
Apple Now Sending Alert Emails When iCloud Accounts Accessed via Web

MacRumors

macrumors bot
Original poster
Apr 12, 2001
51,581
13,207



In an interview last week, Apple CEO Tim Cook noted that Apple would be beefing up iCloud security measures in response to the recent disclosure of compromised celebrity accounts. Among the additional security features said to be rolling out over the following two weeks were new email alerts whenever there is an attempted password change, a device restore from the account, or a login from a new device. Password change and login alerts had previously only been sent when the event took place on an unknown Apple device.

As noted by Letem světem Applem and confirmed by MacRumors, Apple has already begun sending out alert emails when iCloud accounts are accessed via web browsers. The alerts are being sent out even if the specific browser has been used previously to access iCloud, but this is presumably a one-time measure that will not be repeated for future logins with that combination of browser and machine.

With Apple rumored to be announcing a mobile payments service at tomorrow's event, it is clear the company needs to reassure users that it is taking security seriously. While the compromised celebrity accounts were targeted attacks rather than a wholesale breach of Apple's iCloud systems, the company's move to enhance security and keep users informed is an important one.

Article Link: Apple Now Sending Alert Emails When iCloud Accounts Accessed via Web
 

X-X

macrumors 6502
Aug 22, 2014
401
9
Apple Email:

Someone just stole all your data.

You can reset your password now.
 
Comment

DipDog3

macrumors 65816
Sep 20, 2002
1,185
679
Apple should place access from new devices on a 24 hour delay unless the email is acknowledged. That way you can stop people from stealing your data instead of reacting after the fact.
 
Comment

BruiserB

macrumors 68000
Aug 9, 2008
1,628
535
If the e-mail associated with your account is your @icloud.com email, wouldn't the unauthorized person have access to this email account via logging into icloud and then they would simply be able to delete the alert email as soon as they log in?
 
Comment

Toltepeceno

Suspended
Jul 17, 2012
1,807
554
SMT, Edo MX, MX
If the e-mail associated with your account is your @icloud.com email, wouldn't the unauthorized person have access to this email account via logging into icloud and then they would simply be able to delete the alert email as soon as they log in?

I didn't think you could associate your icloud.com email with your icloud account.
 
Comment

isepic

macrumors member
May 10, 2008
36
10
If the e-mail associated with your account is your @icloud.com email, wouldn't the unauthorized person have access to this email account via logging into icloud and then they would simply be able to delete the alert email as soon as they log in?

Exactly what I was thinking, however, they don't send the email immediately. It appears to go out hours after the fact. Which is both good, and bad I suppose. Maybe they should also send SMS / iMessage too.
 
Comment

Madonepro

macrumors 6502
Mar 16, 2011
403
288
Apple should place access from new devices on a 24 hour delay unless the email is acknowledged. That way you can stop people from stealing your data instead of reacting after the fact.

As most of the time you would be using a 'device' to access iCloud services, when access is attempted via a browser, could they not use the verification in place with the Apple ID? In other words, send a code via your authorised devices to allow log in. No code, no access!
 
Comment

EdgardasB

macrumors 6502a
Apr 14, 2014
618
80
Lithuania
Doesn't work for Lithuania... -.-' Apple doesn't care about smaller countries like always...even two-step verification doesn't work...
 
Comment

tzeshan

macrumors regular
Dec 12, 2009
205
3
The most secure way is the following, which many financial companies have been doing. When trying to access iCloud via a web browser, Apple should send an authorization email to the user with a dynamic code.
 
Comment

BruiserB

macrumors 68000
Aug 9, 2008
1,628
535
If the e-mail associated with your account is your @icloud.com email, wouldn't the unauthorized person have access to this email account via logging into icloud and then they would simply be able to delete the alert email as soon as they log in?

I just confirmed this works. I logged into my icloud.com account. Within a few minutes I had the warning e-mail in my icloud mail. I deleted it from the web interface and looked at my phone and there is no evidence of me having received the email.

EDIT: Actually I can look in the Trash for my icloud email on my phone and see it there. But if I had deleted it from the trash in the web interface, it wouldn't show there either.
 
Comment

jrlcopy

macrumors 6502
Jun 20, 2007
484
373
Wish they followed all the other websites, Google, Facebook, etc., and included the location in the email.

It makes it an easy way to help the users be sure that it wasn't them that logged in.
 
Comment

Serban

Suspended
Jan 8, 2013
5,159
926
Seems that it works even in the EU. But you get the email 4-5 minutes after you signed out.
 
Comment

wesk702

macrumors 68000
Jul 7, 2007
1,808
366
The hood
Unfortunately, the population that is most susceptible to these attacks uses the same password for email and iCloud as well as everything else.
 
Comment

charlituna

macrumors G3
Jun 11, 2008
9,633
815
Los Angeles, CA
Apple should place access from new devices on a 24 hour delay unless the email is acknowledged. That way you can stop people from stealing your data instead of reacting after the fact.

That will go over great. My 6 year old nephew drops my iPhone in the toilet and I have to go get a replacement. But to 'protect my data' I can't have any of it for 24 hours after I log in. So for that day I can't load my backup, access my contacts etc. Why the hell did I back up to iCloud anyway?

Oh wait, iCloud is shiiiiite anyway so why would I. I should be doing it on my computer which is far safer blah blah.

----------

I didn't think you could associate your icloud.com email with your icloud account.

How do you think you get an iCloud.com email? Either it is your Apple ID or you add it to your Apple ID and it logs in when you log in to that account.

So to answer the question: yes, if your login is an iCloud.com email the 'hacker' could just delete the warning email. And thanks to the joy of IMAP it would be deleted on all devices etc. Just have to make sure you access the account at a time when the true owner isn't as likely to be looking at devices, like the middle of the night.
 
Comment