I woke up early this morning, and like millions of others, I checked my iPhone for messages, weather, and news. However, unlike usual, I found myself logged out of my Apple ID and had to not only re-enter my password, but also change it to a new one. Apparently I'm not alone.
Apple's system status page doesn't report any issues, but that seems far from the truth of the matter. A quick check of social media shows this is happening on a massive scale. In fact, my colleague Zach Doffman, who also writes for Forbes' cybersecurity section, says the same thing happened to him.
Updated on 04/28 below. This article was originally published on April 27th.
The issue appears to have started late on Friday, April 26, with reports of users being logged out of their Apple IDs. This is not device-specific and appears to affect iPhone, iPad, and MacBook users.
Recently, there have been several attacks involving password resets, and as a security-minded person, I immediately wondered if something was wrong. However, as my colleague Kate O'Flaherty reported in March, those attacks rely on a method of “bombing” the victim with two-factor authentication prompts, whereas the current situation is a simple password reset that involves no such prompts. 2FA bombers sometimes follow up with calls pretending to be from Apple Support, but I have not received such a call, nor have I seen reports of anyone else receiving one.
This issue means that users not only need to log back in on all their devices, but also reset all of their app-specific passwords. At this time, it is unclear whether this is a bug or a security incident. I have requested a statement from Apple and will update this article as soon as I have more information.
Jake Moore, Global Cybersecurity Advisor at ESET, says: “If you receive something out of the blue, such as a request for a password reset or one-time password, it's always a good idea to investigate further and research as much as possible before following the instructions. It's important.” He adds: “This appears to be a genuine bug since so many people are involved. Although annoying, it does reset all connected devices, which is sometimes done when a data breach occurs. However, due diligence is essential when dealing with unsolicited notifications, and MFA should be enabled by default on all accounts.”
Update 04/28: Many readers have contacted me about apps no longer syncing via iCloud since they were logged out of their Apple ID accounts and forced to reset their passwords. I mentioned this above, although not in those words. At the heart of this issue is the fact that third-party applications that need to access information stored in iCloud, such as calendars, contacts, and email, require app-specific passwords for secure access. Apple says this is to “prevent your Apple ID password from being stored or collected by the app.” A forced Apple ID password reset disables these app-specific passwords and requires you to generate new ones for any applications that need them. Apple's support document states: “When you change or reset your Apple ID primary password, all app-specific passwords are automatically revoked to help protect the security of your account. For any apps you want to continue using, you'll need to generate new app-specific passwords.”
Fortunately, this isn't a very complicated process, but it can be time-consuming if you have a lot of third-party apps that require app-specific password resets.
First, sign in to your Apple ID account on the web at appleid.apple.com, then look for the “Sign-in & Security” section, scroll to the bottom and select the “App-specific passwords” option.
This will allow you to generate a new password by following the steps provided. Once an app-specific password has been generated, simply paste it into the relevant app's password field when an input box pops up requesting it.
You can only have a maximum of 25 of these app-specific passwords, so we recommend taking the opportunity to revoke any passwords you no longer need. To do this, go to the Sign-in & Security section of your Apple ID account. From here, you can delete passwords individually, or delete them altogether if you really want to start over. For security reasons, we recommend that you periodically revoke such unused passwords. Otherwise, potential attack vectors remain open.