Spark Says 'No Breach or Data Leak' After Users Get Locked Out of Apple IDs

[MacRumors]

Last night a few users began reporting that their Apple IDs had been compromised, causing them to be locked out of their accounts. Recovering and password resets worked for a handful of Apple IDs, but it was still unclear overnight what might have been happening to cause the small breach in Apple's otherwise secure universal log-in system.

This morning speculation came to a close as third-party email client Spark confirmed that an upgrade to faster servers for iCloud users on the platform triggered the issue and forced password resets in a collection of Apple IDs. The company mentioned that it has been preparing to launch Spark for Mac, which was the reason for the faster server upgrade, but now promises that "there's NO breach or data leak" that users have to worry about.

Readdle, the creators of Spark, reiterated what it tweeted out throughout the morning in a post on Reddit.

Hello guys,

Thank you for the feedback and comments! Our team has been investigating this for a few hours. What we know so far: 1. There's no breach or data leak according to our investigation. 2. The new, faster AWS server logic might have triggered iCloud security algos. We are already working with Apple to learn more details. We are doing some server side work to make Spark much faster, and to make it ready for the Mac version, which is already in Alpha. We will keep you updated once we have more news from Apple side.

Thank you.

As some users have noted, the security problem didn't hit all Spark users who use the service with their iCloud account. The company said that it's working with Apple to get the issue fixed as soon as possible, but it seems that users affected by the security lockouts need not worry about malicious attempts at entry into their private Apple ID at least. If Readdle posts any more updates on its fix for the problem, we'll update this story as well.

Article Link: Spark Says 'No Breach or Data Leak' After Users Get Locked Out of Apple IDs

 

[Thomasasz]

Happened to me as well. Password reset worked fine. Hope they keep our data safe...

 

[Shark5150]

Happened to me as well. Changed password and all is fine. Just inconvenient since it needs changing on all my devices.

 

[Telos101]

I had the same thing happen. Good to know it's nothing suspicious. Thanks, MR.

 

[ozthegweat]

Woke up to a locked account as well. Good to know it was a bug and that I'm not the target of an attack.

 

[robinp]

glad they are preparing a Mac app. It will make the slightly annoying experience of using a third party email app on iphone much more palatable if you can get the same features on the Mac as well.

 

[WordsmithMR]

I was super paranoid last night. Had no idea what could've triggered it. Thankfully this article clarified the issue.

 

[Dwalls90]

This was extremely frustrating. I changed passwords multiple times, and it wouldn't sync across - spent at least an hour before giving up, after being locked out from Apple cloud services all night.

 

[Ivan0310]

Glad to know no one was trying to compromise my Apple ID. Makes me feel a lot better having two-factor authentication enabled.

 

[einsteinbqat]

Happened to me, too. Called Apple Support yesterday, and they could not tell me. Now this clears it up!

 

[Max Portakabin]

Breach or not, they could have at least apologised considering the inconvenience created in changing out your Apple ID password.

 

[utwarreng]

Breach or not, they could have at least apologised considering the inconvenience created in changing out your Apple ID password.

They did.
https://www.reddit.com/r/apple/comm..._been_a_breach_of_apple_ids_something/d5d49y7

 

[l00pback]

Breach or not, they could have at least apologised considering the inconvenience created in changing out your Apple ID password.

If you are expecting an apology every time you're inconvenienced, you are going to be miserable. Just change your password, and move on with your life.

 

[coolfactor]

I'm confused. Does Spark impersonate the user and download messages on their behalf? So Spark's servers are storing Apple ID credentials? I don't see how a Spark server upgrade would interfere with Apple ID authentication unless they were "sitting in the middle" somehow, and there's no way that I would use such an app, if that were the case. I'll need to read up on the Spark Mail app a bit more.

 

[Rigby]

It seems to me that, from the security perspective, it's just a bad idea to use an email service that inserts itself between you and the actual email provider, since they still have to store your password on their servers in case the email provider doesn't offer secure authentication via oauth tokens (which iCloud doesn't). This affects not only Spark, but also the Outlook mail app. This time it was apparently harmless, next time it could be a serious breach. And two-factor doesn't really help in case of iCloud, since you have to use an application password which is not protected ...

