This week I got a text from my friend Ryan that really surprised me. We haven’t seen each other in ages, but he saw something on his iPhone that he thought might be of interest to me.
You know how on occasion your iPhone or other Apple device will demand that you verify your Apple ID? The message that pops up says, “Apple ID Verification” and then tells you to “Enter the password for “yourappleID” in Settings. Your choices are, Not Now and a button to go into Settings where you can enter your password.
You’ve probably seen this but the reason Ryan thought it was interesting was that it was not asking him to verify his Apple ID, it was asking him to verify my Apple ID. He sent me a screenshot and it was quite clearly my email address for my Apple ID.
I immediately called Ryan to see if we could figure out how the heck this happened. He’s a brilliant technical guy so it was fun to noodle with him, even though I had a cold pit in my stomach about the security of my account.
When the popup happened, he clicked the button to go to Settings, but everything there looked like his own account and information. He could find no trace of my Apple ID. We went back through what he had been doing around the time it happened, and while he was messing around in the Sense app which I also have, and using 1Password which I also have, we couldn’t think how either of these would prompt an Apple ID verification of even his account.
I told him that a couple of days earlier while on travel, I’d seen a notification that a new Apple Watch had joined my account. While that was unsettling, all of my queries to view my devices revealed no unknown Apple Watches. But adding the two events together was too much of a coincidence.
We had a nice visit and made plans to meet up soon for dinner, and I went off to undertake the arduous task that is changing an Apple ID password.
My first stop was to go to beta.xkpasswd.net to choose a new password. The new shiny version, just like Bart Busschots’s original version has a configuration option for an easy-to-type password for Apple IDs. As the site explains, the Apple ID preset is “A preset respecting the many prerequisites Apple places on Apple ID passwords. The preset also limits itself to symbols found on the iOS letter and number keyboards (i.e. not the awkward to reach symbol keyboard).
I let XKPasswd generate a bunch of passwords until I found one that was pretty memorable and easy to type, and then I opened up the Settings section and tailored it just a bit more to my liking. I plopped it into 1Password and got to work.
Off to appleid.apple.com to change my password. Interestingly it told me I couldn’t do it on the web because I’ve enabled stolen device protection on my devices, and suggested I use my iPhone to change the password. I tried that and it worked a champ.
And then on my iPad Pro. And then on my MacBook Air. And then on my MacBook Pro. And then Steve did our 5 Apple TVs.
I was notified when I originally changed it that any site-specific passwords that had been generated earlier were now gone. I can’t remember all the places that will bite me later but I’ll tackle that when the time comes.
The next morning I decided to call Apple to see if they could explain how such a thing could have happened. I didn’t have high expectations that the mystery would be solved, but I like to get my money’s worth out of AppleCare.
The lovely Tatiana from the front lines of AppleCare took a few stabs at the problem but when I suggested perhaps we need a senior advisor to get involved, she readily agreed that she’d be delighted to hand this one off.
Senior Advisor Makiah took the call and she was fantastic. She very quickly realized that I could go quickly and outlined the scenarios of how someone else might get prompted to verify for my Apple ID.
- Had I ever shared my Apple ID account with Ryan?
- Had I sold or given a device to Ryan and forgotten to sign out?
- Was Ryan a member of my Family Sharing account at any time in the past?
The answer to all of these questions was an emphatic “No”.
I told her that I did a search on the interwebs for being prompted for someone else’s Apple ID and I found many people asking about this problem in the past half dozen years and as recently as just a few months ago. I suggested that the combination of a notification of an Apple Watch getting on my account and this errant Apple ID verification request to Ryan, was it possible some streams got crossed in iCloud that didn’t just affect me. I knew that question was fruitless and of course she said that wouldn’t have happened but I had to ask.
She suggested we take a gander at what devices were connected to my Apple ID. There are two ways of doing this. In System Settings on macOS or Settings on iOS, you select your avatar at the top where it says Apple ID, and below a half dozen settings you can see a list of your devices.
The second way is to go to appleid.apple.com and choose
As Makiah and I looked at the two listings, while many of the devices were on both lists, there were also devices listed only on one or the other. So that was fun.
