The fact that your device can become a complete brick, because of an issue in their completely hands-off account management system, smells like a class action suit

This is HN frontpage. It's on a big "Mac" website. The damage is done.

Many are going to write nonsense like: "Apple is still a $2 trillion company, so this obviously works for them" to which I'll respond with a simple question: Did it not work for Apple before these SNAFUs? Does it work better for Apple now, after fuck ups like that?

It's not normal behavior and they are losing customers over this.

We had an Apple "moment" in the family: around the 2012'ish MacBook Air era. Two at home and they worked fine, for about ten years. Then the battery issues, the keyboard issues, the trackpad issues. Eventually these MacBook Airs died a painful death.

I'm on Linux since the nineties (and, yup, I can get into my system with Apple or Microsoft forcing an online ID down my throat) but the Macs were convenient for the wife.

So we bought a MacBook Air M1. After 13 months or so the screen died alone, overnight: was working fine before closing the lid, was dead in the morning. There are threads with dozens of pages on that subject.

That's when I switched the wife to Ubuntu. Ubuntu, Linux Mint: she doesn't care. Heck, I probably could have her use Debian or Devuan (Debian without systemd).

Apple is done for us. It's over. We'll never ever buy a Mac again and I'll never ever recommend a Mac to anyone.

And I'm far from the only one thinking that way.

The damage is done.

Rationalize as much as you want, invoke AAPL's market cap as much as you want, and enjoy being locked out of of your devices without any recourse.

The only difference I've seen between Apple and my previous laptop brands is that their support techs are useful.

I haven't bought one myself simply because I have my own units that still work 10-15 years later. The screens mean they're dreadful as actual hands-on laptop experiences, but they're perfectly fine for home servers with built-in battery backup and management console.

Ditto HP. Their machines are… not great to operate on (from a maintenance perspective), their hardware maintenance manuals are much lower quality than they used to be…

Only dell latitude hasn’t disappointed me yet, and I fix laptops as a hobby so I’ve worked on quite a few 2014-2019 machines.

My HP hybrid tablet, now over 15 years old, still works (when plugged in).

My dad's IBM Thinkpad, older than most people currently on this website, still works.

Apple people like to claim that Apples last longer than their competitors, but that simply isn't true. Most people, myself included, can't tell you what Dell or HP support is like because we've never had to use them. But every Apple user knows what Apple support is like, because every Apple user has had to use them.

I've also used top of the line Dell laptops over the years and a Lenovo Yoga.

Way way back I used to have a desktop color Macintosh of some sort (I forget the model, a 68k, maybe IIci ?) and as PCs were getting tossed in the landfill for years while the Mac kept going and running most new software.

I just bought my daughter a laptop and decided to go with the MacBook Air m2. Great value for money IMO. Not sure what's even close in terms of performance, build quality, battery life etc. This should easily last 10 years.

And macOS software support is awful. It's completely random and up to the whims of Apple with some models getting only 6 or 7 years support if you bought at launch.

Speaking for myself, I'd rather have the plastic Thinkpad. Lenovo commits well to the OS I use (Linux) and I don't want to baby around a laptop that threatens to bankrupt me if I drop it on the Starbucks tile. In terms of longevity, I can do a hell of a lot more with a 10 year old Thinkpad than I can with a 10 year old Mac.

> Not sure what's even close in terms of performance, build quality, battery life etc. This should easily last 10 years.

Recently picked up a Lenovo Thinkbook with a Ryzen 5800u in it. Basically a Steam Deck in sheep's clothing, with a nice HDR 1440p display. I gave it to my brother, and I expect it to last just as long (if not further with community driver support).

Not sure about drop resistance or cost of repairs. I've dropped MBPs and they were fine (anecdotal) and the MBP I'm using was literally hit by a car and was slightly bent as a result and still works.

The battery life of the air is supposedly 18 hours and having no fan is also nice. No laptop I previously used compares with my work MBP m3 for battery life or performance. The air weighs 2.7 lb. I don't know which specific Lenovo you got at but the Thinkbook 14 weighs 3.3lb.

That said, I did pick a 13" Lenovo Intel i7 about 5 years ago when I was looking for a laptop for my other daughter. That laptop is still going strong. It did die about a year after I bought it but was repaired under warranty (still a quality question though). But I think today Apple has pulled ahead and the prices on the m2 these days are good.

