Mystery Apple ID Password Resets Strike iPhone, iPad, Mac Users

I woke up early this morning, and, like millions of others, the first thing I did was check my iPhone for messages, weather reports, and news. Unlike every other day, however, I found myself logged out of my Apple ID and was required to not only enter my password again but change it for a new one. It appears I am not alone, with one security expert warning users to be diligent during this confusing situation.

Although the Apple system status page reports no issues at all, that appears to be far from the truth of the matter. A quick scan of social media is all it takes to realise this is happening on a grand scale. Indeed, my colleague Zak Doffman, who also contributes to the cybersecurity section of Forbes, tells me he had the same thing happen.

04/28 update below. This article was originally published on April 27.

The problem appears to have started late Friday, 26 April, with reports of users being logged out of their Apple IDs. This is not device-specific and seems to be impacting users of iPhones, iPads and MacBooks.

As a security-minded person, I immediately thought something might be amiss as there have been some recent attacks that have involved password resets. However, as my colleague Kate O’Flaherty reported in March, these rely upon a method of two-factor authentication ‘bombing’, whereas the current situation is a straight ‘reset your password’ without anything else being involved. The 2FA bombing attackers would follow up with a call pretending to be Apple Support, but I have had no such call and have not read reports of anyone else getting them either.

The issue also means that users will need to not only log back in on all devices but reset all app-specific passwords as well. Currently, it is not known if this is a bug or a security incident. I have asked Apple for a statement and will update this breaking story as soon as I have more information.

“When anything arrives out of the blue, such as a password reset or One Time Password request, it is important to investigate further and research where possible before following any given prompts,” Jake Moore, global cybersecurity advisor at ESET, said. “This seems like it is a genuine bug as so many have been involved. Although a pain, it is actually often a good idea to reset all connected devices and change a password every so often or when there has been a data breach. However, due diligence is vital when dealing with unsolicited notifications and MFA should be turned on by default for all accounts.”

04/28 update: Many readers have been contacting me regarding applications that are no longer syncing via iCloud since they were logged out of their Apple ID accounts and forced to reset their passwords. I did mention this, albeit not in those words. At the core of this problem is the fact that third-party applications needing access to such information as calendars, contacts and mail stored in iCloud require an app-specific password to do so securely. Apple says that this is “to help make sure that your Apple ID password can't be stored or collected by the app.” The forced Apple ID password reset has invalidated these app-specific passwords, which need to be newly generated for any application requiring them. Apple’s support documents state that “Any time you change or reset your primary Apple ID password, all of your app-specific passwords are revoked automatically to protect the security of your account. You need to generate new app-specific passwords for any apps that you want to continue using.”

Luckily, this isn’t an overly complex process, but it is time-consuming if you have many third-party apps that need app-specific passwords reset.

First, sign in to your Apple ID account on the web at appleid.apple.com, then look for the Sign-In and Security section, where you should scroll to the bottom and select the App-Specific Passwords option.

This allows you to generate the new password by following the instructions shown. Once the app-specific password has been generated, you simply paste it into the password field of the associated app when it pops up an input box requesting this.

You can only have a maximum of 25 of these app-specific passwords, so you might as well take the opportunity to revoke any that are no longer needed. To do this, head to the Sign-In and Security section of your Apple ID account. From here, you can delete your passwords individually or the whole lot if you really want to start afresh. From a security viewpoint, it’s recommended that you regularly revoke unused passwords such as these, as otherwise they leave a potential attack vector open.
