9to5Mac reports on a widespread Apple ID security incident where users were locked out of accounts without explanation and forced to reset passwords, documenting impacts on privacy, account security, and digital service access. The coverage acknowledges multiple human rights implications—including arbitrary detention, privacy violations, and denial of digital economic and health services—through investigative reporting and amplification of user voices, though it does not propose systemic solutions or advocate for rights remedies.
Happened to me today. First got the message on my computer that my location was unknown and needed to enter a code from the phone. By the end of it, I had to reset my Apple password. No idea why it happened.
Not sure if it’s a valid data point or not. I manage 7 people’s Apple ID accounts. This has happened a few times including twice last night but only on the people who use the @icloud.com as their primary email address. Assume that is related to password guessing attacks. Both addresses are in public email leak databases.
Can only advise that you should have recovery contacts and a recovery key set up in case something goes wrong.
I'm using my own domain for e-mail, but obviously I need another e-mail for registrar, hoster, etc. I used to use gmail for that, but recently switched to icloud as I thought gmail is too dangerous with Google banning people around. Seems Apple's no better.
I have no idea how to untangle this dependency chain. I'm using registrar in my country, so if everything goes wrong, I can just contact them with my ID and hopefully fix things up, but I'd prefer to have 100% reliable e-mail in the first place.
The thing that scared me recently was two updates that gave me new encryption keys. At first I trusted apple and wrote down the new key. But I became suspicious after the second update and checked online. It seems like it's happening to others, so I used the recommended command-line tool to verify my new encryption key and it didn't verify. Apparently it works after disabling and enabling encryption, but
I'm just keeping it disabled for now.
To this day, I still get random "Enter your password to continue using iCloud" push notifications on my iPhone with no relevant action to trigger such a notification.
My Apple ID uses a unique password, I keep a recovery key, I don't have its login credentials saved anywhere, and it's a dev account; so I have my LLC's DUNS number attached to it. My devices are the only ones listed in my settings portal.
I have no idea why I get these notifications, lol.
Only tangentially related, but I have been trying to enroll for Apple's developer program for almost 3 months now.
Understanding what the problem is is essentially impossible. Going to a physical store doesn't help, calling their customer service has them telling you to go to www.apple.com/support (???), and writing for support has them rotate you through 4 different, and decreasingly useful, representatives.
The last response I got I was told the issue had to be handled by yet a different representative and it would take an "indefinite amount of time". Which may be a nice way of them saying it's never going to happen.
It really is demoralizing when you realize there is nothing you can do really, even in cases when you have done nothing wrong.
With risk of being spammy, this is probably the most relevant discussion I've seen so far on HN w.r.t my experience of being locked out from my Apple ID.
I hope legislation will force Apple to step up and be more transparent / helpful.
I can only imagine the uproar if this was happening to the users of any other company. But it's pretty muted here with a lot of consideration given for apple rather hostility. Nice to see.
could be somewhat related, last week I had a successful login for my Apple ID from a location I didn't recognise (somewhere in central asia).
I noticed because I got a prompt on my phone, which requested I allow (or disallow) the access.
Since I'm pretty good about password hygiene and security, I of course changed my password immediately and force-signed out all my devices.
That being said: if someone has a password list and is using a bot to scan them all; Apple will of course lock-out sign-in attempts.
Not to say what they're doing is right, there's better ways to handle it. But if I were to apply very recent anecdotal data to this even then this is a meaningful conclusion I could draw.
So i'm not the only one, huh. Got myself an iPhone, downloaded 2 apps, went to bed, woke up to a complete lockout. They unblocked me through a phone support request, after 18 hours, and then hit me with a fresh ban, not even 24 hours later. Account got permabanned after like 5 more calls, where they just started sending me a legal notice instead.
The fact that your device can become a complete brick, because of an issue in their completely hands-off account management system, smells like a class action suit
I was thinking about something related yesterday.
It is amazing how big "Internet Silos"
Google, Facebook, etc provide close to no
customer support services and that we "users" have
accepted this.
Getting cut off from one of these places can have a
huge impact on people.
They happen without warning and often without explanation.
I think they ought to be forced to be more open around
the process and how to get help in general.
For Apple I have usually managed to get a hold of some support.
Often not helpful but at least somebody.
With Google and Facebook I have never been able to find anyone.
Sameting that is demonstrated on this site frequently
when someone will post a plea for someone who knows people
at Google who they can't contact on their behalf.
Since they can't get hold of anyone themselves.
(Yes I am sure its covered in the EULA several times that
there is close to no support)
(For Google Workplace it is usually possible to get a hold of someone.)
I feel like these random behind the scenes issues happen a month or two before WWDC to give Apple the foundation they need to announce new services.
I had read Apple is switching the name AppleID to be Apple Account or something similar at WWDC. Me thinks they are quietly pushing code that somehow is causing this for people.
Maybe it’s an age of account issue or some other commonality.
I signed up for an at me account twenty years ago and still use that as my living and haven’t had issues. Maybe icloud.com users?
