The Mac Security Blog

Apple

Mysterious Apple ID password resets: What we know, and how to protect your account

Posted on by

Late Friday, April 26, a large number of Apple users discovered that their Apple ID accounts were locked, and they needed to reset their passwords. Here’s what we know about what happened, and its consequences.

In this article:

  • The lockout
  • Signing in again
  • Apple’s lack of response
  • The risks of the Apple ID: a single point of failure
  • How can I learn more?

The lockout

When I woke up on Saturday morning in the UK, the first thing I saw was a screen on my Apple Watch telling me I needed to sign into my Apple ID. This was surprising, since I wear my Apple Watch to track my sleep, and I was still in Sleep focus mode where the display was turned off. When I looked at my iPhone, I saw a similar notification telling me to sign into my Apple ID.

This can happen if a user makes too many erroneous sign-in attempts, or if someone tries to get into another user’s account. This was apparently not the case, however, because a large number of users were affected by this problem.

When I went to sign in with my Apple ID and password, I was told that my account was locked for security reasons, and then I needed to reset the password. I did this, and, of course, I later needed to enter this new Apple ID password on all my devices: three Macs, two iPads, an iPhone, an Apple Watch, and some HomePods. And I had to re-sign into Apple Music, though, surprisingly, I did not need to do this on my Apple TV. Some users reported that they needed to re-pair their AirPods, but I did not have that issue.

When I looked on my RSS reader, I saw an article saying that Apple users are being locked out of their Apple IDs with no explanation. Apparently, for many people, it started around 8pm Eastern time and affected users around the world. The first reports we’re aware of came a little before that; one person posted on X about it at 7:42pm Eastern. There’s no reliable way to estimate how many were affected, but forum threads and comment sections suggest that it was widespread. We’re aware of people from multiple countries whose accounts were locked.

Signing in again

For many users, there was just the annoyance of re-authorizing multiple devices and creating new app-specific passwords for third-party apps that access iCloud data. But for some, it was more problematic. Michael Tsai explains that, since he has Stolen Device Protection enabled on his iPhone, and it didn’t recognize “the location of the home/office where the phone spends nearly all its time and which is identified as Home in Apple Maps, Contacts, and Find My,” he had to wait one hour before being able to reset the password. As Apple says, “Stolen Device Protection adds a layer of security when your iPhone is away from familiar locations, such as your home or workplace,” but in Michael Tsai’s case, the only location shown was “the grocery store that I go to once every two weeks.”

John Gruber on Daring Fireball points out a similar problem with significant locations. He says, “the only two ‘Significant Locations’ listed […] are ‘Work’ and my favorite (and truly oft-visited) grocery store. But the ‘Work’ location is centered three entire city blocks (~0.2 miles) from my home, which leaves my home just outside the radius that counts as that location. Luckily I wasn’t hit by this account lockout, but this also reassures me that I’m right to not yet have enabled Stolen Device Protection.”

It’s not clear how these significant locations work. You can turn this setting on and see some information by going to the well-hidden settings at Settings > Privacy & Security > Location Services > System Services > Significant Locations. (You’ll have to scroll to the bottom of a couple of lists to find this.) My iPhone shows one recent location, a Costa Coffee in a small shopping center. I never visit Costa Coffee, though I go to the Waitrose supermarket in that shopping center, a couple of times a week.

Significant Locations shows 55 records on my iPhone, but it only shows one recent location. There’s no way to tell the iPhone which locations you want to consider significant, such as your home or work location, so if you have Stolen Device Protection on, you’re at the whim of Apple’s location services.

Apple’s lack of response

Given that this issue impacted Apple users from all over the world, one might expect that Apple would respond and explain what happened. Many users were worried that someone had accessed their accounts and rushed to reset their passwords, thinking that their data could be stolen.

It’s still unclear how many users were affected. But users in many countries had this password reset, and some people even reported this problem occurring as late as Sunday. At the time of this writing, in the early morning hours of Monday, April 29, Apple had said nothing. When this article was last updated on Thursday morning, Apple still had not acknowledged the issue.

The risks of the Apple ID: a single point of failure

This event points out one of the risks of the Apple ecosystem revolving around and entirely depending on an Apple ID. As more people depend on iCloud, getting locked out of your Apple ID can have devastating consequences. Without access to your Apple account, cannot use iCloud email, iMessage, or FaceTime without this account. You cannot access personal or even work documents if you store them on iCloud. And you cannot use third-party apps that depend on iCloud, such as a calendar or contacts app.

But, for now, Apple has not really given us any alternative. Your entire personal Apple ecosystem revolves around your Apple ID, so make sure you protect it by using a unique password and two-factor authentication.

How can I learn more?

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: Follow Intego on X/Twitter Follow Intego on Facebook Follow Intego on YouTube Follow Intego on Pinterest Follow Intego on LinkedIn Follow Intego on Instagram Follow the Intego Mac Podcast on Apple Podcasts

About Kirk McElhearn

Kirk McElhearn writes about Apple products and more on his blog Kirkville. He is co-host of the Intego Mac Podcast, as well as several other podcasts, and is a regular contributor to The Mac Security Blog, TidBITS, and several other websites and publications. Kirk has written more than two dozen books, including Take Control books about Apple's media apps, Scrivener, and LaunchBar. Follow him on Twitter at @mcelhearn. View all posts by Kirk McElhearn →