I've never had a good experience with Linux on laptops. The hardware support always seemed iffy. Power management also iffy. But I have to admit I haven't tried in a long while.

That HP hybrid? That was my laptop in law school. It still works, and it's great for drawing (though not as good as my Surface).

Their CPU fans fall apart. They tend to overheat. The hinge breaks- plastic. The display and audio quality is worse.

Apple laptops circa that era were notorious for heat issues, weak plastic, and poor displays. Their sound quality wasn't much better than a cheap PC laptop, unless you shelled out for a top-of-the line MBP..and of course a $2500+ laptop is going to be better than a $500 laptop.

Software support also sucks. At some point newer versions of Windows just don't have good support, the webcam from example doesn't work in modern Windows.

This is objectively false. I can still run software, and use hardware, from the 80s on my Windows 11 desktop. You can't even run 5-year old software on an Apple because Apple broke compatibility.

while the Mac kept going and running most new software.

This is objectively false. Older Macs can't runner new Apple OS software.

My web cam on the T410 doesn't work under the Windows version it's running and hasn't worked for many years (and I've had a few of those, it's not just one bad hardware).

EDIT: The variability of hardware on Windows laptops is just so much larger. There's so many different motherboards, so many different peripherals, so many different GPUs. There's no way Microsoft is testing against all permutations of laptops from more than 10 years ago with their native drivers. Lenovo doesn't have modern drivers for the T410 either and I doubt other laptop companies release new drivers for their old laptops. I've owned and used for work many Windows laptops from various vendors. I've had 3 T410s I inherited and I spent a lot of time trying to keep them going including cannibalizing some of them for parts.

The T410 works in Windows 11, so if it's not working for you, it's a simple driver update.

But on the note of Apple just working, there is an entire frontpage thread about how Apple isn't "just working" for thousands of people whose Apple IDs have been locked out. And The Verge currently has a front-page post about their Apple editor discovering that Apple doesn't just work and in fact has quite piss-poor speakers (https://www.theverge.com/24139303/mac-mini-laptops-desktops).

Yeah, I saw the Apple ID thread today. I thought Apple ID was optional. (e.g. I don't have an Apple ID for the MBP I'm using right now).

The article you linked to says: "My M2 Air had great speakers." It's the Mac Mini (not a laptop) that has poor speakers. Can't comment on that one.

EDIT: A by the way there is that I believe a T410 can actually have different components, i.e. some might have a camera from one vendor while others have a camera from another.

The only time I’ve had to use support is when I’ve broken an iPhone screen to have it replaced.

I have never contacted Apple support. Not once. Yes, really.

Unfounded claims are unfounded.

Sometimes devices break, sometimes they last for 20 years and keep on humming.

Also for the record, I'm also a Linux, Windows, and FreeBSD user running on HP, Dell, Lenovo, SuperMicro, Framework, System76 and DIY machines.

My experience indicates premium components usually (but not always) last longer than more economical alternatives.

That said, if I never had to use a Microsoft product again, I'd be fine with that.

That is such an absurd statement. You’re even italicising “every” (twice!) as if you’re really convinced it is true.

Hate is severely blinding you to reason. They’re just consumer electronics brands, they’re not eating your children. Calm down and think for a moment about your assertion. Maybe talk to some people outside of your circle.

Surface people, HP people, or Thinkpad people have all had to contact support at times as well. Is it more or is it less than Apple, is the question (and isn’t answered)

I have used lots of HPs, Dells, Lenovos. They do last, until they don't and you have to reinstall everything from scratch because the hardware is different.

I did run mine pretty hard, and my HPs, Lenovos and Dells did go into warranty pretty regularly. I never saw it as purchasing a laptop as much as purchasing the guarantee of a laptop.

Apple got me because it would reasonably copy one laptop onto the next.

Apple used to make their devices to be too thin, and they could not thermally handle themselves. Especially 2017-2019 Macbook pros. Before then, most were pretty reliable. Hoping the new ones are.

As for laptops I guess you are joking, I've yet to meet a single big corporation in Europe where macbooks are even allowed on premises, unless its some web app testing team or similar.

Some folks live in great echo chambers, I agree this site is a massive one for Apple. That's a simple fact, comments here confirm this. Which is fine on its own, but its not balanced truth you often find here.