It happened to me last night! At that moment, I froze, thinking that somehow my password had leaked and someone was trying to brute-force my MFA. At the time, I was at a restaurant celebrating my son's birthday and couldn't change the password on my phone... So I just ignored it and when I got home, I changed the password on my MacBook without any trouble.
This morning, as a precaution, I changed all my important passwords.
Been locked for almost 3 months between November 2022 and January 2023.
Apple is crazy. My iPad with the authenticator broke, and even though I filled endless forms, verified emails and phone number they just keep sending me emails I was gonna be called by support at a date 3 weeks away.
Got no call, restarted the procedure. Got called in January, and it was an automatic voicemail or something..
I literally couldn't use my work machine (had a backup desktop to use).
Needless to say, except for the MBP I sadly need for work I'm not giving apple a dime for my life.
We need to get a legal advocacy group started for dealing with digital rights (EFF isn't getting it done with consumer rights). A couple of well-funded lawsuits on behalf of wronged users will fix this with all of the vendors. This kind of thing should never happen.
I understand why people enjoy Apple products, but I will never understand why people defend the company when we all know, often through direct personal experience or the experience of someone we know, that the wealthiest company is the world has chosen to provide insultingly miserable customer support as a business decision.
This makes me want to minimize my touchpoints with any of any cloud services of the hardware I purchase to ensure I can't be locked out of my life for 18-24 hours.
|
Some people have to take care of critical dependants. I don't exist and serve at the pleasure and convenience of any aspiring digital identity provider. I actually never wanted any of them to be my digital identity.
What's convenient may also be a bigger security gap and impact than many ppl realize.
The recent threads about PalmOS phones seem timely in hindsight. With Palm devices, you installed apps yourself with a sync cable to your computer, and there was no convenient app store, no one could lock you out of your smart phone and your life. Maybe that's an option that should come back. iTunes used to backup and sync just fine.
If there's no real acknowledgement or detailed coming out about this, it's very possible it's a cybersecurity incident of some kind that is serious enough. And it's not just an Apple thing. This has or will happen with every digital identity provider.
There's no one to really pick the phone or answer an email at google or apple when it comes to your digital identity that they want to be holders and providers of.. At least with the government there's a DMV or registry to go to.
The only thing you need to own is your primary email address and as long as that’s on a domain you own then you can move it. That’s about the only independence there is these days. If you use @icloud.com or @gmail.com for everything then you’re screwed.
You have to depend on someone somewhere. Just make that dependency less of an issue should anything show stopping happen.
Personally I’d like to see some legislation around identity providers and service levels and account retention.
This also spooked me. I’m a former security professional—there are few good reasons Apple should be doing this, and it smells of a targeted attack. If I had a zero-day exploit to steal your data, this is what it would look like.
In the other hand, if Apple suddenly found out that a good chunk of encrypted volumes weren’t actually encrypted / the key was recoverable by an offline attacker, this would also explain the facts.
But the lack of explanation from Apple is troubling.
I had similar issues, and I wish I could remember what solved it. It was something stupidly dumb like I had to log out and log back in on my phone or something. There have a couple of different edge case bugs that prevent people from signing up, and Apple customer support is useless on this.
I’d say your guess is right - the accounts typically get locked because hacking groups are running attacks on lists of email addresses.
The email addresses ending in @icloud.com are scraped from a master list and the attack is directed to apple, while the custom domains are ignored because there is work involved in figuring out where those are hosted.
iCloud lets the user generate secondary email addresses, it’s better to use that and keep the login email address secret.
i also did this: created an email address that i use exclusively on apple. it actually wasn’t hard at all.
zero issues since.
> The problem stems from nefarious groups getting a hold of email addresses and running distributed dictionary attacks.
years back my email was leaked by a website that i never visited. apparently someone signed up using my email address and the website never verified the email.
in the meantime more and more people used the same email address [0] to signup everywhere (it’s not the same person, i checked).
As long as you can change your Mx records, it doesn’t matter who is hosting your email. If Apple had a problem, you could switch it to any other provider and request the reset email again, etc.
Happened to me last night. I got a push notification on my watch that I needed to update my iCloud password. I thought that this isn't right, so I went to my phone and MacBook. Same thing, those devices said I needed to change my password. So I figured someone has my @iCloud email address and tried to login. I do have hardware keys setup, so wasn't terribly worried.
But none the less, I liked my old password and had to change to something else.
I bought an iPhone a couple of days ago, and was planning on using the weekend to finally migrate from my old Android phone. Luckily, I haven't even opened the box so I should be able to return it for a full refund. No way I'm spending over $1000 for this kind of experience.
> The fact that your device can become a complete brick, because of an issue in their completely hands-off account management system, smells like a class action suit
This is HN frontpage. It's on a big "Mac" website. The damage is done.
Many are going to write nonsense like: "Apple is still a $2 trillion company, so this obviously works for them" to which I'll respond with a simple question: Did it not work for Apple before these SNAFUs? Does it work better for Apple now, after fuck ups like that?