 

[mrat93]

So I'm an idiot and reset my password when I was prompted yesterday while I was drunk and in the city. I forgot the password I used, but it was something I haven't used before. No chance I can remember it. I have a recovery key that isn't going through. I have access to all of my trusted devices though. Am I out of luck and need to get a new Apple ID?

 

[tennisproha]

Readdle is the most POS software company there is so not surprising.

 

[wwetech]

So I'm an idiot and reset my password when I was prompted yesterday while I was drunk and in the city. I forgot the password I used, but it was something I haven't used before. No chance I can remember it. I have a recovery key that isn't going through. I have access to all of my trusted devices though. Am I out of luck and need to get a new Apple ID?

No try recovery key again, it always works for me, it should work if it's the right key. Otherwise use a rescue email that I'm sure you made (because everyone does this, right? Lol). Other than that try answering security questions because everyone remembers these, right? Lol. If you have trusted devices with 2 factor authentication on you can use those to reset password. If because of some miracle all that doesn't work (which wouldn't be quite a miracle, somehow people still manage to not recover their password) contact Apple. They will help you. Have a good day.

 

[coolfactor]

It seems to me that, from the security perspective, it's just a bad idea to use an email service that inserts itself between you and the actual email provider, ...

Exactly. It raises so many questions.

• Since they are impersonating you, they need to keep your password stored, not a one-way hash of it. How securely are they storing it? Who has access to it at the company?
• How secure is the email storage on their servers? Do they have one giant database serving all users, and filter by ID, or separate, segregated databases for each user?
• Can technical problems at their end cause emails to be deleted unintentionally?

Email is far too important to me to introduce layers of complexity and uncertainty like that.

(@Runbox rocks for email, by the way.)

 

[Smileyboy]

That explains why my Apple ID was locked. But now I have security concerns about Spark...

 

[C DM]

Readdle is the most POS software company there is so not surprising.

That certainly explains why you think that.

 

[adrianlondon]

I'm confused. Does Spark impersonate the user and download messages on their behalf? So Spark's servers are storing Apple ID credentials? I don't see how a Spark server upgrade would interfere with Apple ID authentication unless they were "sitting in the middle" somehow, and there's no way that I would use such an app, if that were the case. I'll need to read up on the Spark Mail app a bit more.

Info is here:
https://readdle.com/blog/2015/06/how-we-handle-your-account-information-in-spark/

Basically, they need your user/password so they can poll for new emails on your behalf and send notifications. They go on to say if you disable notifications, user/password information will be removed from their servers.

 

[mrat93]

No try recovery key again, it always works for me, it should work if it's the right key. Otherwise use a rescue email that I'm sure you made (because everyone does this, right? Lol). Other than that try answering security questions because everyone remembers these, right? Lol. If you have trusted devices with 2 factor authentication on you can use those to reset password. If because of some miracle all that doesn't work (which wouldn't be quite a miracle, somehow people still manage to not recover their password) contact Apple. They will help you. Have a good day.

I figured out the issue. I emailed it to Apple, as I feel like this is an easily-made mistake.

When you click the option to generate a new recovery key, the above dialogue pops up. However, the new recovery key isn't active until you click Continue and type it in again. I didn't realize this when I generated a new key last month. This should be made more obvious. I'm glad I saved my old recovery key, otherwise I would not have been able to access my account, and I'd have to create a new account.

 

[Mactendo]

Whatever they say I'd run away from such service.

 

[Peepo]

I thought Spark was better vs. Outlook in regards to not being in the middle storing passwords etc. Now that I hear this, I have removed it. I have had my account locked out twice this week.

With 2 factor authentication on iCloud, there should be no way Spark could permanently hack your iCloud account since you have to generate a one time password for it. But I still don't like that it locks accounts. Maybe after everything is fixed I'll give it another try.