Of course, I do sync my entire photo library with both Google (preserves the Livephotos) and Amazon (does not preserve livephotos), because I once lost an entire photo library due to a fuckup combined with an Apple bug. And I use non-Apple services for music and video.

Maybe just don't put all your eggs in one basket to the extent you can.

Apple's whole premium marketing shtick feels gone. Not only has the halo-effect worn off now that everyone owns an iPhone, but they're portioning up their own operating system to endless service integration and nonsense software offerings. Who the hell is paying for Apple Arcade? What about Apple Music Voice? Does anyone still pay for Apple Fitness+ without having forgot to unsubscribe? The whole thing reeks of Microsoft trying to market Groove Music and Onedrive to an audience of confused senior citizens and barely-literate pre-teen gamers.

Their hardware revenue is threatened, their software revenue is headed towards the toilet, and their latest product category is a non-starter. If you aren't preparing to see the worst of what Apple is capable of, I advise you get ready (and perhaps an alternative smartphone you feel comfortable using).

But again, I am a Linux fan (NixOS actually), despite it sucking ass in the user department

On my return everything went smoothly through my laptop. Scary though.

My conclusion - have two physical phones + laptop all synced, plus hardcopy of important pswds etc.

Data is easier to protect by offline and online back-ups, but your online identity is hard.

My conclusion: Eliminate what little remaining usages of their services I have.

Doing that with iCloud and Google would be a colossal pain. This event has me thinking more seriously about self-hosting a few more things.

Well, if you used Google 2FA, the Authy app exists, and allows you to securely store 2FA in the cloud (as long as you remember your Authy credentials).

If you don't, then yes, your physical phone essentially becomes a dongle and if you lose it, you're screwed. Perhaps they don't educate users enough about this, but that's the fact

This. I never used the Apple's Cloud offerings to backup things - and I stopped using any Apple devices since the BatteryGate. I semi-degooglify my Android(s), and never use the "Google-*" (contacts, calendar, etc.). I block them with NoRoot Firewall and disable them, and use other apps for those services. I sync with my Oulook (2013) and my backup is with Carbonite. I do have to jump through a couple of hoops, but considering that I don't live under the threat of 'death' by Apple or Google to hold me hostage with my data/etc, the little effort is well worth it.

I try not to, but every year I log in and check and there is data stored in their cloud that I specifically tried not to have stored there.

For Google/Apple/etc., I'm either not paying them at all (in which case they have very little incentive to help me off someone goes wrong), or I am, but for a basket of services. The identity portion of those services is probably not what that company is focusing on providing, and any weirdness with any other service in that basket could cause me to lose my access to the identity bits, often without recourse.

And keep in mind that being a domain name registrar is a low margin business (typically they're only grossing a few bucks per domain per year, before accounting for any other expenses like staffing and systems), so you're not gonna get great support.

(My Google account is dead even though I have the username, password and recovery email which forwards to me since I don't have the phone number)

I believe they are advocating for minimizing risk by not deeply integrating with capricious cloud providers.

Losing your entire online identity because you didn’t pay on time is an absolute show stopper for an enormous number of people.

Most people are not tech people. They do not know or car, or even care to know, about the details and importance of maintaining and protecting an online identity. They won’t remember to update payment details until things start failing. They won’t check their email frequently enough to notice before this happens. They will ignore text messages, either assuming they’re scams, spam, or unimportant.

People also have a mobile phone number with a plan they have to pay for. I don’t see why a domain should be any different, and it isn’t actually that different in my country.

The biggest impediment is probably that most people aren’t willing to pay (say) $10 per month for a domain and email hosting like they do for streaming services, because they’re used to email being free. So they remain at the mercy of the big providers.

But I can at least encourage the HN crowd here to move to independent services and to use their own domain.

(And to be fair to apple here - they didn’t do anything wrong here, strong end-to-end security inherently means allowing these states. Otherwise the cops could order apple to unlock it too, and apple wouldn’t have a moral ground to object if they’re regularly performing the task in other circumstances. Otherwise people could social-engineer apple support to unlock a stolen device, or their partners. To a certain mindset, google and apple not having any real support is a strength because there’s no way to social-engineer your way past the actual security. But people want both the idea of E2E security and the convenience of being able to remotely un-register a laptop from someone else's account...)

