OFFICIAL SECURITY BLOG


What to do if your Apple ID has been hacked

Published August 10th, 2014 at 8:51 AM EST, modified August 10th, 2014 at 7:30 PM EST

Apple IDs are a popular target for hackers. This is not only because Apple devices have become so popular, but also because Apple IDs typically provide purchasing power. With an Apple ID, a hacker can purchase music and movies in the iTunes Store or apps in the iOS App Store or Mac App Store on someone else’s dime. Typical symptoms of an Apple ID hack are a sudden inability to log in or strange purchases showing up in your purchase history or on your iOS device. So what do you do if you believe your Apple ID has been hacked?

Effects and Causes

Before discussing how to undo the hack, it’s critically important to understand why dealing with a hacked Apple ID must be done quickly. I’ve seen people who have allowed their Apple IDs to remain hacked for months before bothering to do anything about it. This allows the hacker to continue making purchases with your Apple ID, sending e-mail messages or iMessages as you, accessing your iCloud data, etc. However, there’s an additional problem that most people are either unaware of or don’t think about.

The anti-theft features of Mac and iOS devices involve your Apple ID, and can be abused by someone with access to your Apple ID. Your Apple ID could be used to remotely erase your Mac or iOS devices, which could be a disaster if you don’t maintain a good set of backups. Worse, in iOS 7, your Apple ID can be used to lock your iOS device in a way that cannot be bypassed – even by erasing the iOS device – without access to the Apple ID. If the hacker manages to permanently lock you out of your Apple ID, which can be done in a 3-day period using two-factor verification (more on this shortly), he/she can then permanently lock your iOS 7 devices!

In other words, if you believe your Apple ID has been hacked, you need to respond quickly and decisively to regain access and lock the hacker out. Failing to do so could cause you to lose all purchases made with your Apple ID, lose all your data and even turn your iOS 7 devices into expensive paperweights!

The first thing most people want to do is scan for viruses, but there is actually little point to doing that. On the Mac, there is very little malware out there, and I’ve never heard of a single confirmed case of an Apple ID being stolen through an infected Mac. On iOS devices (i.e., iPads, iPhones and iPod Touches), there is no known malware capable of affecting them unless they have been jailbroken (i.e., hacked to disable security in order to download apps from outside the App Store). Further, due to the security features that prevent malware, there is also no anti-virus software capable of scanning an iOS device. If you are using your Apple ID on a Windows machine, keyloggers are possible, but that’s a matter for your Windows anti-virus software and your local Windows tech.

Apple IDs are typically hacked through other means. Some (though certainly not all) possibilities are:

  • If your password is a poor one, it may fall to simple brute-force attack by a botnet.
  • You could be fooled by one of the many Apple ID phishing scams circulating, in which you receive an e-mail message that is supposedly from Apple, but when you click the link provided in the message, you end up on a fake Apple site that harvests your login information (if you enter it there).
  • The e-mail address associated with your Apple ID might have been hacked, possibly allowing a password reset. (The exception here is if you are using an @me.com or @mac.com address as your Apple ID, in which case the address and the Apple ID are the same… hacking one means hacking the other.)
  • Your password may have been stored insecurely, such as on a Post-It note in your office that any passers-by can see or in a plain text note in some online account that has been hacked.
  • Your password was the same as that used by some other account you own that was hacked first.
  • Another account was hacked that gave information about you, such as what your security question answers might be.
  • Someone with physical access to your devices has installed spyware in order to harass or steal from you. (Yes, this is even a possibility with iOS devices… with physical access, a hacker can jailbreak them, install spyware, then cover up the fact that it’s jailbroken.)
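
As an added illustration of the phishing item in the list above (not code from the original article): a short Python script that lists every link in an HTML e-mail together with the host it really points to, whatever the visible link text says. The trusted-domain list, the sample message and every host in it are assumptions constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: only hosts under these domains count as Apple's own.
TRUSTED_DOMAINS = ("apple.com", "icloud.com")


def real_host(url):
    """Host a browser would actually contact for this link, or None."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    # .hostname already drops any "user@" prefix and the port, and lowercases.
    return parts.hostname.rstrip(".")


def is_apple_host(host):
    """True only for a trusted domain itself or a subdomain of it."""
    if host is None:
        return False
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_links(html):
    """Return (visible text, real host, verdict) for each link in the message."""
    collector = LinkCollector()
    collector.feed(html)
    report = []
    for href, text in collector.links:
        host = real_host(href)
        verdict = "apple" if is_apple_host(host) else "NOT apple"
        report.append((text, host, verdict))
    return report


# Constructed sample message body; every host below is made up for illustration.
SAMPLE_EMAIL = """
<p>Your Apple ID has been disabled. Verify now:</p>
<a href="http://appleid.apple.com.verify-login.example/">https://appleid.apple.com</a>
<a href="http://appleid.apple.com@203.0.113.7/signin">Sign in</a>
<a href="https://appleid-apple.com.example/">Apple Support</a>
<a href="https://appleid.apple.com/">Manage your Apple ID</a>
"""

if __name__ == "__main__":
    for row in audit_links(SAMPLE_EMAIL):
        print(row)
```

Only the last link in the sample resolves to an Apple host; the first three show an Apple name in the text or at the start of the address while pointing somewhere else.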

How to undo the hack

If you think that someone with physical access to one or more of your devices has installed spyware, or if you are using Windows and think you’ve been infected with some kind of spyware trojan or virus, you need to deal with that first and foremost. Most people will be tempted to install some kind of anti-virus software and scan for malware, but that is pointless. Anti-virus software cannot detect many of the things that a person with physical access could do. The only meaningful response is to erase any potentially affected devices and reinstall their systems from scratch. Windows users will have to seek help with this elsewhere, but Mac and iOS users can find instructions for doing this here:

http://www.thesafemac.com/how-to-reinstall-mac-os-x-from-scratch/

http://support.apple.com/kb/ht1414

Once your devices are secure, if necessary, you need to change your Apple ID password by logging into Apple’s site for managing Apple IDs:

http://appleid.apple.com

You need to be sure to choose a secure password. The longer the better, and it should contain a mix of upper- and lowercase letters, numbers and symbols. It should also be a password that you don’t use for anything else, and you must not store it in an insecure manner. Use a password manager or other encrypted file (such as an encrypted disk image) to store the password.

If your Apple ID password has been changed, so that you are unable to log in, you can use the “Reset your password” link on that page to reset the password. However, if the hacker has taken over your e-mail account or has changed your security questions, or if you have made the error of forgetting the answers to your security questions, you will need to seek help from Apple:

http://www.apple.com/support/appleid/contact/

Once you have managed to get access to your Apple ID again, you first need to change your security questions. If the hacker knows them or changed them, they could be used to give the hacker access again. Change the questions, and choose answers that are nonsensical (e.g., “What was your first job?” “banana slug”) or even completely random. Be sure to make note of the question/answer pairs in a password manager or encrypted file so that you don’t forget them.

None of this can completely rule out the possibility of a future hack, so you need to lock your account down further by enabling two-factor verification. This doesn’t prevent the account from being hacked, but it does establish additional means for verifying that you own the account. Using two-factor verification yourself is particularly important, because if you don’t do so and your account gets hacked again, the hacker could enable two-factor verification in order to take permanent control of the account. Once two-factor verification is enabled, Apple will not help someone gain access to that account.

For more information about two-factor verification and instructions on how to enable it, see:

http://support.apple.com/kb/ht5570

As part of the two-factor verification activation process, you will be given a recovery key. DO NOT lose this key! It will be required to reset your password in the future, if you forget your password. If you don’t have it, and have forgotten your password, you will not be able to regain access to your Apple ID.

Once your Apple ID is secured, you need to turn your attention to other accounts. If your Apple ID uses any e-mail addresses that are not @icloud.com, @me.com or @mac.com, then you also need to change the passwords of those accounts. There is a possibility that one of those accounts was hacked, and was used by the hacker to gain access to your Apple ID. Contact your e-mail provider if you aren’t sure how this is done. Be sure to use a secure password, and do not use the same password as the one you used for your Apple ID.

In addition, if you had any online accounts that used the same password as your old Apple ID password, you need to change all those passwords. Again, be sure to use a secure password, and don’t use a password that you are using for any other account. A password manager can be extremely useful for keeping track of all these passwords, but they should be stored in some kind of encrypted file at a minimum.

Once you have regained control of your Apple ID, changed the password and enabled two-factor verification, the hacker should be locked out. You can now relax, and hopefully your account will never get hacked again!

Updates

August 10, 2014 @ 7:25 pm EST: I forgot to mention one thing… if your Apple ID has been hacked, you should check your purchase history for unauthorized purchases. This is best done in iTunes on a Mac or Windows computer. In iTunes, choose Store -> View Account and enter your password when asked. In the window that opens, click the See All link in the Purchase History section. If you see a purchase that you didn’t make, you’ll need to contact Apple to dispute the charge. Don’t contact your credit card company to dispute the charge unless you want to be locked out of your Apple ID again. (If the card associated with your Apple ID reports an issue to Apple, Apple will immediately lock the Apple ID to prevent further fraudulent purchases.)


38 Comments

  • cavenewt says:

    “Another account was hacked that gave information about you, such as what your security question answers might be.” Not bloody likely. Nine times out of ten, even the person who originally entered the security answers can never answer two of them correctly.

  • Cheryl says:

    Thank you for the details. My iphone was hacked on August 12/14 and I followed the instructions provided. I restored my device and also reset my apple password. Unfortunately after restoring my device from the backup, it is still popping up a window that is a “Sign In to ICloud” which is requesting my Apple password. Ughhhh. In the meantime, this hacker has deleted all but 5 of my contacts. Now what should I do?

    • Thomas says:

      It is normal for a new (or newly-erased) iPhone to request your iCloud password.

      As for the deletion of your contacts, the only possible response to that is to restore the lost contacts from backups. (For example, if you have synced your contacts to a computer and regularly backed up that computer, you could restore from that computer’s backups.) If you don’t have backups of that data, then you will simply have to try to reconstruct it.

  • Drew Maton says:

    Hi, I got my iPhone 5 stolen. The thief was able to get into my iCloud account and changed the password. I had 3 devices under that account so I called Apple and was referred to the senior Apple advisor. The guy was extremely knowledgeable. FYI, I forgot all the answers to the security questions but somehow the guy got my iCloud acct back. 2 days later, I received an email notification saying that an iCloud acct had downloaded apps from the App Store.

    How can the lost iPhone still send notifications to my email? I am sure the guy got access to my iCloud acc and changed it and erased my iCloud acct to his?

    Do you have any suggestion what should I do regarding this situation?

    • Thomas says:

      I’m guessing that you probably didn’t change the security questions, and the hacker was able to reset the password to regain access. I’d also guess that he may have access to one of your e-mail accounts. You’ll need to call Apple again for assistance regaining control of your Apple ID, and secure your Apple ID as indicated by this article.

  • Duc says:

    Hello,

    Please help me!

    Yesterday morning I received an email from Apple that my ID account was changed (ID, Password, Security question). I thought that my iCloud ID was hacked by someone, resulting in all my phones (5 phones) now being deactivated (my ID was deactivated). When I contacted the Apple service adviser, they said that my iCloud ID is not available on their system. That is terrible. My email account has been used to connect to Apple for a long time but now it is out of the Apple system. I do not know the way to get my ID account back. They said that someone knows my ID account and changed it legally but I am sure that nobody knows my ID.

    Please help me with what I have to do about my problem.

    With best regards,

    • Thomas says:

      Apple is the only one to help with this problem. Try calling back and talking to a different person, and if they can’t help, ask if your case can be escalated to a senior tech.

  • Mommabeans says:

    Someone, I’m pretty sure I know who, “hacked” into my daughter’s iPhone/iCloud account and changed EVERYTHING and then erased the phone. I think it’s her disgruntled ex-boyfriend, who is the person who actually gave her the phone. He’s in Florida. She’s in NY. But she insists it’s not him because he said it wasn’t. Facepalm. I can’t get her to get it through her head that the only way someone could have “hacked” her phone was if they had her logins from the start and he was the only one who did. Stupid. Stupid. STUPID! OMG, she is so stupid. He gave her the phone, brand new, never activated (until we activated it). So we don’t have the proof of purchase. And he gave her some BS line about having changed credit cards since then so he’ll have to see if he can find his old statements from his old card, blah blah blah, BS, BS, BS that has nothing to do with a DAMNED RECEIPT! He changed ALL of her accounts, Gmail, Facebook, Instagram, everything! Is there anything we can do to get this phone back from this piece of …….? Restoring it from iTunes doesn’t work. It just keeps saying the phone was lost and erased.

    • Thomas says:

      If the phone was using your daughter’s Apple ID, then she needs to follow the directions in this article to make sure she regains access to her Apple ID and then uses that to unlock the phone.

      If the phone was logged in to her ex-boyfriend’s Apple ID, you may as well send the phone back to him or recycle it. As far as Apple is concerned, it’s his phone, and they will not help you regain access to it.

  • Soitsdone says:

    So someone txt me and said they liked my quotes which I wrote in notes on my iPhone.
    Do you have any idea how they hacked my phone?
    Are they able to do it by only a phone number or could it have been through an email they sent me?

  • Ian says:

    My iPad and iPhone have been hacked by a disgruntled childish family member. He has also taken over all of my emails, Facebook, iCloud and all my ex-partner’s too. Is there any advice how we can get this full blown idiot off our devices?

    • Thomas says:

      The article above will tell you how to regain control of your Apple ID (which is also your iCloud account) and lock this hacker out. As for your e-mail and Facebook, the response there will be similar: change the password, or contact the providers of those services if you no longer have access to your accounts.

      • krishna says:

        they hacked my device but cannot close my find my iphone so i cannot format my iphone so how to clear it they change my password cannot do any thing please help me…………
        my iPad is also linked by the mail, I cannot activate my iPad
        please………………………………… help me………………………..

  • Melis says:

    I just went through a not so friendly divorce and I believe my now ex somehow hacked my phone through our iCloud account during the litigation. We shared our Apple account and I had erased/locked the phone through Find My iPhone. At one point I had clicking sounds during phone calls, weird texts that get sent multiple times to friends. I have reset my phone three times, and changed passwords on all my accounts multiple times but still feel something is off. The last reset was in July. I get asked to re-enter my password often at random times weekly… Is this normal? I don’t recall ever having to put in my iCloud password so much. I feel I’ve used the steps you outlined above.

    I don’t backup to iCloud and now only use it for contacts, photo, and calendar

    Thank you for any advice!

  • Chloe says:

    I shared an Apple ID with my brother so he can download apps on his phone but does this mean he can access my pictures, messages, etc.? I’ve changed my Apple ID password now so will that log him out of my Apple ID?

  • bea says:

    This morning I received an email from Apple stating that “Your Apple ID was used to sign in to iMessage on a MacBook Air 11″ named (name of the computer I always use).”
    My exact login time this morning was listed as the time stamp.

    Why would Apple ID treat the only laptop I use as a new device? Was I hacked?

    Thank you.

    • Thomas says:

      This is not likely to be due to a hack… probably just a glitch in your system, or perhaps you have never used iMessage on that system or declined to enter a password for iMessage at some point.

  • Luis says:

    Hi, just want to ask
    Apple is rejecting my password (known to be entered properly) rejecting security info
    Redirected to password reset page with confirmation of email sent displayed
    No email received
    And i tried to reset it by answering security questions but its rejecting my birthday information
    I tried to reset my ipad but now im stuck in the activation mode
    It is asking for my apple id.

    Please help how can i recover my apple id. Can applesupport reset it for me.

  • Ash says:

    Is Apple able to tell you who was tracking your phone using the Find My iPhone app?

  • Tamar says:

    My Apple ID was hacked and thankfully the support desk helped me quickly recover my account. But the iTunes Store my account is linked to now is China?! I live in South Africa. Since entering my new password in my iTunes account on my phone a few of my apps are not working. WhatsApp, FB and Messenger are “waiting”. What can I do to restore them as they were before? 🙁

  • Do says:

    Apple claims no one is using my account and I’m the only one. Well, after 27 password resets in 2 days, 122 resets after 6 days, I am now locked out of my account for too many entries. After countless calls and emails to Microsoft Live as well as Apple I was finally able to get hold of Apple to hear my account is fine. Possibly the class action lawsuit from the models’ accounts that were hacked is having a factor in their lame, BS excuse. Check your contacts for Identified as Spam and delete all of them if you have that; that’s the entry point, as well as any no name contacts. I have run some SQL files out of the app sync folder and it clearly shows I’m being hacked and the info isn’t making it to Apple’s server and is happening directly through my phones. I have 2 on one account. Any help would be appreciated.

    • Thomas says:

      If you’re getting e-mails that someone is trying to reset your password, I’m guessing that you haven’t enabled two-factor authentication, since information that only you should have would be required to even start the password reset process. So, enable two-factor authentication, as the article recommends.

  • Charlie says:

    I’m not really aware of how iPhones work yet. Quite new to it. I received an email from iCloud support saying my Apple ID was used to sign into my FaceTime and iMessages on 30 September at 4.31. Do they need to know my email address I use for Apple to try and access it? Also, does that mean they were trying to read my messages?

  • Woo says:

    I stupidly opened, by mistake, a message (email) saying my Apple ID is being disabled, please click here, and then I got an error message… Could this be the start of a hack?? Thank you

  • mik says:

    Hey Thomas!
    How are you? Somehow my password stopped working for my .me account. Tried resetting it but couldn’t because my email is locked without a password. Then went to security questions. Couldn’t remember anything!!! entered so many wrong DOBs that my account is now frozen. Called apple they were of no assistance. They told me without the security answers I’m screwed. Is there any other way to fix this without losing my email address? I use it for biz so this would be a huge disadvantage. PLEASE HELP !!!!

    • Thomas says:

      Only Apple can help, and honestly, if you don’t know the password or the security question answers, they’re not going to help you. It would be a HUGE security issue if Apple were to give access to accounts to someone who didn’t possess any of the required information needed to access the account.

  • eanu says:

    I have a cousin who is not the most brainy of types. She had a bf who made an email account for her, who also made an Apple ID for her. She bought him and herself two iPhones, though recently after a bad breakup he decided to log in to her Apple ID and change her password, plus he disabled her account. The only information she has with her is her serial number and her phone, which is disabled. Could you tell me if he can delete her contacts without using her phone, and if he can use iTunes plus make purchases? Plus a way she can start using her phone again.

    • Thomas says:

      If he created the Apple ID and knew the password, he can easily lock her out of it, and thus all her data and her phone. She will need to contact Apple support for assistance, they are the only ones who can help – though, depending on what he has done, they may not be able to help.

  • Tammy says:

    PLEASE HELP ME.

    I made an Apple account quite a bit ago when I had an iPod touch, and I got an email on October the 20th saying I have been buying films etc. but it went to my junk mail so I didn’t realise. It has come up to £48.98. I have changed all passwords and things but I don’t know who to contact to say it wasn’t me and to see if I could get my money back..?

    My friend said ‘ Get in touch with your bank and say you didn’t authorise the transactions and they should cancel them and you may get your money back’ WILL THIS WORK???

    • Thomas says:

      Contact Apple to dispute the charges first. Contact your bank if Apple can’t or won’t help. And actually, before you do any of that, follow the instructions in this article to secure your Apple ID!

  • sam says:

    Help! My Apple ID got hacked a week ago while I was at camp. Today I came back and saw an email saying my Apple ID email, name, everything has been changed. I created the account back in 2010 and I still have the verification email. And no, I didn’t bother to remember the recovery code since I’m mostly using an Android device.
