Privacy when having MBP serviced at an apple store

[stevers]

My girlfriend left her MBP at the Apple store in Lousiville, KY thursday morning for service. She was getting a 3 beep error on startup indicating a memory issue. The diagnosed it to a logic board which needed replacement so she left it there until about 6pm yesterday (friday).

After she picked it up and returned home, she noticed upon opening Safari that her facebook account had triggered an intrusion attempt earlier in the day. Specifically at 3:33 from IP address 12.189.231.73 which a quick whois shows as being registered to Apple. Now, at 3:33 she was attending the Kentucky Derby while her laptop lied "safely" in the hands of the local apple store. Below are screenshots of the messages she encountered (keep in mind her FB language is set to Pirate). In addition, her attempts at contacting the apple store in question resulted in such answers as "anybody could have logged in from any computer in the apple store" to "that was not an apple IP address".

Part of the service call involved her giving the password to the computer, this also happens to be the same password she uses for email and multiple other accounts, however, her facebook password is different.

Has anyone encountered such a privacy invasion and if so how have they handled it? Nobody at the local apple store cares to admit it was possible, yet the person at US tech support admitted it was an apple IP and provided no further assistance. At this point all she is looking for is someone to admit it happened and what may have been done.

Any assistance would be appreciated.

 

[miles01110]

An Apple Store employee probably logged into the machine, launched Firefox, and since your girlfriend's homepage is set to facebook with a saved password it logged in automatically. Or it could have been an errant click of the fb link in the bookmarks bar.

 

[Disc Golfer]

They probably wanted to check their own facebook and hers is set to auto login. There is absolutely no privacy or security when giving your computer over to apple service. If there's personal data on there, including photos, they'll probably see it. If there's music on there they'll probably copy it over to their library as well. Best thing to do is back up everything and install a fresh OS before bringing it in, or at least turn off auto login. And not using the same password for email / bank / facebook / whatever as the login password would be a good choice. I don't think there's anything that can be done in this case other than lesson learned. There isn't anything special about apple service people, they're still randoms that you're handing your data over to.

 

[stevers]

Her facebook isn't set to auto login, nor does it open by default.

Also, she didn't get a screenshot but it said the attempt was made using an Opera browser which she does not have installed. Nor was she able to do much with the unit prior to bringing it in because it would not boot.

The end result is someone attempted to log into her account probably using a password that worked for multiple other accounts from an IP address that traces back to Apple at the same time her laptop was in the possession of an apple store. She is curious why.

 

[chown33]

She is curious why.

She should take her evidence, as presented here, and go to the Apple store and discuss it with a manager. Do not take it up with employees, go directly to a manager.

If she doesn't get a satisfactory answer, then tell the manager she'll be sending an email to Steve Jobs. Then send the email.

 

[foidulus]

Separating admin and user accounts

General security practices usually dictate that you create a separate admin account and use that account only for administrative purposes(OS X makes this pretty easy, whenever you need an admin password it will allow you to type in both the user name and password). For your day to day uses create a separate account, making sure you have auto-login turned off. When Apple asks for the password, you give them the admin username and password.

If you are really paranoid you can go one step further you can encrypt your user accounts home directory with filevault which would make it impossible(theoretically) to get any information from the user account.

 

[FieryFurnace]

They probably wanted to check their own facebook and hers is set to auto login. There is absolutely no privacy or security when giving your computer over to apple service. If there's personal data on there, including photos, they'll probably see it. If there's music on there they'll probably copy it over to their library as well. Best thing to do is back up everything and install a fresh OS before bringing it in, or at least turn off auto login. And not using the same password for email / bank / facebook / whatever as the login password would be a good choice. I don't think there's anything that can be done in this case other than lesson learned. There isn't anything special about apple service people, they're still randoms that you're handing your data over to.

You make it sound as if doing those things is totally normal and nothing to get excited about.

As long as it is Apple doing that, it is ok then I guess...

p.s. I do know that some service people do that, but I expect some more professionalism from Apple for the money I pay for their products and AppleCare.

 

[California]

Girls are a magnet for rip offs and situations like this. Mechanics, computer techs etc. This is why I got on Mac Rumors so long ago, btw.

I would have taken the hard drive out before giving it to anyone, even repair people I know.

Apple is still a step up from the war stories I've heard about Geek Squad, tho, you will get satisfaction from an Apple store manager.

 

[zaphoyd]

Creating a new temporary admin account for apple is a good idea in cases like this.

