iPhone dev: Apple gave out my password
Marko Karppinen, an ADC Premier member, iPhone developer, and user like the rest of us, had his personal information released by Apple to an unknown third party, simply because of this one-line email:
am forget my password of mac,did you give me password on new email marko.[redacted]@yahoo.com
Apple -- apparently with no additional research -- reset Karppinen's password, and changed the email address on the account to the perp's. As a result of the login change, the perp had access to Karppinen's credit card details, developer software seed key, and the contents of his iDisk.
Karppinen, understandably, was livid, and sent ADC an email about what happened. A team lead from ADC's European support organization contacted Karppinen, apologizing for the mix-up. The rep promised to find out (from Apple's own logs) what information was compromised.
Apple has so far not commented on the incident, outside of what Karppinen says the ADC rep told him. It's unclear what Apple will do in the future to prevent this from happening again.
[Via Daring Fireball and The Consumerist.]
Social engineering attacks are devastatingly effective.
July 09 2008 at 3:57 PM
That's the guy who developed Nokia Multimedia Transfer.app!!
I'm sorry for him, hope everything got solved in the end
Apple IDs are known targets of crooks. Someone has been trying to guess my password recently, written up at spamwars.com/archives/2008/07/an_unnerving_pa.html.
July 09 2008 at 1:56 PM
Update 2: So it's soon 48 hours after the password reset, but no further contact from Apple. Perhaps I should let them know that, so far, 65 000 people have seen this and many might be wondering how Apple will end up handling the case?
Yeah, go on and try to get something for free. Isn't that what you are after? So exactly 65 000 people saw this. And how many commented?
His story is pathetic and so is the entire issue.
Can we stop paying attention to this bs...
Apple obviously plans to give out everyone's user data in the future. That's what the Mobile Me switch is all about. They are the new AOL.
That's why the whole world needs to know.
A security issue must always be discussed as openly as possible.
To all idiot commenters above who never understood the story:
Marko Karppinen is a person who has an ADC account. One day, he logs in to his ADC membership account and couldn't log in because his password was invalid. Marko says hmm, so he went on to reset his password by going through the ADC site's password reset. His security question response was accepted and he was successful in resetting his password. Now confused, he began looking into his ADC account and finds out that it had been accessed by someone else. He also noticed that his account is now owned by a person with an email marko.blablah@yahoo.com. While it looks like his because his name is also Marko, it's not actually his e-mail. He also discovered that his .Mac e-mail account was accessed. To his surprise, one of the e-mails there is an auto reply from the Apple servers that someone requested a password reset through the ADC feedback web form. The actual message sent through the form was the "am forget password of mac..." statement you see above. He then began securing all his other accounts that he might have thought had been linked to his ADC. Since he only uses his .Mac email for ADC business, he says the damage was minimized, but yet to see the full magnitude of the situation. He then contacts Apple with the details of the events and had since been touched once by someone from the Apple team. Marko is still waiting for more explanations from Apple.
Okay, this is not just one person craving for attention. It was a legitimate concern and he posted this event due to his frustration with the situation. Imagine the stress someone has to go through when personal (or even worse financial) info gets compromised. Take it or leave it. If you think Marko is an attention whore, then move on. I am as skeptical as everybody else, but let's keep an open mind and have patience as we wait for the whole thing to unfold. The best thing to do is to bookmark his blog post because he's updating it for sure.
Thank you for a nice summation of the full story.
I understand the concern when someone accesses your personal data somehow. One of my credit cards (the one I use for just about everything) recently had four unauthorized purchases made on them, two of them were $380 cash withdrawals at a couple of 7-11 ATM machines.
It's a mystery to me how it happened. My credit card was in my wallet, and I don't even have a pin for cash advances on the card, yet someone made a copy of my card and somehow got a working pin. Strange, huh? I'm not too concerned about it, the credit card company caught the charges and called me about it to deactivate the card, and I am not liable, but now I have this creeped out feeling about what other personal and financial information is out there, and how it was obtained.
This isn't the first time this has happened to me; I've had two different credit card numbers stolen over the last thirty years (one was an Amex stolen out of the mail at the Navy base I worked at in the 80's and the other an online purchase with a visa card a few years ago). Those incidents weren't as disturbing for some reason. I guess it's just a sign of the times we live in.
Time for LifeLock? ;-)
I don't know what is worse: the poor grammar in the email, or the IDIOT who works at Apple. Can I have a high paying job at Apple too? I promise to be a complete moron and screw things up just as fast as I can.
July 09 2008 at 1:22 PM
"As a result of the login change, the perp had access to Karppinen's credit card details..."
Unless you count the last 4 digits of a credit card number as "details", that's patently untrue.
Apple does not allow you to view your CC details through your account other than the last 4 digits.
It is true that he could have used the stored card data for iTunes Store purchases, but that's about all.
Alright already. Enough with this stupid story. It's been on Digg, it's been on consumerist, it's been on AppleInsider, it's been on CultofMac, it's been on MacRumors, etc etc etc.
How many sites need to post the same daggone story?
To those who aren't understanding it: a phisher sent that forged email directly from his own email account to apple saying "Hello, I have lost my password, can you send me login info for my account, and change it to match this email marko.[redacted]@yahoo.com?" and Apple did without checking anything, let alone the horribly broken grammar.
And to the guy who asked why you'd store your credit card anywhere, it's because he had to to use their services.
All your passwords are belong to us.
July 09 2008 at 12:54 PM