

Apple just gave out my Apple ID password because someone asked - edw519
http://blog.karppinen.fi/2008/07/apple-just-gave-out-my-apple-i.html

======
swombat
Incredible. Someone should probably get fired for this - not the poor sod who
changed the account details, but probably the person in charge of customer
service processes for .mac. That's just... appalling.

I also look forward to seeing Apple's response (or to hearing comments from
any Appleistas on this site?).

------
yan
If that's an accurate account of what happened, that really is just
unacceptable.

~~~
notauser
It's a good example of why some of us don't trust cloud computing/storing your
data online with any random company.

If the very well funded Apple can screw up this badly, just think what most
places could manage.

------
mattmaroon
Apple just works. Even when you ask for someone's password.

~~~
froo
... now eagerly awaiting a Mac vs PC parody of this event.

Anyone got good suggestions?

~~~
dkokelley
Mac: Hi, I'm a Mac.

PC: (Standing behind windows firewall pictured here:
<http://obligement.free.fr/images/windows_firewall.jpg>) Welcome, commercial
viewer #3113452. Please enter your password.

Mac: PC, what's going on? We're just doing a commercial.

PC: You can't be too safe these days, with viruses and hackers all around the
internet.

Mac: Well, yes, actually. You CAN be too safe.

PC: What do you mean?

Mac: Well, with our new MobileMe (.mac) service, you don't need passwords.
It's all part of our new "Mac Experience" program.

PC: Really? That doesn't sound very secure.

Mac: Actually, it's very secure. You see, in order to log in to your MobileMe
service, all you need to do is contact customer service. By giving out
passwords through customer service, we add an extra level of security through
a human interface. That makes it nearly impossible to make a mistake.

PC: Sounds good. (As he steps around the "firewall") I thought this whole
password-security thing sounded silly.

On screen: MobileMe, you could be anyone.

End

------
bdotdub
I can't imagine anyone acting upon that email. It made no sense whatsoever.
Might as well have said "password, please give me at marko.blah@yahoo.com"

That's ridiculous.

~~~
ConradHex
Although, in their defense, what do you think most _legitimate_ support emails
from actual customers look like? This can't have been far off.

But still, their security process has a hole big enough to drive a truck
through.

~~~
bdotdub
True enough. But yeah, definitely should've been a followup, one without the
password to the account.

------
zacharye
Kudos to Apple Support - they responded to that grammatical marvel of an email
so fast!

The poor guy will probably need to spend weeks undoing their mess...
Can't wait for Apple's response.

------
ydavid
It's pretty clear that our 'personal' information just isn't so personal
anymore, so I think that it's a good idea for companies that use verification
questions to be very careful to determine that the verification questions that
they use for password reset or identification purposes contain truly 'private'
information. It's scary when I call up a bank and I can get full access to my
account by just giving my account number and my mother's maiden name. Isn't
that information in a database somewhere? If I'm on facebook and my mom is on
facebook, how hard is it to figure that out? Genealogy websites would probably
also be a great help to dig up this info.

My other favorite verification questions are "Where were you born?" and
"What's your birthday?". Hm... these are also Facebook profile questions, and
they're also not so hard to dig up.

I thought that my social security number was private at least, but last week
(no joke) I got a letter in the mail from UPenn saying that a university
researcher's laptop containing my social security number had gone missing. fun
fun.

My recommendation for web developers would be to rely on users having control
of their email accounts and to not allow for "security questions." And if
there is a problem with someone's email account being hacked, speak with the
customer and use your common sense to resolve the situation. You can always
just suspend the account pending the outcome of your 'investigation'. But
please please don't outsource this 'investigation' task to people who lack
communication skills and/or common sense. (e.g. PayPal, eTrade, Citibank &
Dell)

------
dkokelley
Absolutely unacceptable. If anything, the reset password instructions should
have been sent, and nothing else.

On the other hand, Apple now has an incredible PR/customer relations
opportunity. Could you imagine if Apple came back to him with free products,
free .mac (mobileme) subscription, and a team of people to help re-secure his
information? If that happened to me I would feel that they did their part in
restoring my confidence. I doubt this is an exploitable loophole in account
security as much as it is simply a fluke or blunder on behalf of one man in a
customer support center.

------
jrockway
_am forget my password of mac,did you give me password on new email
marko.[redacted]@yahoo.com_

My response, even if I were a paid customer service rep, would have been:
"What?"

Seriously, "did" instead of "could"? No capital letters? No space between the
comma and "did"? Etc. etc. etc. The mail just doesn't make any sense. Reading
it makes me want to cry.

~~~
Timothee
> did you give me password on new email marko.[redacted]@yahoo.com

The reply was probably: "Yes I did. Apple thanks you for your business"

------
rw
The password was given out, or the password was changed? Encryption, people...

------
s3graham
Hmm, and I thought I was clever when I put that my "mother's maiden name" (or
whatever asinine question they ask) was a GUID. Apparently there's an easy
workaround to my security...

------
bgutierrez
Disappointment #2 is storing the passwords in plain text.

~~~
tlrobinson
Where do you see any indication that passwords are stored in plain text?

The password reset options I see just give you a way to change the password,
not retrieve your existing password.

~~~
bgutierrez
I'm assuming that the writer wasn't making things up when he said that .mac
support gave someone his password.

~~~
tlrobinson
His password was changed, so I would assume .mac support gave the guy a link
to reset the password.

~~~
bgutierrez
I hope so.
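
The flow ydavid recommends above (rely on control of the e-mail address on file, no security questions, never hand out a password) and the one tlrobinson assumes here (reset links that change the password rather than retrieve it) can be shown in a single piece of code. The following is an added example written for this page; it is not Apple's or .Mac's code and not from the original post. The class and function names, the `example.invalid` reset URL, the PBKDF2 parameters, the 15-minute token lifetime and the account data in `demo()` are all constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    email_on_file: str   # the only address a reset link may ever go to
    pw_salt: bytes
    pw_hash: bytes       # salted hash only; the password itself is never stored


class ResetService:
    """Hypothetical e-mail based password reset (constructed example, not a real service)."""

    TOKEN_TTL = 15 * 60   # reset links expire after 15 minutes (assumed value)
    NEUTRAL_REPLY = "If that account exists, a reset link has been sent to its address on file."

    def __init__(self):
        self.accounts = {}   # username -> Account (stands in for a database)
        self.pending = {}    # sha256(token) -> (username, expiry); only the hash is kept
        self.outbox = []     # (recipient, body) of messages the service "sent"

    @staticmethod
    def _hash_password(password, salt):
        # Slow salted hash: support staff can verify a password, never read one back.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, email, password):
        salt = os.urandom(16)
        self.accounts[username] = Account(username, email, salt, self._hash_password(password, salt))

    def verify_password(self, username, password):
        acct = self.accounts.get(username)
        if acct is None:
            return False
        return hmac.compare_digest(acct.pw_hash, self._hash_password(password, acct.pw_salt))

    def request_reset(self, username, requested_email=None, now=None):
        """Handle "I forgot my password, send it to <address>".

        requested_email is whatever the requester typed and is deliberately
        ignored: the link goes only to the address already on file, the reply
        never contains a password, and the reply text is the same whether or
        not the account exists, so the endpoint does not confirm accounts.
        """
        now = time.time() if now is None else now
        acct = self.accounts.get(username)
        if acct is not None:
            token = secrets.token_urlsafe(32)
            self.pending[hashlib.sha256(token.encode()).digest()] = (username, now + self.TOKEN_TTL)
            self.outbox.append((acct.email_on_file,
                                f"Reset your password: https://example.invalid/reset?token={token}"))
        return self.NEUTRAL_REPLY

    def complete_reset(self, token, new_password, now=None):
        """Consume a reset token (single use, time-bound) and set a new password."""
        now = time.time() if now is None else now
        entry = self.pending.pop(hashlib.sha256(token.encode()).digest(), None)
        if entry is None:
            return False   # unknown, already used, or forged token
        username, expires_at = entry
        if now > expires_at:
            return False   # expired; the token has already been discarded above
        acct = self.accounts[username]
        acct.pw_salt = os.urandom(16)
        acct.pw_hash = self._hash_password(new_password, acct.pw_salt)
        return True


def token_from_mail(body):
    """Pull the token out of a constructed outbox message."""
    return body.split("token=", 1)[1]


def demo():
    """Replay the situation in the thread: a stranger asks for the password to be
    sent to a different address. Returns the observable outcomes (constructed data)."""
    svc = ResetService()
    svc.register("marko", "marko@example.invalid", "correct horse battery")
    reply = svc.request_reset("marko", requested_email="someone-else@example.invalid")
    recipient, body = svc.outbox[-1]
    token = token_from_mail(body)
    return {
        "reply_mentions_password": "correct horse" in reply,
        "mail_went_to_address_on_file": recipient == "marko@example.invalid",
        "legit_reset_ok": svc.complete_reset(token, "new passphrase"),
        "token_replay_ok": svc.complete_reset(token, "attacker passphrase"),
        "new_password_works": svc.verify_password("marko", "new passphrase"),
        "old_password_works": svc.verify_password("marko", "correct horse battery"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the design is that there is nothing for a support agent to give away: the stored value is a salted hash, the reset link goes only to the address already on record regardless of what the request says, the token is stored hashed and dies after one use or 15 minutes, and the reply to an unknown account is identical to the reply for a real one. A human can still be talked into changing the address on file, which is why that change should itself be confirmed through the old address rather than done on request.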

------
vaksel
I bet that redacted portion of the email address is Karppinen

~~~
zacharye
He mentions in the post that it was a name other than his own:

"Did it not occur to you at all that someone at "marko.[redacted]@yahoo.com"
was not actually me? For example, because the names didn't match?"