 

[foidulus]

Creating a new temporary admin account for apple is a good idea in cases like this.

Yeah but the problem with a temporary account is that if your computer breaks, you cannot get into it to make a temporary account....

 

[xlii]

I would have your girl friend change all her passwords because someone at Apple now knows them and isn't afraid to use them. Have her change them before that person decides to have some more fun with your girl friends accounts.

 

[quasinormal]

Why worry about it? What harm has been caused?

 

[shoppy]

If any off my machines have to go in I just stick a blank stock HDD in.

 

[1rottenapple]

I usually erase my HD before getting it serviced by apple and reinstall the backup when I get it back. Honestly I would not expect my privacy to be respected by anyone working on my computer be it apple or best buy or what have you.

 

[hajime]

General security practices usually dictate that you create a separate admin account and use that account only for administrative purposes(OS X makes this pretty easy, whenever you need an admin password it will allow you to type in both the user name and password). For your day to day uses create a separate account, making sure you have auto-login turned off. When Apple asks for the password, you give them the admin username and password.

If somebody at Apple can gain access to the admin account, he/she has access to all the accounts on that computer. Isn't that true?

 

[Disc Golfer]

You make it sound as if doing those things is totally normal and nothing to get excited about.

While not exactly moral, it is totally normal. I don't know what candy coated marshmallow world you live in but taking precautions to protect oneself is usually a better option than getting "excited".

As long as it is Apple doing that, it is ok then I guess...

Just because I stated a fact that you'd prefer not to hear doesn't mean I'm justifying the behavior of service techs logging onto people's facebook accounts or otherwise accessing data. " "

p.s. I do know that some service people do that, but I expect some more professionalism from Apple for the money I pay for their products and AppleCare.

It is nice that you expect that.

 

[andyone]

Why worry about it? What harm has been caused?

Yeah, why worry about customer service snooping around on people's computers? Someone deserves to be fired for this. Plain and simple.

When Apple asks for the password

There is no reason for a customer service person to even log in to a user account, unless he is specifically asked to look at some software problem associated with the account.

 

[thecheda]

Manager

Go talk to the manager, they will probably give you something in compensation. But ALWAYS back your stuff up and delete any sensitive information. Don't trust anyone.

 

[dyn]

Yeah, why worry about customer service snooping around on people's computers? Someone deserves to be fired for this. Plain and simple.

When fixing any kind of computer you need to have access to it and be able to test whatever fix you apply. It's not a strange thing to log into a useraccount and test whatever you did to make sure the machine works properly. Customers will get angry if they find out the computer that has been fixed is in reality still broken. As no one is able to tell the other side of the story you shouldn't be pointing fingers like you're doing right now. That doesn't mean you should be trusting everyone completely, that would be very naive. Handing out your password you use for nearly everything is also the most naive and stupidest thing you could possibly do. In this case the customer contributed to the "snooping around". In your opinion this would boil down to something like "that user shouldn't be allowed to go near a computer for the next 50 years!". So, no, things aren't that plain and simple

Customer service shouldn't be snooping around and customers shouldn't be handing over their passwords.

There is no reason for a customer service person to even log in to a user account, unless he is specifically asked to look at some software problem associated with the account.

Yep, they need to be able to test if things work properly.

Having a fresh install of OS X before bringing it in is a very smart thing to do. They can't mess around with your data but they're still able to troubleshoot the machine. Unfortunately you can't always do this so disabling things like auto-login or simply not give them your password is a wise thing to do.

 

[macchiato2009]

is it safe to have my account set as an admin with a password

enable the guest account and disable auto login on my mac when giving it to an apple center?

can an apple tech access my computer account even without my password ?

do they have some kind of super-admin tools to do that ????

 

[Mactagonist]

Personally, when ever I have taken a machine in for service I have swapped the stock hard drive back in. Since I have replaced the hard drive within a few minutes of opening the package on my last three machines I have a few small apple branded 2.5" drives laying around.

Op: if you do have to email apple send it to Ron Johnson (ronj@apple.com iirc). He heads apple retail. Maybe cc Bruce Sewell their General Counsel as well.

 

[racer1441]

She is worried about her privacy but uses Facebook?

 

[Transporteur]

I'm just wondering how for gods sake you can give your personal computer to someone else (in this case even someone you certainly don't know), without at least protecting the user account with a password.

Here you have my diary for making a new leather cover, but please don't read in it...