Marko Karppinen

I make digital magazines profitable at Richie.

My Apple ID episode from 2008

This entry was originally posted to the MK&C company blog on July 8, 2008. It has been reprinted here as the company blog is no longer available.

Apple just gave out my Apple ID password because someone asked

I tried to log in to Apple Developer Connection this morning to find out that my password had been changed and the email associated with my account was now a yahoo.com address that wasn’t mine. Luckily, my “security question” was still the same, so I was able to reset the password and email address back.

Based on the emails that have appeared in my .Mac mailbox, this was accomplished by sending this classy one-liner to Apple:

am forget my password of mac,did you give me password on new email marko.[redacted]@yahoo.com

To which Apple reacted by doing the only reasonable thing – saying Sir, Yes Sir! and handing my account over. Here’s the email I just sent Apple:

Dear ADC,

You have reset my password based on a request by someone other than me. Rather than checking if the requester was actually me by comparing the information in their personal profile, you have allowed a third party access my Apple ID for no reason whatsoever.

I tried to log in today and saw that my password had been changed, and the email address associated with my account changed to “marko.[redacted]@yahoo.com”.

Apparently based on a single-line email inquiry, you have allowed a third party access to:
- My personal details
- My personal email
- All the files stored on my iDisk
- Everything I’ve synchronized to .Mac, including my Address Book, Bookmarks, Keychain items, etc.
- My credit card details as stored in my Apple Store profile
- My iTunes Music Store Account
- My ADC Premier membership, including the software seed key and other assets
- The iPhone Developer Program’s Program Portal, including details of our development team

Frankly, this makes me so angry that I can’t see straight. Did it not occur to you at all that someone at “marko.[redacted]@yahoo.com” was not actually me? For example, because the names didn’t match?

Can you even begin to appreciate the amount of work I need to do to re-secure all the information that you have compromised? How do you propose to restore confidence that I, or indeed anyone, should ever store anything confidential on your systems again?

With best regards,
Marko Karppinen

Update: A few hours after posting this, a team lead from Apple Developer Connection’s European support organization called me, apologized for the mess, and assured me that they don’t normally operate this way. He promised to find out if Apple can determine, based on their logs, where and how my Apple ID was used in between the password reset and myself discovering all this about 12 hours later. I know that my .Mac mail was accessed, but luckily I don’t use it for anything other than ADC-related communications. In fact, I’d be home free if it wasn’t for .Mac Sync and some old, unencrypted backups on my iDisk (I’ve since then smartened up and my backups are now encrypted). I hope the logs will allow Apple to confirm that these services were not accessed by the third party.

Then, two days later on July 10, I posted:

How Apple replied to the password reset request

We’re on to day three of this saga, with about 80 000 pairs of eyeballs on this thing. No word from Apple yet. Meanwhile, some people have asked for clarification and/or called BS on this, so I thought I’d post the email that Apple sent in response to the password reset request. This email was in my .Mac mailbox while the password reset emails mentioned apparently went to the yahoo.com address.

The account continues to get password reset requests, but as people have pointed out, those are harmless unless someone at Apple overrides the procedure manually. Also, to those who asked: my security question and answer are a meaningless challenge/response pair — there is no chance that someone guessed the answer.

Please include the line below in follow-up emails for this request.

Follow-up: [redacted]

Re: ADC account

Dear Mr Karppinen,

Thank you for contacting the Apple Developer Connection regarding your ADC membership account.

Please accept our apology for the delayed response.

In reviewing your information, I have found the following account:

Marko Karppinen 
MK&C 
Email address: [redacted]@mac.com 
ADC Premier Membership 
ADC Member number: [redacted] 
Apple ID: [redacted]@mac.com 
Last Login Date: 04 Jul 2008

Please know that I updated your email address for you to: marko.[redacted]@yahoo.com.

Furthermore, the password for your ADC account has been reset. You will receive two additional emails from Apple. One will contain your login account name, the other will contain your new temporary login password.

Once you have logged in with the temporary password, you will be presented with a “Password Expired” page. Enter the temporary password as the “old password” and select and enter a new personal password of your choice as the “new password”.

After you have logged in, please take a moment to review the information in your account profile to ensure the information is up to date.

Please know that it is possible to reset your password yourself online. We have included this process below:

1) Go to the Member Site at http://connect.apple.com
2) Enter your Apple ID and select the “Forgot Password” button. 
3) Enter your Date of Birth. 
4) Choose your password reset option.

—The easiest option is to have your temporary password emailed to the email address listed on your ADC account. You also have the option to reset your password online by answering the challenge question you chose when you created your ADC account.

I hope this information is useful to you. Please let me know if you have any questions or need further assistance.

Best regards,

[redacted]

Apple Developer Connection 
Worldwide Developer Relations

Inquiry from marko regarding Reset Password 
Email address: [redacted]@mac.com 
Region: Europe

am forget my password of mac,did you give me password on new email marko.[redacted]@yahoo.com
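The failure in the exchange above is procedural: a support agent honored a change-of-address and password reset on the strength of an email from an address that was not on file, with no challenge question answered. As an added illustration that is not part of the original post or of any Apple system, the following is a minimal triage policy for such requests; all names, the SHA-256 hashing of the challenge answer, and the sample addresses are assumptions constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

@dataclass
class Account:
    apple_id: str
    email_on_file: str
    answer_hash: str            # hex SHA-256 of the challenge answer (constructed)

@dataclass
class RecoveryRequest:
    sender_email: str           # From: header of the support inquiry
    new_email: Optional[str]    # address the requester wants put on the account
    answer: Optional[str]       # challenge answer supplied with the request, if any

def _hash(answer: str) -> str:
    return hashlib.sha256(answer.strip().lower().encode()).hexdigest()

def authenticated(account: Account, req: RecoveryRequest) -> bool:
    """Only a correct challenge answer proves control of the account.
    A From: address is trivially forgeable, so it never counts on its own."""
    if req.answer is None:
        return False
    return hmac.compare_digest(_hash(req.answer), account.answer_hash)

def triage(account: Account, req: RecoveryRequest) -> dict:
    """Decide what an agent may do with a reset / email-change request.
    Invariant: a temporary password goes only to the address already on file,
    never to an address the requester typed into the inquiry."""
    decision = {"send_temp_password_to": account.email_on_file,
                "update_email": False, "notify_old_address": False}
    if req.new_email and req.new_email != account.email_on_file:
        if authenticated(account, req):
            decision["update_email"] = True
            decision["notify_old_address"] = True   # previous address learns of it
        else:
            decision["reason"] = "unauthenticated email change refused"
    return decision

# Constructed sample mirroring the incident: the account's address on file differs
# from the sender, the sender asks for that new address, and no answer is given.
EXAMPLE_ACCOUNT = Account("owner@example.com", "owner@example.com",
                          _hash("correct horse"))
INCIDENT_REQUEST = RecoveryRequest("stranger@example.net", "stranger@example.net", None)

if __name__ == "__main__":
    print(triage(EXAMPLE_ACCOUNT, INCIDENT_REQUEST))
```

Run as written, the incident request is refused and any temporary password would have gone to the mac.com-style address on file, which is exactly the outcome the support reply above did not produce.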