The Strange Case of John Dillinger and the Fraudulent Apple ID

I suspect someone, somewhere has managed to find a way to create Apple IDs from email IDs they don’t have access to. The following is what leads me to believe this may be the case.

This morning I received the following email starting with “Dear John Dillinger, Welcome to the Apple Online Store”.

Dear John Dillinger Welcome to the Apple Online Store.

Four odd facts about this email:

  1. My name is not the same as that of an infamous 1930s criminal (John Dillinger).
  2. I never signed up for Apple’s services with that particular (old) email account (antonio@*******.it).
  3. The email isn’t phishing; it arrived from Apple, and the links are all legitimate Apple.com links.
  4. Plenty of other people have reported having the same thing happen to them.

OK, so what? Somebody hacked my old email address, right? Well, possibly, but let’s not jump to conclusions quite that quickly.

This old email account of mine runs via Google Apps for Business; it uses an extremely strong password (30+ random characters), and shows no signs of having been accessed by other people or IP addresses in the Google details for the account. No DNS changes have been made either at a domain level. I’m not claiming that it wasn’t hacked, but there aren’t strong signs to suggest as much.

I logged into the inbox for this account and noticed that Apple had only sent the one welcome email. When you signup for an Apple ID, you are supposed to receive an email confirmation link. I received none (unless the account was actually hacked and the person deleted every trace of such email). Odd.

I requested a password reset for that account, and in turn Apple sent me the link. I reset the password and was able to log in. The email address resulted as being verified. Furthermore, no details were present in the account other than the fake name (again, John Dillinger), my old email address, and US being listed as the country (I’m in Canada, not the States). This is strange because normally you can’t register an Apple ID without providing information such as your address, a security question, and your date of birth.

Two possibilities jump to mind:

  1. The malicious individual managed to find a way to create Apple IDs by using scraped email addresses (but without the actual need to have access to those inboxes).
  2. The malicious individual has gained access to third party email addresses.

I say scraped because even open source mailing lists have been receiving such emails.

Even in the second case, they still managed to register an Apple ID without providing any details to Apple. I can imagine this happening due to one of the Apple Store bugs or something along those lines, rather than the web interface.

Either way, I’m pretty certain it is not something Apple wants to have happen or find desirable. If you were able to do this, it would be fairly trivial and not overly time consuming to create lots of fake, butย legittimateย looking, accounts to boost the reviews of an app or other nefarious purposes. No need to even pay those $0.15 to microworkers to create fake accounts.

When I called Apple – flu, cough and fever be damned – they told me that I should reset the password (which I had already done). I asked if they could ban or delete the fraudulent account. The customer service agent on the line told me that they won’t do that and that I can’t delete the account myself.

So I, and presumably many other people like me, will be left wondering if “John Dillinger” has a trick up his sleeve to reset the Apple ID password himself or otherwise manage to control and use an account that is associated with one of my email addresses. The idea that Apple is OK with having fraudulent, unaccountable accounts like that is pretty absurd. We’ll see if this post helps clarify and perhaps fix the issue.

Get more stuff like this

Subscribe to my mailing list to receive similar updates about programming.

Thank you for subscribing. Please check your email to confirm your subscription.

Something went wrong.

37 Comments

  1. Lazza January 12, 2012
  2. FooBar January 12, 2012
  3. Lazza January 12, 2012
    • Antonio Cangiano January 12, 2012
      • Lazza January 12, 2012
  4. Scott Fenne January 12, 2012
    • Lazza January 12, 2012
    • Antonio Cangiano January 12, 2012
  5. Rob January 12, 2012
    • Miguel January 12, 2012
    • Lazza January 12, 2012
  6. piero January 12, 2012
    • Antonio Cangiano January 12, 2012
  7. Carlo January 12, 2012
  8. ivanhoe January 12, 2012
    • huxley January 12, 2012
  9. Ben January 12, 2012
  10. blowdev January 12, 2012
    • Andrey Tarantsov January 13, 2012
  11. MacGeek January 13, 2012
    • Antonio Cangiano January 13, 2012
    • Lazza January 13, 2012
      • Antonio Cangiano January 13, 2012
  12. Fabio January 13, 2012
    • Antonio Cangiano January 13, 2012
      • Fabio January 13, 2012
    • Fabio January 14, 2012
      • Adriano Esposito January 14, 2012
        • Fabio January 16, 2012
          • Adriano Esposito January 16, 2012
          • Adriano Esposito January 16, 2012
  13. Adriano Esposito January 13, 2012
  14. Adriano Esposito January 16, 2012
    • Lazza January 16, 2012
  15. Adriano Esposito January 16, 2012
    • Not John Dillinger January 19, 2012
      • AntX February 1, 2012

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: