Meditations on programming, startups, and technology

The Strange Case of John Dillinger and the Fraudulent Apple ID

I suspect someone, somewhere has managed to find a way to create Apple IDs from email IDs they don’t have access to. The following is what leads me to believe this may be the case.

This morning I received the following email starting with “Dear John Dillinger, Welcome to the Apple Online Store”.


Four odd facts about this email:

  1. My name is not the same as that of an infamous 1930s criminal (John Dillinger).
  2. I never signed up for Apple’s services with that particular (old) email account (antonio@*******.it).
  3. The email isn’t phishing; it arrived from Apple, and the links are all legitimate Apple.com links.
  4. Plenty of other people have reported having the same thing happen to them.

OK, so what? Somebody hacked my old email address, right? Well, possibly, but let’s not jump to conclusions quite that quickly.

This old email account of mine runs via Google Apps for Business; it uses an extremely strong password (30+ random characters), and shows no signs of having been accessed by other people or IP addresses in the Google details for the account. No DNS changes have been made either at a domain level. I’m not claiming that it wasn’t hacked, but there aren’t strong signs to suggest as much.

I logged into the inbox for this account and noticed that Apple had only sent the one welcome email. When you sign up for an Apple ID, you are supposed to receive an email confirmation link. I received none (unless the account was actually hacked and the person deleted every trace of such an email). Odd.

I requested a password reset for that account, and in turn Apple sent me the link. I reset the password and was able to log in. The email address showed as verified. Furthermore, no details were present in the account other than the fake name (again, John Dillinger), my old email address, and US being listed as the country (I’m in Canada, not the States). This is strange because normally you can’t register an Apple ID without providing information such as your address, a security question, and your date of birth.

Two possibilities jump to mind:

  1. The malicious individual managed to find a way to create Apple IDs by using scraped email addresses (but without the actual need to have access to those inboxes).
  2. The malicious individual has gained access to third party email addresses.

I say scraped because even open source mailing lists have been receiving such emails.

Even in the second case, they still managed to register an Apple ID without providing any details to Apple. I can imagine this happening due to one of the Apple Store bugs or something along those lines, rather than the web interface.

Either way, I’m pretty certain it is not something Apple wants to have happen or finds desirable. If you were able to do this, it would be fairly trivial and not overly time consuming to create lots of fake, but legitimate looking, accounts to boost the reviews of an app or for other nefarious purposes. No need to even pay those $0.15 to microworkers to create fake accounts.

When I called Apple – flu, cough and fever be damned – they told me that I should reset the password (which I had already done). I asked if they could ban or delete the fraudulent account. The customer service agent on the line told me that they won’t do that and that I can’t delete the account myself.

So I, and presumably many other people like me, will be left wondering if “John Dillinger” has a trick up his sleeve to reset the Apple ID password himself or otherwise manage to control and use an account that is associated with one of my email addresses. The idea that Apple is OK with having fraudulent, unaccountable accounts like that is pretty absurd. We’ll see if this post helps clarify and perhaps fix the issue.
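The confirmation step the post expected to see, as an added sketch (not Apple's code and not part of the original post): an address counts as verified only after a signed token mailed to it is presented, and an unverified record does not reserve the address for whoever typed it in. The `Registry` class, the signing key and the `example.test` address are assumptions constructed for the illustration.

```python
import hashlib, hmac, secrets, time

SECRET = secrets.token_bytes(32)  # server-side signing key (constructed for this example)
TOKEN_TTL = 3600                  # seconds a mailed confirmation link stays valid

class Registry:
    def __init__(self):
        self.accounts = {}  # account_id -> {"email", "name", "verified"}
        self.owner = {}     # email -> the one account that proved it can read the inbox

    def _sign(self, account_id, email, expires):
        msg = f"{account_id}|{email}|{expires}".encode()
        return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

    def register(self, name, email, now=None):
        """Create an UNVERIFIED account; the returned token is only ever mailed to `email`."""
        now = time.time() if now is None else now
        email = email.strip().lower()
        if email in self.owner:
            raise ValueError("address already verified by another account")
        account_id = secrets.token_hex(8)
        self.accounts[account_id] = {"email": email, "name": name, "verified": False}
        expires = int(now) + TOKEN_TTL
        return account_id, f"{expires}.{self._sign(account_id, email, expires)}"

    def confirm(self, account_id, token, now=None):
        """Flip `verified` only for an intact, unexpired token; first confirmer owns the address."""
        now = time.time() if now is None else now
        acct = self.accounts.get(account_id)
        try:
            expires_s, mac = token.split(".", 1)
            expires = int(expires_s)
        except ValueError:
            return False
        if acct is None or now > expires:
            return False
        expected = self._sign(account_id, acct["email"], expires)
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return False
        if self.owner.setdefault(acct["email"], account_id) != account_id:
            return False
        acct["verified"] = True
        return True

def demo():
    reg, t0 = Registry(), 1_000_000
    # Third party registers an address whose inbox they cannot read, then guesses a token.
    fake_id, mailed = reg.register("John Dillinger", "owner@example.test", now=t0)
    forged = reg.confirm(fake_id, f"{t0 + TOKEN_TTL}.{'0' * 64}", now=t0)
    # The unverified record did not reserve the address: the real owner can still sign up.
    real_id, token = reg.register("Real Owner", "owner@example.test", now=t0 + 10)
    confirmed = reg.confirm(real_id, token, now=t0 + 60)
    late = reg.confirm(fake_id, mailed, now=t0 + 120)  # genuine token, but address is taken
    return forged, confirmed, late, reg.accounts[fake_id]["verified"]
```

Any provisioning path that creates accounts without going through `confirm` (the test-account route some commenters describe, for instance) bypasses this check, so the `verified` flag has to be set in exactly one place.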



37 Responses to “The Strange Case of John Dillinger and the Fraudulent Apple ID”

  1. Lazza says:

    I have had exactly the same problem today. XD Anyway, I didn’t ask for a password reset, because I don’t want to look like I’m the owner of that account. :-\

  2. FooBar says:

    It seems the OpenBSD list also received this notification. :-)

  3. Lazza says:

    Sounds legit, since OS X is a BSD rip-off. :D

  4. Scott Fenne says:

    There was an issue a while ago that would allow a malicious site to add a forwarding email filter in the user’s Google account. Maybe this is going on with your account? Although you would have had to be logged in to your old email account for this to work.
    Here is a link:
    http://www.gnucitizen.org/blog/google-gmail-e-mail-hijack-technique/

    • Lazza says:

      That’s very interesting, but I’m not sure it’s related. There are a LOT of people complaining about that, and it sounds unreal that a big site such as Google, Ebay or Facebook could be “infected” by that exploit.

    • No filters and no forwarding (other than to my main email account), and I never log in to that account. No pop3 or imap either.

  5. Rob says:

    Are you sure this isn’t the accidental work of some intern at Apple testing the Apple ID registration system?

    “John Dillinger” sounds more like the kind of thing a programmer would use to amuse themselves in a test than something a spammer or hacker would use when trying to avoid suspicion.

    I haven’t used names of famous criminals in my code testing, but I have used superheroes, strange animals and tech companies.

    • Miguel says:

      I don’t think it’s a test; I’ve had the exact same thing happen myself, and there’s nothing funny about my name, gosh darn it. I changed the password and forgot about it, and that’s the last I’ve heard of it. Haven’t checked to see whether the password still works, but I assume I would have received an email notification if it had been changed again.

    • Lazza says:

      I don’t think an intern would use the email addresses provided for downloading iTunes or something like that to bulk create a lot of new user accounts. :)

  6. piero says:

    Same here, with a seldom used gmail account. In Gmail you can check a log of account activity, with IP addresses, and there’s nothing suspicious in mine.

  7. Carlo says:

    mmmm same problem for me… the email used as AppleID is ****@email.it and that account is frequently checked by gmail web interface thanks to pop3. Any Clues?

  8. ivanhoe says:

    The fact that you can’t delete your Apple account yourself is very scary by itself, even without any hackers in the story… I’m pretty sure such policy is illegal, at least in EU… you should check Canadian laws on privacy, and see if you can force them to erase the account

    • huxley says:

      According to the Canadian Privacy policy

      “Access, correction, or deletion requests can be made through the regional Privacy Contact Form.”

      http://www.apple.com/ca/privacy/contact/

      Tell them you didn’t create that account and never gave anyone permission to, that you are concerned it may be impersonation or identity theft. If they don’t respond to you saying they’ll delete it, then tell them you will contact TRUSTe to file a complaint:

      “If you have questions or complaints regarding our Privacy Policy or practices, please contact us. If you are not satisfied with our response, you can contact TRUSTe.”

      http://watchdog.truste.com/pvr.php?page=complaint

      Not that it guarantees you will get satisfaction but it might move things further than you’ll get with a call-center employee.

  9. Ben says:

    Someone registered an Apple account with my email address as well. This was a couple years ago. At first, I didn’t care–this had happened to me before with other services, since I have a nice @gmail.com email address–but then I bought an iPhone so I naturally wanted to use my email address for the account.

    So I request a password reset. I log in, I see the person’s name, their physical mailing address is all filled in, and I can even see the last four digits of their credit card number. I change the password and change everything else as well, but conceivably I could have actually used their cc info fraudulently.

    Does Apple not verify email addresses? That just seems stupid for this type of account.

    Also, when I signed up for an Apple developer account, it used the previous name of the store account and I had to pester Apple a few times to change it.

  10. blowdev says:

    Apple developers can register test accounts with pretty much any email address with only a name and no other info. What you are seeing might be the result of test account registrations and not regular registrations. Whether this is being used for other nefarious purposes is anyone’s guess.

    • Andrey Tarantsov says:

      Exactly. When I was creating test accounts, the welcome emails were arriving, but the accounts were live without any kind of confirmation. Someone has willingly entered your email into iTunes Connect Test Accounts page.

  11. MacGeek says:

    Same thing happened to me. Regarding banning or deleting the fake account, you can’t outright delete it, but you can neutralize it. Here’s how I did it.

    1) reset the password for the fraudulent Apple ID;
    2) once you get in, change the email address to a random mailinator.com (or equivalent service) address.
    3) access the mailinator.com or equivalent email, and verify it.
    4) log into your real Apple ID, and verify your email there.

    Steps 2 and 3 are needed because when I tried to verify my email with my real Apple ID I got an error saying that it was already verified with a different account.

    Hope this helps.

  12. Fabio says:

    Same problem for me. The “gangster” used an old e-mail account belonging to the department of the university where I work. It may be interesting to note that this old account is no longer active (no way to log in with it), since our university provided us with new e-mail accounts and set the old ones as simple aliases.
    I wrote an e-mail to the Italian Apple support by picking up the only public e-mail address, since to access other kinds of support I should have provided a hardware ID I do not own… The automatic reply reported they will take 2 days and that they will not answer me if the order number was missing… wow!
    Any official news from Apple?

    • Fabio, your comment proves that “John” never had access to the email inbox. It looks like Apple is now disabling such accounts (most likely because of the attention this post brought to the issue).

      • Fabio says:

        Thank you, Antonio, for having started to investigate this issue. Hope to hear an official report from Apple about what happened.

    • Fabio says:

      Update: Italian Apple support replied to my e-mail. They told me to fill in a form concerning iTunes support… Unfortunately, the support page asks me what version of iTunes I use and other questions concerning iTunes… :|

      • Hi Fabio, can you post the URL of the form?

        I will fill in that I have the iTunes Dillinger version…

        • Fabio says:

          Cool! It looks like a limited special edition! ;)

          Did you intentionally download it or did you receive it against your will? :P

          I paste here the instructions received by e-mail (originally in Italian):

          To receive support with iTunes, we invite you to copy the following link: http://www.apple.com/it/support/itunes/contact/ and for the iTunes Store we recommend that you select “Ottieni il supporto di iTunes Store tramite e-mail” (“Get iTunes Store support via e-mail”); on the next page you will find direct online support, through forms to fill in. Our colleagues will reply to you by e-mail within 48 hours of the request being completed.

          Hope you receive an interesting reply.
          In that case, please share it with us!

          Bests,
          Fabio.

  13. I want to delete this fu** Apple ID the spammer created for me!!!

  14. I got this response from Apple:

    Dear Adriano,

    Welcome to iTunes Store Customer Support. My name is Natarajan.

    I understand that you would like to cancel your iTunes Store account. I am glad to help you today.

    Adriano, please note that if your account is canceled you will no longer be able to redownload or upgrade Apps that you have purchased or authorize new computers to play content you have previously purchased. Although account cancellation is something I can help you with, I would like to offer some alternative resolutions for your issue. There are a couple of options that will allow you to retain full access to the items you purchased that have digital-rights management (DRM) while preventing your account from being used to make additional purchases.

    1) You can remove your billing information from your account at any time so that it can’t be used to make purchases. By doing this, you retain the ability to authorize computers to play the items with DRM that you have purchased with the account and you will still have the account open in case you decide to use it later. Using this option also allows you to update and re-download applications that you have already purchased with your iTunes Store account. The instructions in this article can help you with removing the billing information while keeping the account open:

    iTunes Store: Changing Account Information
    http://support.apple.com/kb/HT1918

    2) The iTunes Store can disable your account, which will prevent it from being used to make purchases. You will still be able to play the items you purchased with the account but you will not be able to re-download or update Apps that you have purchased.

    It is also possible to cancel the account, but you may lose the ability to play the items with DRM that you already purchased from the iTunes Store. For example, if your computer is repaired, you may not be able to reauthorize the computer to play your DRM purchases after the repair. Also, you wouldn’t be able to authorize computers that were not already authorized before you canceled the account. If you purchased content on an iOS device and want to sync the content to a computer, but you have not yet authorized the computer for the account, you will not be able to sync the content to the unauthorized computer.

    Additionally, you will be unable to re-download or update Apps that you have previously purchased. If you create a new account in the future you will not be able to play any of the DRM items purchased with the canceled account and you will not be able to re-download or update Apps without having to purchase the Apps again. You can’t reactivate the canceled account.

    In addition, if your account name is also your Apple ID, then canceling the account will change the registration information for any product that you’ve registered with that Apple ID. This can make it difficult to sign in to other Apple websites that ask for an Apple ID and password.

    You should not cancel the account if you want to be sure you can continue to use your iTunes Store purchases that have DRM as well as update and re-download already purchased applications. I recommend either removing your billing information or disabling the account as described above.

    Note that if you have purchased any iTunes Plus content from the iTunes Store, or if you have upgraded any of your DRM purchases to iTunes Plus, canceling your iTunes Store account will not affect your ability to play the iTunes Plus items on existing, new, or repaired computers.

    If you would like the iTunes Store to disable or cancel the account “adriano.esposito@poste.it”, please reply to this email specifying if you would like it disabled or canceled and include the following information. This is necessary for security purposes.

    - The billing address listed on the account

    …as well as one of the following:

    - the last four digits of the credit card used for your iTunes Store account
    - or the order number of your most recent purchase
    - or the name of any item you’ve purchased using this account

    Upon receiving your response, Apple will verify your information, disable (or cancel) your account, and send you an email confirmation.

    Adriano, if you have any further questions, feel free to contact us and we will be happy to assist you.

    Have a nice day!

    Sincerely,

    Natarajan
    iTunes Store/Mac App Store Customer Support

    Please Note: I work Sunday to Wednesday and Saturday, 6:30AM to 3:30PM CST.

    Thank you for allowing me the opportunity to assist you.

  15. Anyway now my fraudulent Apple IDs are inactive: “This person record is inactive”.

    This BEFORE I reply to the message from Apple…

    • Not John Dillinger says:

      So it does seem that Apple is deactivating these accounts but now I can’t create an account with that email address which is my primary.


Copyright © 2005-2014 Antonio Cangiano. All rights reserved.