I suspect someone, somewhere has managed to find a way to create Apple IDs from email IDs they don’t have access to. The following is what leads me to believe this may be the case.
This morning I received the following email starting with “Dear John Dillinger, Welcome to the Apple Online Store”.
Four odd facts about this email:
OK, so what? Somebody hacked my old email address, right? Well, possibly, but let’s not jump to conclusions quite that quickly.
This old email account of mine runs via Google Apps for Business; it uses an extremely strong password (30+ random characters), and shows no signs of having been accessed by other people or IP addresses in the Google details for the account. No DNS changes have been made either at a domain level. I’m not claiming that it wasn’t hacked, but there aren’t strong signs to suggest as much.
I logged into the inbox for this account and noticed that Apple had only sent the one welcome email. When you sign up for an Apple ID, you are supposed to receive an email confirmation link. I received none (unless the account was actually hacked and the person deleted every trace of such email). Odd.
I requested a password reset for that account, and in turn Apple sent me the link. I reset the password and was able to log in. The email address showed as verified. Furthermore, no details were present in the account other than the fake name (again, John Dillinger), my old email address, and US being listed as the country (I’m in Canada, not the States). This is strange because normally you can’t register an Apple ID without providing information such as your address, a security question, and your date of birth.
Two possibilities jump to mind:
I say scraped because even open source mailing lists have been receiving such emails.
Even in the second case, they still managed to register an Apple ID without providing any details to Apple. I can imagine this happening due to one of the Apple Store bugs or something along those lines, rather than the web interface.
Either way, I’m pretty certain it is not something Apple wants to have happen or find desirable. If you were able to do this, it would be fairly trivial and not overly time-consuming to create lots of fake, but legitimate-looking, accounts to boost the reviews of an app or other nefarious purposes. No need to even pay those $0.15 to microworkers to create fake accounts.
When I called Apple – flu, cough and fever be damned – they told me that I should reset the password (which I had already done). I asked if they could ban or delete the fraudulent account. The customer service agent on the line told me that they won’t do that and that I can’t delete the account myself.
So I, and presumably many other people like me, will be left wondering if “John Dillinger” has a trick up his sleeve to reset the Apple ID password himself or otherwise manage to control and use an account that is associated with one of my email addresses. The idea that Apple is OK with having fraudulent, unaccountable accounts like that is pretty absurd. We’ll see if this post helps clarify and perhaps fix the issue.