The third place she suggested we look is in Find My on the Devices tab. This is where things got even more interesting. We found a slew of random devices with little description on them. For example, two of the devices were titled, “Mac” and their icons were of an iMac. I’ve never had an iMac. Steve has had a couple of them, but not me. Sh explained that if I’d ever had a login on one of them they might show up here.
She had me click on the little “i” on each device and remove them from my account. Every single time I asked to remove a device, it prompted me for my Apple ID password. This meant she had to stop and start viewing my screen over and over again, but the good news is I got a LOT more practice typing in that new password.
There was an iPhone listed but before I removed it I wanted to make sure it wasn’t the spare iPhone I use for Continuity Camera and for ScreenCastsONLINE tutorials. That one was turned off and in a bag for travel.
I booted it up while still talking to Makiah, and as expected, it joined the party of devices demading I log into my Apple ID. I entered the password, and it failed. Tried again, failed again. After four tries she asked me if it was saying that the Apple ID or password was wrong, but it was just saying “something has gone wrong.” I tried again … and I was locked out of my account.
I thought I’d just have to wait awhile, but with trepidation, Makiah told me that I was fully locked out and that I would have to change my Apple ID password. Again.
Now technically I didn’t yell at her but the moaning and whining could have been heard from miles away. I was so distressed that Siri kicked in and suggested that in times of stress sometimes it’s just better to take a break. I kid you not. Makiah and I had a good laugh about it.
I fiddled with my Apple ID password I’d just created (there’d been one thing about it I didn’t like anyway) and went back through all of my devices yet again. Steve was a saint using the Siri remote to dictate the password over and over to our five Apple TVs.
There’s one more thing of interest about the Find My part of my discussion with Makiah. We found a set of AirPods I’d sold to Ed Tobias, and a MacBook Air of Pat Dengler’s on which I briefly had an account for testing purposes.
I told her that both of those devices had been problematic after I’d given them back, even though on the Mac at least I had logged out and deleted my account, and for both devices, I’d removed them from my account through My Devices. She said that they “should” have disappeared from Find My, and I agreed that they “should” have done that too. She said when this happens it’s called a device mismatch and the solution is to remove them from Find My manually.
I’m telling you this part so that you’ll know that when you sell, give away, or trade in a device, to not only remove it from Devices in System Settings or appleid.apple.com, but to also go to Find My and remove them there too.
Bottom Line
The bottom line is that I’m relatively sure that my account wasn’t actually compromised since I never lost the ability to change my password, but I’ll never know for sure. I still think the streams crossed on Apple’s servers. Remember that the email address you use for account password recovery is the single most important address to protect. I will sleep better at night knowing I have relocked the door to the kingdom even if the keys were never actually lost.
I enjoyed Makiah very much and this will not be the last you hear of her.
So that’s what we all heard in Florida :):):)
Barry
That all sounds nuts. How could that happen?! By coincidence (maybe?), yesterday (Apr 10) my iPad mini showed an alert that my account was locked and I needed to go into Settings to unlock it. I opened Settings and showed the same message. I then went out and back into Settings just to be doubly sure, and the message was still there. It wanted my password, so I entered that, and my phone number, so I confirmed that, and finally it told me that the best way to unlock my account was by responding to the message sent to my other devices. No such messages came, my account on my other devices, and then also on the iPad. So that was weird, but seemed legit.
I missed a bit there sorry! Should’ve said “No such messages came, my account on my other devices, and then also on the iPad, all looked fine”.
Something was definitely up with Apple IDs lately. Last week (or maybe the week before), my wife got that same prompt to verify the Apple ID. Granted, she’s using my former MacMini, but everything indicates that it’s under her Apple ID.
Then I got a strange message from somebody asking who I was. For some reason, FaceTime had called his wife with my iCloud user. Checking FaceTime history, there was no such call from me. I had been testing iMessage with my wife right about the time I was contacted. But where’s the connection?
Does Apple’s network have ghosts in it?
Wow – Steve and Michael this really makes me think something glitchy is going on.