Why you got a ‘Use this iPhone to reset your Apple ID password?’ alert

On the second day of 2020, awash in the possibilities of a new year — nay, decade — my iPhone pinged with a notification that came from out of the blue.

“Use this iPhone to reset your Apple ID password?” an official, gray Apple pop-up said beneath an exclamation point icon. I clicked on the notification and it asked if I wanted to “Allow” or “Don’t Allow.” 

Why was my phone trying to get me to reset my password? I hadn’t initiated anything, but this notification from Apple looked legit. 

Only two days into the new year, and it sure seemed like hackers were already trying to break into my Apple account. 

I wasn’t alone. Another member of the Mashable tech team had gotten the message, too. A recent MacRumors forum thread had also garnered dozens of responses from users reporting the same issue. Same story on both Twitter and StackExchange: People wanted to know why they’d gotten this notification and what on earth it meant.

Apple did not respond to multiple requests from Mashable asking for information. It did respond to a concerned user on Twitter, via the Apple Support Twitter handle, with a link to information on what to do if your Apple ID account has been compromised. Gulp.

The real story about what is actually going on here is not as bad as it might seem. Security experts think that hackers were trying to penetrate a spate of Apple ID accounts. But, thanks to Apple’s stringent device-centric and two-factor security measures, the notification actually shows that the hackers could not be successful.

“There’s not really a risk here,” Patrick Wardle, a principal security researcher at Jamf, told Mashable. “It’s less than ideal that attackers have your Apple ID and your phone number. But, luckily, because of the way Apple has moved in recent years, especially after a lot of the celebrities’ iCloud accounts got hacked, they’ve really made a push to use two-factor authentication, and only allow you to change your password via a trusted device. So attackers are, pardon my French, pretty shit out of luck, which is good.”

Here’s probably what was behind the attempted hack. Over the past month, hackers seem to have gotten their hands on a batch of email addresses. Dan Tentler, the executive founder of Phobos Group, says they then engaged in an automated practice called “credential stuffing”: Hackers use a script to plug in the emails to as many places as possible and see what happens. 

Tentler thinks the fact that a bunch of people got these notifications around the same time means they were likely from the same database dump. He points to the recent Zynga breach as a possibility. That hack exposed the usernames and passwords of 170 million Farmville, Words With Friends, and other mobile game players everywhere. 

“What I imagine is happening is that someone is attempting to launch every email address in the Zynga dump at iCloud to see what accounts they were able to get into using the leaked credentials,” Tentler said. “Tons of people are all getting this message because their iCloud accounts are signed up with the same email address they used for Zynga games.”

Bet you regret building your agrarian empire now, farmvillers!

Once the credential stuffers start working with the stolen credentials, they get plugged in to iCloud accounts. This prompts a password reset, which sends the aforementioned scary-looking notification to your phone. But, again, the fact that it’s sent to your phone means that your device is secure.

“The good news is that the actual password reset process is controlled by the legitimate user’s devices,” Ivan Rodriguez, a security researcher, told Mashable. Rodriguez simulated the path a hacker might take to access an Apple ID account and found that, even if they try to move forward without authorization from a trusted device, “they’ll eventually land on a site that sends an SMS to the phone number registered with the account with a 6-digit code.”

The only fly in the ointment is that this scheme could help hackers pair an Apple ID with a phone number if they get confirmation that a reset has been set. But, again, without access to the “trusted device,” that information is pretty useless.

So what should you do if you received the notification? You can simply press “Don’t Allow” and the reset process will stop. Or, if you press “Allow,” you can reset your password yourself, which is always a good thing to do regularly, anyway. That’s especially important if you use the same password for multiple accounts.

“The average user is most likely to have their accounts breached via these kind of large scale breaches if they are reusing the same passwords,” Wardle said. “If you signed up for some crappy free iPhone game and then use the same password for your Gmail account, that’s how hackers can kind of pivot from one account to the next.”

We can’t know for sure where the leaked database came from, or whether the ultimate goal was to breach iCloud accounts, or pair phone numbers with emails. But either way, if you received this notification, your account is secure.

“I don’t know if this is part of a scheme to identify email/phone number pairs, or someone has a recent (or even old) leak that contains emails and phone numbers and they are trying to take over accounts,” Rodriguez said. “Luckily, Apple generally does a great job when it comes to securing user accounts.” 

Phew!