
macrumors bot
Original poster
Apr 12, 2001
60,406
24,866



Last night a few users began reporting that their Apple IDs had been compromised, causing them to be locked out of their accounts. Recovering and password resets worked for a handful of Apple IDs, but it was still unclear overnight what might have been happening to cause the small breach in Apple's otherwise secure universal log-in system.

This morning speculation came to a close as third-party email client Spark confirmed that an upgrade to faster servers for iCloud users on the platform triggered the issue and forced password resets in a collection of Apple IDs. The company mentioned that it has been preparing to launch Spark for Mac, which was the reason for the faster server upgrade, but now promises that "there's NO breach or data leak" that users have to worry about.


Readdle, the creators of Spark, reiterated what it tweeted out throughout the morning in a post on Reddit.
Hello guys,

Thank you for the feedback and comments! Our team has been investigating this for a few hours. What we know so far:

1. There's no breach or data leak according to our investigation.
2. The new, faster AWS server logic might have triggered iCloud security algos. We are already working with Apple to learn more details.

We are doing some server side work to make Spark much faster, and to make it ready for the Mac version, which is already in Alpha. We will keep you updated once we have more news from Apple side.

Thank you.
As some users have noted, the security problem didn't hit all Spark users who use the service with their iCloud account. The company said that it's working with Apple to get the issue fixed as soon as possible, but it seems that users affected by the security lockouts need not worry about malicious attempts at entry into their private Apple ID at least. If Readdle posts any more updates on its fix for the problem, we'll update this story as well.

Article Link: Spark Says 'No Breach or Data Leak' After Users Get Locked Out of Apple IDs
 

robinp

macrumors 6502a
Feb 1, 2008
731
1,718
Glad they are preparing a Mac app. It will make the slightly annoying experience of using a third party email app on iPhone much more palatable if you can get the same features on the Mac as well.
 
  • Like
Reactions: drumcat

Dwalls90

macrumors 603
Feb 5, 2009
5,379
4,201
This was extremely frustrating. I changed passwords multiple times, and it wouldn't sync across - spent at least an hour before giving up, after being locked out from Apple cloud services all night.
 

l00pback

macrumors regular
May 28, 2010
134
131
Breach or not, they could have at least apologised considering the inconvenience created in changing out your Apple ID password.
If you are expecting an apology every time you're inconvenienced, you are going to be miserable. Just change your password, and move on with your life.
 
  • Like
Reactions: willmtaylor

coolfactor

macrumors 603
Jul 29, 2002
6,055
7,372
Vancouver, BC
I'm confused. Does Spark impersonate the user and download messages on their behalf? So Spark's servers are storing Apple ID credentials? I don't see how a Spark server upgrade would interfere with Apple ID authentication unless they were "sitting in the middle" somehow, and there's no way that I would use such an app, if that were the case. I'll need to read up on the Spark Mail app a bit more.
 

Rigby

macrumors 603
Aug 5, 2008
6,105
10,040
San Jose, CA
It seems to me that, from the security perspective, it's just a bad idea to use an email service that inserts itself between you and the actual email provider, since they still have to store your password on their servers in case the email provider doesn't offer secure authentication via OAuth tokens (which iCloud doesn't). This affects not only Spark, but also the Outlook mail app. This time it was apparently harmless, next time it could be a serious breach. And two-factor doesn't really help in case of iCloud, since you have to use an application password which is not protected ...
 

mrat93

macrumors 68000
Dec 30, 2006
1,981
1,899
So I'm an idiot and reset my password when I was prompted yesterday while I was drunk and in the city. I forgot the password I used, but it was something I haven't used before. No chance I can remember it. I have a recovery key that isn't going through. I have access to all of my trusted devices though. Am I out of luck and need to get a new Apple ID?
 
  • Like
Reactions: wwetech

wwetech

macrumors member
Jul 15, 2008
41
29
So I'm an idiot and reset my password when I was prompted yesterday while I was drunk and in the city. I forgot the password I used, but it was something I haven't used before. No chance I can remember it. I have a recovery key that isn't going through. I have access to all of my trusted devices though. Am I out of luck and need to get a new Apple ID?

No, try recovery key again, it always works for me, it should work if it's the right key. Otherwise use a rescue email that I'm sure you made (because everyone does this, right? Lol). Other than that try answering security questions because everyone remembers these, right? Lol. If you have trusted devices with 2 factor authentication on you can use those to reset password. If because of some miracle all that doesn't work (which wouldn't be quite a miracle, somehow people still manage to not recover their password) contact Apple. They will help you. Have a good day.
 

coolfactor

macrumors 603
Jul 29, 2002
6,055
7,372
Vancouver, BC
It seems to me that, from the security perspective, it's just a bad idea to use an email service that inserts itself between you and the actual email provider, ...

Exactly. It raises so many questions.
  • Since they are impersonating you, they need to keep your password stored, not a one-way hash of it. How securely are they storing it? Who has access to it at the company?
  • How secure is the email storage on their servers? Do they have one giant database serving all users, and filter by ID, or separate, segregated databases for each user?
  • Can technical problems at their end cause emails to be deleted unintentionally?
Email is far too important to me to introduce layers of complexity and uncertainty like that.

(@Runbox rocks for email, by the way.)
 

adrianlondon

macrumors 601
Nov 28, 2013
4,389
6,167
Switzerland
I'm confused. Does Spark impersonate the user and download messages on their behalf? So Spark's servers are storing Apple ID credentials? I don't see how a Spark server upgrade would interfere with Apple ID authentication unless they were "sitting in the middle" somehow, and there's no way that I would use such an app, if that were the case. I'll need to read up on the Spark Mail app a bit more.
Info is here:
https://readdle.com/blog/2015/06/how-we-handle-your-account-information-in-spark/

Basically, they need your user/password so they can poll for new emails on your behalf and send notifications. They go on to say if you disable notifications, user/password information will be removed from their servers.
 

mrat93

macrumors 68000
Dec 30, 2006
1,981
1,899
No, try recovery key again, it always works for me, it should work if it's the right key. Otherwise use a rescue email that I'm sure you made (because everyone does this, right? Lol). Other than that try answering security questions because everyone remembers these, right? Lol. If you have trusted devices with 2 factor authentication on you can use those to reset password. If because of some miracle all that doesn't work (which wouldn't be quite a miracle, somehow people still manage to not recover their password) contact Apple. They will help you. Have a good day.

I figured out the issue. I emailed it to Apple, as I feel like this is an easily-made mistake.

Screen Shot 2016-07-15 at 1.44.56 PM.png


When you click the option to generate a new recovery key, the above dialogue pops up. However, the new recovery key isn't active until you click Continue and type it in again. I didn't realize this when I generated a new key last month. This should be made more obvious. I'm glad I saved my old recovery key, otherwise I would not have been able to access my account, and I'd have to create a new account.
 

Peepo

macrumors 65816
Jun 18, 2009
1,129
571
I thought Spark was better vs. Outlook in regards to not being in the middle storing passwords etc. Now that I hear this, I have removed it. I have had my account locked out twice this week.

With 2 factor authentication on iCloud, there should be no way Spark could permanently hack your iCloud account since you have to generate a one time password for it. But I still don't like that it locks accounts. Maybe after everything is fixed I'll give it another try.
 