It's not normal behavior and they are losing customers over this.
We had an Apple "moment" in the family: around the 2012'ish MacBook Air era. Two at home and they worked fine, for about ten years. Then the battery issues, the keyboard issues, the trackpad issues. Eventually these MacBook Airs died a painful death.
I'm on Linux since the nineties (and, yup, I can get into my system with Apple or Microsoft forcing an online ID down my throat) but the Macs were convenient for the wife.
So we bought a MacBook Air M1. After 13 months or so the screen died alone, overnight: was working fine before closing the lid, was dead in the morning. There are threads with dozens of pages on that subject.
That's when I switched the wife to Ubuntu. Ubuntu, Linux Mint: she doesn't care. Heck, I probably could have her use Debian or Devuan (Debian without systemd).
Apple is done for us. It's over. We'll never ever buy a Mac again and I'll never ever recommend a Mac to anyone.
And I'm far from the only one thinking that way.
The damage is done.
Rationalize as much as you want, invoke AAPL's market cap as much as you want, and enjoy being locked out of of your devices without any recourse.
Don’t want to sound like I’m victim blaming the author. But I can tell you exactly the issue with their account: registering with an email on a self hosted .xyz domain. Using sketchy tld’s is just asking for this kind of trouble.
> Google, Facebook, etc provide close to no customer support services and that we "users" have accepted this.
This is why I've always rejected the concept of vendor "ecosystems" and cloud-first SaaS solutions for my personal computing. I've also designed my life so it's not dependent on having uninterrupted access to Facebook or Gmail.
Article exposes arbitrary account lockout without explanation or apparent due process, advocating for user rights through investigative coverage.
FW Ratio: 60%
Observable Facts
Article reports users being 'locked out of their Apple ID across all of their devices' without authorization.
Article states 'There doesn't appear to be any rhyme or reason as to why this is happening,' documenting lack of explanation.
Article notes Apple's official status page showed no issues despite widespread reports, indicating failure of communication.
Inferences
By exposing arbitrary account restrictions without warning or due process explanation, the article advocates for users' right to protection from arbitrary detention.
The documentation of unexplained digital lockout highlights violations of due process and supports awareness of this UDHR violation.
Article documents multiple privacy violations: forced password resets, cascade deletion of app-specific passwords, and security complications with Stolen Device Protection.
FW Ratio: 60%
Observable Facts
Article reports users are 'forced to reset their password before logging back in,' imposing involuntary privacy actions.
Article states 'if you reset your Apple ID password, any app-specific passwords you had previously set up via iCloud will be reset as well,' documenting cascade privacy violations.
Article mentions complications for users with 'Stolen Device Protection enabled,' showing secondary privacy/security vulnerabilities.
Inferences
By documenting forced password resets and automatic deletion of credentials, the article exposes violations of privacy and control over personal data.
The coverage of cascade effects on security tokens advocates for users' right to privacy and autonomy over digital credentials.
Article extensively amplifies user voices through direct quotes and links to multiple social media platforms (Mastodon, Twitter, Threads), advocating for user right to express concerns.
FW Ratio: 60%
Observable Facts
Article contains multiple embedded social media posts: 'I was mid FaceTime with @milesabovetech and my Apple account got locked,' 'Hey @AppleSupport all of my Apple products suddenly decided to lock me out,' and six additional user testimonials.
Article states 'A number of people on social media say that they were logged out' and links to 'Thread #1 on Mastodon, Thread #2 on Mastodon, Thread #3 on Mastodon,' plus Twitter threads showing direct user voices.
Article links to Michael Tsai's aggregation ('Michael Tsai's blog post') and 'Various responses on Twitter,' amplifying diverse user perspectives.
Inferences
By featuring extensive user-generated expressions, the article facilitates free expression and user agency in reporting their experiences.
The deliberate amplification of user voices across multiple platforms advocates for the right to freely express concerns about technology systems affecting them.
Article provides factual information about system vulnerability affecting users and seeks accountability from Apple, supporting right to information about systems affecting people.
FW Ratio: 60%
Observable Facts
Article provides detailed, factual reporting: 'Apple users are being locked out of their Apple IDs with no explanation.'
Article documents both internal observation ('A few of us here at 9to5Mac have also been directly affected') and external reports, providing evidence-based information.
Author states 'I've asked Apple for more information and will update if I hear anything back,' demonstrating accountability-seeking journalism.
Inferences
The article serves a critical function in providing public information about vulnerability in systems that affect millions of users.
By investigating and publishing the incident and seeking Apple comment, the coverage advocates for the right to information about technology systems affecting people's rights.
build 1ad9551+j7zs · deployed 2026-03-02 09:09 UTC · evaluated 2026-03-02 10:41:39 UTC
Support HN HRCB
Each evaluation uses real API credits. HN HRCB runs on donations — no ads, no paywalls.
If you find it useful, please consider helping keep it running.