What to do if your Apple ID has been hacked

Apple IDs are a popular target for hackers. This is not only because Apple devices have become so popular, but also because Apple IDs typically provide purchasing power. With an Apple ID, a hacker can purchase music and movies in the iTunes Store or apps in the iOS App Store or Mac App Store on someone else’s dime. Typical symptoms of an Apple ID hack are a sudden inability to log in or strange purchases showing up in your purchase history or on your iOS device. So what do you do if you believe your Apple ID has been hacked?

Effects and Causes

Before discussing how to undo the hack, it’s critically important to understand why dealing with a hacked Apple ID must be done quickly. I’ve seen people who have allowed their Apple IDs to remain hacked for months before bothering to do anything about it. This allows the hacker to continue making purchases with your Apple ID, sending e-mail messages or iMessages as you, accessing your iCloud data, etc. However, there’s an additional problem that most people are either unaware of or don’t think about.

The anti-theft features of Mac and iOS devices involve your Apple ID, and can be abused by someone with access to your Apple ID. Your Apple ID could be used to remotely erase your Mac or iOS devices, which could be a disaster if you don’t maintain a good set of backups. Worse, in iOS 7, your Apple ID can be used to lock your iOS device in a way that cannot be bypassed – even by erasing the iOS device – without access to the Apple ID. If the hacker manages to permanently lock you out of your Apple ID, which can be done in a 3-day period using two-factor verification (more on this shortly), then he/she can then permanently lock your iOS 7 devices!

In other words, if you believe your Apple ID has been hacked, you need to respond quickly and decisively to regain access and lock the hacker out. Failing to do so could cause you to lose all purchases made with your Apple ID, lose all your data and even turn your iOS 7 devices into expensive paperweights!

The first thing most people want to do is scan for viruses, but there is actually little point to doing that. On the Mac, there is very little malware out there, and I’ve never heard of a single confirmed case of an Apple ID being stolen through an infected Mac. On iOS devices (ie, iPads, iPhones and iPod Touches), there is no known malware capable of affecting them unless they have been jailbroken (ie, hacked to disable security in order to download apps from outside the App Store). Further, due to the security features that prevent malware, there is also no anti-virus software capable of scanning an iOS device. If you are using your Apple ID on a Windows machine, keyloggers are possible, but that’s a matter for your Windows anti-virus software and your local Windows tech.

Apple IDs are typically hacked through other means. Some (though certainly not all) possibilities are:

If your password is a poor one, it may fall to simple brute-force attack by a botnet.

You could be fooled by one of the many Apple ID phishing scams circulating, in which you receive an e-mail message that is supposedly from Apple, but when you click the link provided in the message, you end up on a fake Apple site that harvests your login information (if you enter it there).

The e-mail address associated with your Apple ID might have been hacked, possibly allowing a password reset. (The exception here is if you are using an @me.com or @mac.com address as your Apple ID, in which case the address and the Apple ID are the same… hacking one means hacking the other.)

Your password may have been stored insecurely, such as on a Post-It note in your office that any passers-by can see or in a plain text note in some online account that has been hacked.

Your password was the same as that used by some other account you own that was hacked first.

Another account was hacked that gave information about you, such as what your security question answers might be.

Someone with physical access to your devices has installed spyware in order to harass or steal from you. (Yes, this is even a possibility with iOS devices… with physical access, a hacker can jailbreak them, install spyware, then cover up the fact that it’s jailbroken.)

How to undo the hack

If you think that someone with physical access to one or more of your devices has installed spyware, or if you are using Windows and think you’ve been infected with some kind of spyware trojan or virus, you need to deal with that first and foremost. Most people will be tempted to install some kind of anti-virus software and scan for malware, but that is pointless. Anti-virus software cannot detect many of the things that a person with physical access could do. The only meaningful response is to erase any potentially affected devices and reinstall their systems from scratch. Windows users will have to seek help with this elsewhere, but Mac and iOS users can find instructions for doing this here:

http://www.thesafemac.com/how-to-reinstall-mac-os-x-from-scratch/

http://support.apple.com/kb/ht1414

Once your devices are secure, if necessary, you need to change your Apple ID password by logging into Apple’s site for managing Apple IDs:

http://appleid.apple.com

You need to be sure to choose a secure password. The longer the better, and it should contain a mix of upper- and lowercase letters, numbers and symbols. It should also be a password that you don’t use for anything else, and you must not store it in an insecure manner. Use a password manager or other encrypted file (such as an encrypted disk image) to store the password.

If your Apple ID password has been changed, so that you are unable to log in, you can use the “Reset your password” link on that page to reset the password. However, if the hacker has taken over your e-mail account or has changed your security questions, or if you have made the error of forgetting the answers to your security questions, you will need to seek help from Apple:

http://www.apple.com/support/appleid/contact/

Once you have managed to get access to your Apple ID again, you first need to change your security questions. If the hacker knows them or changed them, they could be used to give the hacker access again. Change the questions, and choose answers that are nonsensical (eg, “What was your first job?” “banana slug”) or even completely random. Be sure to make note of the question/answer pairs in a password manager or encrypted file so that you don’t forget them.

None of this can completely rule out the possibility of a future hack, so you need to lock your account down further by enabling two-factor verification. This doesn’t prevent the account from being hacked, but it does establish additional means for verifying that you own the account. Using two-factor verification yourself is particularly important, because if you don’t do so and your account gets hacked again, the hacker could enable two-factor verification in order to take permanent control of the account. Once two-factor verification is enabled, Apple will not help someone gain access to that account.

For more information about two-factor verification and instructions on how to enable it, see:

http://support.apple.com/kb/ht5570

As part of the two-factor verification activation process, you will be given a recovery key. DO NOT lose this key! It will be required to reset your password in the future, if you forget your password. If you don’t have it, and have forgotten your password, you will not be able to regain access to your Apple ID.

Once your Apple ID is secured, you need to turn your attention to other accounts. If your Apple ID uses any e-mail addresses that are not @icloud.com, @me.com or @mac.com, then you also need to change the passwords of those accounts. There is a possibility that one of those accounts was hacked, and was used by the hacker to gain access to your Apple ID. Contact your e-mail provider if you aren’t sure how this is done. Be sure to use a secure password, and do not use the same password as the one you used for your Apple ID.

In addition, if you had any online accounts that used the same password as your old Apple ID password, you need to change all those passwords. Again, be sure to use a secure password, and don’t use a password that you are using for any other account. A password manager can be extremely useful for keeping track of all these passwords, but they should be stored in some kind of encrypted file at a minimum.

Once you have regained control of your Apple ID, changed the password and enabled two-factor authentication, the hacker should be locked out. You can now relax, and hopefully your account will never get hacked again!

Updates

August 10, 2014 @ 7:25 pm EST: I forgot to mention one thing… if your Apple ID has been hacked, you should check your purchase history for unauthorized purchases. This is best done in iTunes on a Mac or Windows computer. In iTunes, choose Store -> View Account and enter your password when asked. In the window that opens, click the See All link in the Purchase History section. If you see a purchase that you didn’t make, you’ll need to contact Apple to dispute the charge. Don’t contact your credit card company to dispute the charge unless you want to be locked out of your Apple ID again. (If the card associated with your Apple ID reports an issue to Apple, Apple will immediately lock the Apple ID to prevent further fraudulent purchases.)

Tags: Apple ID, hack, iCloud