"Apple Just Gave Out My Apple ID Password Because Someone Asked"

All the security in the world can be rendered useless by human error, it seems. Marko Karppinen, a software designer, says Apple gave his password to someone who simply emailed them and asked for it.

Allegedly, the following email was enough for Apple to hand over Marko’s login information to a stranger with a yahoo.com email address:

am forget my password of mac,did you give me password on new email marko.[redacted]@yahoo.com

The stranger then logged in to Marko’s account and changed his password. Fortunately, the security question stayed the same and he was able to regain access to his account. Meanwhile, the stranger had access to:

- My personal details
- My personal email
- All the files stored on my iDisk
- Everything I’ve synchronized to .Mac, including my Address Book, Bookmarks, Keychain items, etc.
- My credit card details as stored in my Apple Store profile
- My iTunes Music Store Account
- My ADC Premier membership, including the software seed key and other assets
- The iPhone Developer Program’s Program Portal, including details of our development team

Whoops.

Apple just gave out my Apple ID password because someone asked [Karppinen] (Thanks, Ivy!)

Comments


  1. weakdome says:

    Obviously that original email was authentic, since it was worded so well.

  2. Bakkster_Man says:

    Isn’t rule 1 of the internet to not trust a Yahoo account, unless it’s the exact Yahoo account you’re expecting?

  3. alumicor says:

    Password security as far as ISPs and many websites go only needs you to verify little to no information before they reset a password for you. I used to work tech support for a local ISP in town that only required you to know the name on the account and the physical address.

    I am now working for a different ISP doing basically the same thing and they have the same practice as far as passwords are concerned. Unfortunately due to confidentiality agreements I can not tell you which ISPs they are but needless to say I’m sure this is no different for all major ISPs with more than 50,000 accounts.

  4. GMFish says:

    What’s the point of having the security question if Apple simply ignores it? Someone really screwed up. And considering how poorly worded the original email was, it’s even more egregious.

  5. azntg says:

    Forget social engineering with the would-be victim, just fire off a short e-mail to the host. Got it!

  6. evslin says:

    @Bakkster_Man: Even if it’s the exact Yahoo account you’re expecting, it’s trivial to change the reply-to and forge the from address.

    Only reason I’d ever give out password info like that is if somebody actually called and I know who they are or I see their phone number on my caller id.

  7. zentex says:

    @Bakkster_Man: no, the #1 rule is suspect EVERYTHING

  8. Eigtball says:

    What I don’t understand is why they just didn’t use the Canned Response for that type of request?

  9. You have to understand: the person answering that email probably couldn’t have written anything more eloquent. When a Nigerian is asking an Indian for your info, you just know you’re gonna get screwed.

  10. Propaniac says:

    @weakdome: No, see, Apple knew the e-mail was authentic BECAUSE it was written so badly. If it was a scammer, he would have put in the extra effort to make it look genuine. It’s simple logic!

  11. mgy says:

    @terekkincaid: See, that’s just the thing. Apple is renowned for their state-side customer service. That’s why I suspect that there’s gotta be more to this story.

  12. mbressman says:

    @evslin: Even caller ID’s can be spoofed

  13. gqcarrick says:

    I wonder how Steve Jobs will fix this one.

  14. IssaGoodDay says:

    Also, how did the OP obtain an exact copy of the original e-mail? Definitely more to this story.

  15. tedyc03 says:

    So sad but true. Not Apple’s fault per se, a bad employee though. Someone needs to be fired and apologies need to be made.

  16. Hmmm … many support organizations log electronic contact details in a “ticket” system. The support agent, or technology that fulfilled this password recovery, probably created a ticket and logged the email as a matter of course.

    When Marko got his account back he probably checked his support history, and got the information.

    Can anyone verify whether this might be a possibility with the Icare support system?

  17. Eoghann says:

    Most important rule of security: TNO (Trust No One)

    OP needs to change everything the imposter had access to. Immediately.

  18. @terekkincaid:
    fucking brilliant. even though it cannot be applied to this situation, that comment made me laugh my ass off

  19. mike says:

    I’m surprised that Apple passwords are clear-text. I would have thought that most web sites use some sort of one-way hash to save passwords (like *nix). I know I do an MD5 hash for saved passwords on my web site. That way, no one knows what your password is except you.

  20. moore850 says:

    uh oh spageddios! That’s the trouble with friendly customer service… it’s hard to draw the line between friendly and breaching security. Oh wait, no it’s not, it’s incredibly easy to draw that line.

  21. LostAngeles says:

    I’m wondering if maybe there’s a mix-up with two different accounts since the original report said the names didn’t match. That doesn’t excuse the fuck-up by Apple, but it’s a possibility for the source.

    Also, since it seems targeted, I’d wonder if it’s a disgruntled (ex)employee/client/customer.

  22. darksunfox says:

    I worked tech support for 10,000 user accounts for a year and not once reset a password via email. If they had enough info to do it via email, they could use the automated form. If it was over the phone, I verified last 4 SSN plus account related questions. It’s really incomprehensible to have this happen. Data security in customer service is really pretty easy – verify the hell out of who is contacting you, and if anything seems out of whack, don’t give out any sensitive data at all. I’d rather be the guy people on this site are complaining about who won’t let you into your account if you won’t answer the security questions (“Why should I have to do this! can’t you just verify me by (information that someone who has compromised your identity already has)”…) than the guy who ends up on this site after letting unauthorized access into someone’s account.

    It is a little weird that the OP has the original email sent. Does Apple log every contact made with them then? I’ve never used the service so I don’t know if this is standard or not.

  23. macdude22 says:

    Somehow I doubt this is at face value. It’s more likely someone pieced together the information necessary to change the password, such as the security question. As far as I know I can’t email xxx@apple.com with a bunch of gibberish to reset my .mac password. Consumerist, do some homework before you start posting this stuff.

  24. evslin says:

    @mbressman: If we really wanted to get technical about it, we wouldn’t give passwords out to somebody who physically came into our office either, because who knows they could be under duress or something too. ;)

  25. bradanomics says:

    I did the same to my internal IT department, but it was legit. One of my coworkers’ passwords expired while he was out of the country on business and needed to be able to access internal resources. He couldn’t call IT because of the cost issue (well, he could have but it wouldn’t have been that easy), and he couldn’t email IT from his corporate email because he couldn’t log in. I called up our IT department as I was in the office and asked them to reset his password. I know his user name due to the conventions that we use. Would have been real simple to just hijack his account.

  26. hoofedblacky says:

    @TakingItSeriously: iCare…more like iLog, iLog 4.0 to be exact; it does create a ticket but it is not viewable by the customer, hence why many agents log ID-10t as an error or put notes about the customer in the system. And it’s all agent side, no automation. Even the e-mail support has to log.

  27. JaneBadall says:

    This same thing happened to me with Earthlink. Someone with a similar email address contacted their livechat for password help. Instead of resetting the password, they gave out the one on file.

    I found this out when I contacted them about a different problem and requested the live chat transcriptions for the last six months. Imagine my surprise. For three months a total stranger had access to my email account and using that, could have accessed nearly every other account I have online.

    At first Earthlink tried to tell me that I was mistaken, but I had it in print from them. Then they offered to change my password. Already taken care of by me, thanks. Finally they gave me 6 months free service which I am using to find another provider.

  28. mermaidshoes says:

    When I worked at Apple, we required address verification, and did not ever give out passwords–we just reset them for users who’d forgotten them.

  29. sponica says:

    My sister wanted to buy music off iTunes but didn’t have an account, so she used mine and somehow managed to change the password and billed all her music to my credit card….thankfully it was only a handful of songs. I am not surprised in the least that this happened.

  30. Sam2k says:

    Why do Apple employees have access to user passwords? I would think that they would be stored in an encrypted form in Apple’s database. There’s no good reason for any Apple employee to have access to them.

  31. cjnewbs says:

    What amazing security procedures for a company who claim their OS is so much more secure than Windows.
    (Just a light hearted joke – I use Mac and PC)

    This should not have even been possible.

    Personally, the first rule in my book for storing password data is to have it saved as a salted hash, which is how I did it when I wrote a web user management system.

    For those of you that don’t know what a salted hash is, let me explain. A hash is a “fingerprint” of a data sample. MD5 is a popular one, and whether your data is 1 byte long or 10 gigabytes it always creates a unique (collisions have been found but let’s not go there) 128 bit “signature”.

    The salting aspect is where additional data is added to the data before hashing, i.e. if your password is “mypassword1” and the salt is “alfpm”, then the salted password is “alfpmmypassword1”
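The salted-hash scheme cjnewbs describes, written out as an added example that is not from the original post or from any commenter; it also shows why, as mike and Sam2k ask above, a support agent can only reset a password and never read it back. SHA-256 is swapped in for MD5, the salt is generated per user instead of fixed, and the in-memory `USERS` table and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for a user database: username -> (salt, salted hash).
# Nothing in this table is the password itself, so there is nothing to "give out".
USERS = {}


def salted_hash(salt, password):
    """Hash salt+password, salt prepended exactly as the comment describes.

    SHA-256 replaces the comment's MD5. A production system should use a slow,
    purpose-built password KDF (PBKDF2, bcrypt, scrypt or Argon2) instead of a
    single fast hash; the salt-then-hash construction shown here is the same idea.
    """
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def create_account(username, password):
    """Store a random per-user salt and the salted hash, never the password."""
    salt = secrets.token_hex(8)  # random per user, so equal passwords hash differently
    USERS[username] = (salt, salted_hash(salt, password))


def verify(username, password):
    """Recompute the salted hash for the supplied password and compare it in
    constant time against the stored one."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(stored, salted_hash(salt, password))


def support_lookup(username):
    """Everything a support agent could see for this user: the hash digest.
    No function here returns the password, because the server never kept it."""
    record = USERS.get(username)
    return None if record is None else record[1]


def reset_password(username):
    """The only recovery path the data model allows: issue a new password,
    hash it, and replace the record. The old hash is discarded."""
    new_password = secrets.token_urlsafe(12)
    create_account(username, new_password)
    return new_password
```

Run `create_account("marko", "mypassword1")` and then `support_lookup("marko")` to see that the stored record is a 64-character hex digest, not the password; `reset_password` is the only thing an agent could legitimately do for a caller who claims to have forgotten it.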

  32. lilyfirecracker says:

    I can imagine Marko’s frustration with a small, non-technologically savvy company like Apple having employees on hand to give out personal information to Sam, Dick & Harry… It’s too bad Apple doesn’t have the resources to develop web services to verify, authenticate or automate resetting one’s password… Kudos to Apple for e-mailing Marko’s .Mac & fraudulent Yahoo accounts! Apple’s gotta do something right…. right?!?

    Pardon me for crying bullshit on this one!!

    I’ve “lost” my .Mac and Apple ID passwords & have had the personal experience of “resetting” them through Apple’s website. There is no “retrieval” via e-mail!

  33. baristabrawl says:

    I don’t take people with Yahoo accounts seriously. I can’t believe how many people use them for correspondence. Why?

    I have been trying to get everyone I know to switch to gmail.