Apple locks users out of their Apple IDs without explanation


“Security” and “big tech” are two terms that don’t go well together at the moment. After ongoing security issues at Microsoft, Apple seems to have at least one minor problem that has left many users unexpectedly locked out of iCloud and devices belonging to it and forced to perform an unexpected password change. However, depending on Apple’s forthcoming response to the case, this minor problem could turn into a serious one.

Imagine a simple day with your beloved Apple devices - to be honest, this is the status quo on pretty much every day. This Friday, I first noticed that my Apple Watch Ultra was unable to update the weather forecast and the current temperature. I had arrived at one of our offices early and was therefore not in a “trusted location” - which are my home address and the nearest office, my main place of work. Suddenly I noticed that the Apple Watch was forcing me to verify the password of my Apple account (an old @mac.com one) out of nowhere. Then my iPhone came along with the same effect - feeling that something was very strange, I tried to access Apple’s [account page](https://appleid.apple.com/) and discovered that my account was indeed locked, forcing me to recover it with a subsequent password change.

Apple ID down?

Given that I am a bit of a “tinfoil-hat” guy, as friends and colleagues call me, when it comes to security, I tried to find out what could be wrong. I haven’t added any new devices to my account, which is of course protected by 2FA, backed up by two YubiKey 5C NFC keys. iOS 17.3’s “Stolen Device Protection” is also enabled, and at the time of writing I was not using any applications that require an application password - which got deleted after the account reset by the way! The password I used for my beloved old @mac.com address is generated and definitely not something that could be guessed or brute-forced - the tinfoil-hat guy, remember?

So I reset my password, knowing that I had some work to do at home later that evening. Two hours later, the same messages appeared again on my iPhone and Watch, so I went through the same process, feeling that something had to be wrong - and fearing that my account had some kind of security issue, especially since Apple’s official status page didn’t show anything unusual. Anyway, with all the security options Apple provides, the likelihood of a security flaw should be quite low - but the issue concerned me anyway (and should concern anyone with a similar experience). So, maybe it was a technical issue or something that forced Apple to lock my account?


Meanwhile, many people began reporting similar incidents around the world - many of them focusing on old @mac.com or @me.com addresses in the context of being the head of a family using the Family Sharing feature on iCloud.com. 9to5mac.com reported the issue fairly early on and staff at Forbes had similar experiences. The Verge got in line as well. The good news: I was not the only one. The bad: Nobody knew what was really going on because something was definitely wrong but Apple refused to comment on the issue, drawing the familiar veil of silence over the incident.

In the meantime, the Net has been flooded with news about the issue, so the whole thing seems to have a greater impact:

What’s next, Apple?

Interestingly, among my friends and acquaintances, I was the only one affected - the only one with an “old” @mac.com Apple ID. There was also no reaction in our family to similar effects (at least no one was texting or calling, so everything seems to be working). As the Net reports, Apple is downplaying the problem in terms of support calls and is not saying anything specific about “why” the whole thing happened in the first place. Personally, I could live with any explanation (precaution? attack? technical glitch?), as my security baseline is definitely more than just the simple standard, using all the options each vendor (in this case Apple) offers me, but there should definitely be an official statement on this issue that has not just affected a few individual users. There is no need to diminish the relative importance of this case, and simply saying nothing is the wrong way to prove that “security” and “privacy” are still at the heart of Apple’s agenda.


In the end, we see that security is not a status quo, but an ongoing process. Vendor agnostic. It’s a process often paved with good intentions and a lot of backtracking, but it’s never finished. For every measure there is a countermeasure, and yes, I love Apple, my fenced (and falling down) garden and the products that grow in it (and are paid for by the users) but specifically in this frustrating and annoying case I want an answer - and I am not alone!

So even as (or because of being!) a loyal Apple fan and user for two decades, I have to ask the obvious question:

What do you have to say about that, Apple?
