Locked out of iCloud again today. If I disable Spark in the iCloud settings will that put a stop to this problem until this is fixed or will that not help or possibly cause problems?
 
I deleted my account in the app before I deleted it yesterday. I couldn't find anything on iCloud.com to remove anything from it otherwise. I could in my Google account though, under Gmail's account activity details page (it will still be logging into that if you don't revoke it directly).

My Apple ID has been fine today, thankfully.
 
Seriously? You'd still consider using an application that stores your login credentials on remote servers with who knows who has access to them? I can't comprehend the thought process for that.
I personally didn't think they stored them. I thought they just used my phone-stored password. Now that I know for a fact they store it off site, I'm much more upset.
 
I personally didn't think they stored them. I thought they just used my phone-stored password. Now that I know for a fact they store it off site, I'm much more upset.

"Accounts are added to Spark through OAuth where possible. Where OAuth is not supported we keep your account username and password on our secure servers. We then use the authorization provided to download your emails to our virtual servers and push to your device.
[...]
The safety and security of your information also depends on you. You should not share your email user name and password with anyone. If you find out that anyone has improperly obtained your login credentials and accesses your email account through Spark, you should immediately change your password. We are not responsible for such unauthorized access unless the access is our fault."


https://sparkmailapp.com/privacy

LOL. What a con. Apple should punt this app from the App Store.
 
"Accounts are added to Spark through OAuth where possible. Where OAuth is not supported we keep your account username and password on our secure servers. We then use the authorization provided to download your emails to our virtual servers and push to your device.
[...]
The safety and security of your information also depends on you. You should not share your email user name and password with anyone. If you find out that anyone has improperly obtained your login credentials and accesses your email account through Spark, you should immediately change your password. We are not responsible for such unauthorized access unless the access is our fault."


https://sparkmailapp.com/privacy

LOL. What a con. Apple should punt this app from the App Store.
That's horrendous. I thought I was OAuth. I did not see anywhere in the install process that I'd be giving them the right to my un/pw like that. I understood that they'd be doing a pass through and then sending it to the app, but I never thought I'd be my own MITM DDoS. :/
This stuff needs to be revocable or Apple shouldn't allow it in the Store.
 
"Accounts are added to Spark through OAuth where possible. Where OAuth is not supported we keep your account username and password on our secure servers. We then use the authorization provided to download your emails to our virtual servers and push to your device.
[...]
The safety and security of your information also depends on you. You should not share your email user name and password with anyone. If you find out that anyone has improperly obtained your login credentials and accesses your email account through Spark, you should immediately change your password. We are not responsible for such unauthorized access unless the access is our fault."


https://sparkmailapp.com/privacy

LOL. What a con. Apple should punt this app from the App Store.
That's horrendous. I thought I was OAuth. I did not see anywhere in the install process that I'd be giving them the right to my un/pw like that. I understood that they'd be doing a pass through and then sending it to the app, but I never thought I'd be my own MITM DDoS. :/
This stuff needs to be revocable or Apple shouldn't allow it in the Store.
Outlook does this as far as I know, so does CloudMagic, and various other mail clients that provide push notifications for all kinds of accounts. Nothing new or strange there really.
 
Outlook does this as far as I know, so does CloudMagic, and various other mail clients that provide push notifications for all kinds of accounts. Nothing new or strange there really.

Outlook has two differences between some arbitrary app developer. Firstly, you have to configure logging into external email accounts explicitly and optionally, and, secondly, Outlook is owned by Microsoft. I don't trust Microsoft but I'd ethically trust an established company like them before an unknown quantity like sparkmailapp.com. I've no idea who Cloud Magic is so I don't know what they offer.

In my boat, for sparkmailapp.com, see Microsoft. I wouldn't give either my login details for Apple.
 
Outlook has two differences between some arbitrary app developer. Firstly, you have to configure logging into external email accounts explicitly and optionally, and, secondly, Outlook is owned by Microsoft. I don't trust Microsoft but I'd ethically trust an established company like them before an unknown quantity like sparkmailapp.com. I've no idea who Cloud Magic is so I don't know what they offer.

In my boat, for sparkmailapp.com, see Microsoft. I wouldn't give either my login details for Apple.
You seem awfully worked up. FWIW, Readdle is a reputable company. Also, the fact that you're expressing more trust in Microsoft and also haven't heard of CloudMagic, says a lot about you and how seriously to take your remarks.
 
Somehow "new and strange" seems to be more applicable today.

Outlook has two differences between some arbitrary app developer. Firstly, you have to configure logging into external email accounts explicitly and optionally, and, secondly, Outlook is owned by Microsoft. I don't trust Microsoft but I'd ethically trust an established company like them before an unknown quantity like sparkmailapp.com. I've no idea who Cloud Magic is so I don't know what they offer.

In my boat, for sparkmailapp.com, see Microsoft. I wouldn't give either my login details for Apple.
It doesn't really change that this kind of thing has been fairly typical of various mail apps that provide push notifications for all kinds of mail accounts (in particular Gmail that many people want to have push notifications for, since those aren't natively supported by Apple's native mail app). So while different people might feel differently about it all, it's still not anything new or strange.
 
It doesn't really change that this kind of thing has been fairly typical of various mail apps that provide push notifications for all kinds of mail accounts (in particular Gmail that many people want to have push notifications for, since those aren't natively supported by Apple's native mail app). So while different people might feel differently about it all, it's still not anything new or strange.

Well, call it whatever you want. It sucks, because I was locked out a fourth time.
 
Well, the part about it affecting things with Apple and iCloud, that's certainly new and strange, and shouldn't be happening.

Honestly, I just thought that if there was a data breach for a third-party like this, I'd just pull the permission within iCloud. I'm embarrassed to find that there's no mechanism for that. I'd been lulled to assuming everyone did it, like google, fb, twitter, dropbox... Silly me. I wasn't expecting them to host my irrevocable password, nor did I think that this would be the outcome. I actually assumed that if they borked something, I'd have more control.

I'm sure Readdle is in deep poo on this one, but I am done with them. I wish them all the luck going forward, because they will need it. I'm going to go back to trying to get Push to work on my phone. The only reason I switched was because Push worked on Spark when it didn't on the Apple mail app. C'est la vie.
 
Info is here:
https://readdle.com/blog/2015/06/how-we-handle-your-account-information-in-spark/

Basically, they need your user/password so they can poll for new emails on your behalf and send notifications. They go on to say if you disable notifications, user/password information will be removed from their servers.
Oh my. That is horrifically scary. For starters, giving your password to another party is not a good idea, and now, if US lawmakers have their way, illegal. Last I checked my Mail.app, it was capable of notifying me when I got new mail. There is so much left unanswered in that blog post that I am genuinely scared for all the people who use this password harvest ... I mean, email service.
 
It doesn't really change that this kind of thing has been fairly typical of various mail apps that provide push notifications for all kinds of mail accounts (in particular Gmail that many people want to have push notifications for, since those aren't natively supported by Apple's native mail app). So while different people might feel differently about it all, it's still not anything new or strange.

This hack should be a wake up call for those who are careless with their Email login credentials. Bad things will happen when they are in the hands of bad people who can permanently lock you out of your email. The ramifications shouldn't be underestimated.
 
This hack should be a wake up call for those who are careless with their Email login credentials. Bad things will happen when they are in the hands of bad people who can permanently lock you out of your email. The ramifications shouldn't be underestimated.
This isn't/wasn't a hack. Did you bother reading the article at all?
 