

    fdbh96 What's a Dremel?

    Joined:
    29 May 2011
    Posts:
    1,894
    Likes Received:
    33
    I had the same email today, I thought it was a bit odd too. Usually there's a link to say it wasn't you.

    Also it's definitely Apple as it's recognised them in my contacts.
     
  12. faugusztin

    faugusztin I *am* the guy with two left hands

    Joined:
    11 Aug 2008
    Posts:
    6,943
    Likes Received:
    268
    And the point of that link is? The only thing I can think of is invalidating the request - which is kinda pointless anyway. They will not notify the police, they will not search for the man hiding behind the IP which requested the password, they can't ban the IP address (a large part of users are either on dynamic IPs or behind huge NATs like mobile networks)... So, what is really the point of that "link" except invalidating the request only you could reach?
     
  13. fdbh96

    fdbh96 What's a Dremel?

    Joined:
    29 May 2011
    Posts:
    1,894
    Likes Received:
    33
    I didn't say it was useful, merely that it's usually there.
     
  14. boiled_elephant

    boiled_elephant Merom Celeron 4 lyfe

    Joined:
    14 Jul 2004
    Posts:
    6,632
    Likes Received:
    868
    Yep, that's what I was getting at. It's not Apple's responsibility, of course, but they do have a vested interest in your email account remaining secure and in you being aware of any potential breaches.

    I guess it'd alert them to the fact that a particular account was being targeted. That's useful to know when deciding what to do if, for instance, a huge quantity of purchases are made on the account later that week :)
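    The idea in posts 6 and 14 (an unrequested reset is the first warning sign, and a later burst of purchases on the same account deserves a closer look), written out as a defender-side example added here; this is not code from the forum, from Apple or from any of the services named in the thread. It replays a constructed account event log: a reset request that is never completed via the emailed link, or that the owner disavows through an "if you didn't request this" link, puts the account on watch for a week, and purchases in that window are flagged for step-up verification. The event names, the seven-day window, the purchase threshold and the sample events are all constructed assumptions. It deliberately does not cover the case where an attacker who already controls the mailbox completes the reset themselves.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed event kinds (assumption: a real service has many more signals).
RESET_REQUESTED = "password_reset_requested"   # someone pressed "I forgot my password"
RESET_COMPLETED = "password_reset_completed"   # the emailed link was actually used
RESET_DISAVOWED = "password_reset_disavowed"   # owner clicked "this wasn't me"
PURCHASE = "purchase"

WATCH_WINDOW = timedelta(days=7)   # assumption: how long a reset keeps an account on watch
LARGE_PURCHASE = 100.0             # assumption: amount that triggers step-up while on watch


@dataclass
class Event:
    ts: datetime
    account: str
    kind: str
    amount: float = 0.0
    reset_id: Optional[str] = None


@dataclass
class AccountState:
    pending_resets: Dict[str, datetime] = field(default_factory=dict)  # open reset tokens
    disavowed_at: Optional[datetime] = None


def assess(events: List[Event]) -> List[Tuple[str, datetime, str]]:
    """Replay the log in time order; return (account, timestamp, finding) alerts."""
    states: Dict[str, AccountState] = {}
    alerts: List[Tuple[str, datetime, str]] = []
    for ev in sorted(events, key=lambda e: e.ts):
        st = states.setdefault(ev.account, AccountState())
        if ev.kind == RESET_REQUESTED:
            # Not proof of compromise, but the first sign the thread describes.
            st.pending_resets[ev.reset_id] = ev.ts
        elif ev.kind == RESET_COMPLETED:
            # The legitimate flow closes the request: the owner used the link.
            st.pending_resets.pop(ev.reset_id, None)
        elif ev.kind == RESET_DISAVOWED:
            # The "if you didn't request this" link: invalidate every open token
            # and tell the owner to secure the mailbox that received it.
            st.pending_resets.clear()
            st.disavowed_at = ev.ts
            alerts.append((ev.account, ev.ts,
                           "user disavowed reset; tokens invalidated, advise email password change"))
        elif ev.kind == PURCHASE:
            open_requests = [t for t in st.pending_resets.values()
                             if ev.ts - t <= WATCH_WINDOW]
            disavowed_recently = (st.disavowed_at is not None
                                  and ev.ts - st.disavowed_at <= WATCH_WINDOW)
            # Any purchase after a disavowal, or a large one while a reset request
            # is still open, gets step-up verification instead of silent approval.
            if disavowed_recently or (open_requests and ev.amount >= LARGE_PURCHASE):
                alerts.append((ev.account, ev.ts,
                               f"purchase {ev.amount:.2f} while account on watch; step-up verification"))
    return alerts


# Constructed sample log covering the cases discussed in the thread.
_BASE = datetime(2013, 6, 20)
SAMPLE_EVENTS = [
    Event(_BASE, "alice", RESET_REQUESTED, reset_id="r1"),          # never completed
    Event(_BASE + timedelta(days=2), "alice", PURCHASE, amount=250.0),
    Event(_BASE + timedelta(days=3), "alice", PURCHASE, amount=30.0),
    Event(_BASE, "bob", RESET_REQUESTED, reset_id="r2"),
    Event(_BASE + timedelta(hours=1), "bob", RESET_COMPLETED, reset_id="r2"),  # owner did it
    Event(_BASE + timedelta(days=1), "bob", PURCHASE, amount=250.0),
    Event(_BASE, "carol", RESET_REQUESTED, reset_id="r3"),
    Event(_BASE + timedelta(hours=2), "carol", RESET_DISAVOWED),    # "this wasn't me"
    Event(_BASE + timedelta(days=1), "carol", PURCHASE, amount=20.0),
    Event(_BASE, "dave", RESET_REQUESTED, reset_id="r4"),
    Event(_BASE + timedelta(days=10), "dave", PURCHASE, amount=500.0),  # outside window
]


def run_demo() -> List[Tuple[str, datetime, str]]:
    return assess(SAMPLE_EVENTS)


if __name__ == "__main__":
    for account, ts, finding in run_demo():
        print(f"{ts:%Y-%m-%d %H:%M} {account}: {finding}")
```

    With the sample log, bob's purchase passes because the reset he requested was completed through the emailed link, dave's passes because the open request is older than the window, alice's 250.00 purchase is held for step-up while her request is still open, and carol's disavowal both invalidates the token and flags her next purchase regardless of amount.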
     
  15. Xir

    Xir Modder

    Joined:
    26 Apr 2006
    Posts:
    5,387
    Likes Received:
    112
    Nope, if they knew your password, you wouldn't have gotten this email.
    Someone knows your username, and pressed the "I forgot my password" button.

    I know your username, want to change it? :hehe:
     
  16. CrazyJoe

    CrazyJoe Modder

    Joined:
    4 Aug 2010
    Posts:
    1,412
    Likes Received:
    119
    It wasn't that email. It's the email you get when you login on a new machine and you get your Steamguard code to enter. The email that you only get when someone knows your username and password.
     
  17. Xir

    Xir Modder

    Joined:
    26 Apr 2006
    Posts:
    5,387
    Likes Received:
    112
    That's not what we're looking at on top of this topic is it?
     
  18. stjimmy69

    stjimmy69 What's a Dremel?

    Joined:
    19 Jul 2012
    Posts:
    27
    Likes Received:
    0
    A long time ago I did a demonstration to a friend of mine where I was able to log into his PayPal account and transfer money in to my bank account purely by guessing his "secret keyword" for Hotmail.
    People forget this... if you have access to someone's email account you can quite easily get access to anything they've used that account with. Paypal, Amazon, Facebook...
    Unfortunately there's not much you can do about it other than setting your secret key to anything other than "mother's maiden name".
    He did make it a lot easier by showing me his online family tree...

    The point being that I find it very difficult to trust a company which presents such a narrow-minded or humorous approach to account safety. The reality is, their jocular approach has no bearing on what happens in the background. For all you know, their passwords could be stored in plaintext somewhere on their network.
     