I woke up early this morning, and like millions of others, the first thing I did was check my iPhone for messages, weather reports, and news. Unlike any other day, I found myself signed out of my Apple ID and not only asked to enter my password again, but to change it to a new one. Looks like I'm not alone.
Although the Apple System Status page shows no reports of any problems at all, that seems far from the case. A quick scan of social media is all it takes to realize this is happening on a massive scale. In fact, my colleague Zach Duffman, who also contributes to Forbes' cybersecurity section, told me the same thing happened.
The issue appears to have started late on Friday, April 26, with reports of users being logged out of their Apple IDs. This is not device specific and appears to affect iPhone, iPad, and MacBook users.
As someone who cares about security, I immediately thought something might be wrong, since there have been some recent attacks that involved password resets. However, as my colleague Kate O'Flaherty reported in March, these rely on a two-factor authentication “bombing” method, whereas the current situation is a direct “reset your password” prompt without needing anything else. The two-factor authentication bombing attackers were following up with a call pretending to be from Apple Support, but I never received such a call and haven't read reports of anyone else getting one either.
The issue also means that users will not only need to log in again on all devices, but they will also need to reset all app passwords. Currently, it is unknown whether this is a bug or a security incident. I've asked Apple for a statement and will update this breaking story as soon as I have more information.
“When anything comes up out of the blue, such as a password reset or one-time password request, it's important to conduct further investigation and research where possible before following any specific prompts,” said Jake Moore, global cybersecurity advisor at ESET. “This seems to be a real bug that many have been involved in. Although it is painful, it is actually a good idea to often reset all connected devices and change the password every now and then or when a data breach occurs. However, care and due diligence are vital when dealing with unwanted notifications, and MFA should be turned on by default for all accounts.”