I suspect someone, somewhere has managed to find a way to create Apple IDs from email IDs they don’t have access to. The following is what leads me to believe this may be the case.
This morning I received the following email starting with “Dear John Dillinger, Welcome to the Apple Online Store”.
Four odd facts about this email:
- My name is not the same as that of an infamous 1930s criminal (John Dillinger).
- I never signed up for Apple’s services with that particular (old) email account (antonio@*******.it).
- The email isn’t phishing; it arrived from Apple, and the links are all legitimate Apple.com links.
- Plenty of other people have reported having the same thing happen to them.
OK, so what? Somebody hacked my old email address, right? Well, possibly, but let’s not jump to conclusions quite that quickly.
This old email account of mine runs via Google Apps for Business; it uses an extremely strong password (30+ random characters), and shows no signs of having been accessed by other people or IP addresses in the Google details for the account. No DNS changes have been made either at a domain level. I’m not claiming that it wasn’t hacked, but there aren’t strong signs to suggest as much.
I logged into the inbox for this account and noticed that Apple had only sent the one welcome email. When you sign up for an Apple ID, you are supposed to receive an email confirmation link. I received none (unless the account was actually hacked and the person deleted every trace of such email). Odd.
I requested a password reset for that account, and in turn Apple sent me the link. I reset the password and was able to log in. The email address showed as verified. Furthermore, no details were present in the account other than the fake name (again, John Dillinger), my old email address, and US being listed as the country (I’m in Canada, not the States). This is strange because normally you can’t register an Apple ID without providing information such as your address, a security question, and your date of birth.
Two possibilities jump to mind:
- The malicious individual managed to find a way to create Apple IDs by using scraped email addresses (but without the actual need to have access to those inboxes).
- The malicious individual has gained access to third-party email addresses.
I say scraped because even open source mailing lists have been receiving such emails.
Even in the second case, they still managed to register an Apple ID without providing any details to Apple. I can imagine this happening due to one of the Apple Store bugs or something along those lines, rather than the web interface.
Either way, I’m pretty certain it is not something Apple wants to have happen or finds desirable. If you were able to do this, it would be fairly trivial and not overly time-consuming to create lots of fake, but legitimate-looking, accounts to boost the reviews of an app or for other nefarious purposes. No need to even pay those $0.15 to microworkers to create fake accounts.
When I called Apple – flu, cough and fever be damned – they told me that I should reset the password (which I had already done). I asked if they could ban or delete the fraudulent account. The customer service agent on the line told me that they won’t do that and that I can’t delete the account myself.
So I, and presumably many other people like me, will be left wondering if “John Dillinger” has a trick up his sleeve to reset the Apple ID password himself or otherwise manage to control and use an account that is associated with one of my email addresses. The idea that Apple is OK with having fraudulent, unaccountable accounts like that is pretty absurd. We’ll see if this post helps clarify and perhaps fix the issue.