Anyway, that failure mode wouldn’t exist if they were logged in to their account, and e2e encryption makes that a very low-risk thing overall.

Apple can’t see where to it devices are anyway, without doing a song-and-dance to authorize the session on a pre-authed device. Airtags and iphones have a rolling hardware identifier for bluetooth and wifi based on a cryptographically strong pseudorandom sequence, and apple can't correlate the identifiers back to an actual device without a pre-authed device relaying the sequence from your account. Etc etc.

Apple have actually done the legwork to make sure they can't see anything (or be forced to reveal anything) if you don't want them to (by enabling E2E), and that actually does drive a lot of "user-unfriendly decisions". And sure, android people will say "that's awfully convenient", but, the end state is still a lot stronger than any other major offering regardless of why you think they're doing it.

This was in 2008, so the software ecosystem lock-in strategy was already well-established back then.

Storing them seems problematic, but it really isn't: They're just random-looking 8-digit numbers and nobody but you needs to know that they belong to your Google account.

Or, KISS. If you're happy with the idea that the SIM card controls the key to the castle, as it seems that you are, then: Put a backup code in a contact in your SIM card. (It is kind of a lost art these days, but SIM cards are still data storage devices here in 2024.)

[1]: https://support.google.com/accounts/answer/1187538?hl=en&co=...

Did you have 2fa enabled by any chance? I have 2fa via TOTP on my accounts and while they offer using a signed in phone as a verification option, using TOTP was always an option, and I was never locked out of my account.

>Despite having the original sim in the new phone.

That would only help if google had some way of tying the installed sim to your account. Given the privacy implications and the technical difficulties, I wouldn't be outraged at the fact it didn't take your sim into consideration.

2. Save those backup codes.

3. Be able to get those backup codes in some worst case scenario.

I have had to start from scratch before but never have been locked out.

The fact that we are stuck with a pair of global apathetic undemocratic identity providers is absurd. And one of the reasons why that "shattered dream of passkeys" is on the front page. At least that dream got shattered, it would be worse if it went through.

And then say, Meta decides to ask for login verification on your other device, and you lose that account because you always logged to it through a browswer in private mode, so no device actually has an active session. Happened to my wife the other day.

IT "Security" is reaching new heights of being bullshit. You can't win, and asking people to buy multiple devices and keep them continuously in sync is a bit much, and not even a guarantee of safety anyway, as next week Google or Amazon will hit you with some next weird trap to keep you "sekhure".

Maybe the companies can't win, but they also have themselves to blame. They shouldn't have convinced people to entrust their only copies of data with them. Your vacation photos should not depend on someone's cloud platform. Half of your entire offline life shouldn't depend on Google not randomly locking you out of GMail. But here we are, and I'll keep calling those "security updates" bullshit because they don't care about long tail, and they don't care about hazards they create for most of their users.

I abandoned my facebook account when they asked for my driver's license scan, a few weeks later suddenly they didn't need it after all. My BIL recently wanted me to check sout omething he had setup on facebook and I found I could "login" by clicking one of the "what are people doing" spam emails they send. I've never used it on this PC before and have no idea what the password even is anymore. Super secure.

Unless you explicitly logged out, they likely to see the opposite picture, i.e. numerous "valid" sessions (as opposed to active) that haven't been used for varying lengths of time because you logged in, but from their perspective, you never logged out. You just cleared your cookies which means the session is still "valid", even if it's inaccessible to you because the session cookies have been cleared from your device.

I don't know if they take any of this into account but as you've pointed out, assuming that the rightful owner of the account must have access to a different session is a huge assumption to make.

Why do you need more than a single phone plus a hardcopy of your Google recovery codes (assuming you know your Google account password)?

Because, as I can tell from a similar experience to GP's, they also won't save you if the authentication infrastructure decides you're not who you say you are.

- I have my recovery codes

- I have access to my recovery email address

- I have access to a TOTP token

I would hope this is sufficient to persuade Google's authentication infrastructure to let me in.

Society was collectively sold this deal where if you entrust everything to a trillion-dollar company, you'll be treated well and this sort of thing wouldn't happen. Yet it appears to be happening, and the trillion-dollar company that has the resources to deal with this so far isn't being very helpful, and it's falling to the consumer to take insane amounts of proactive measures to not have their digital lives fucked up when the exact deal was that you wouldn't have to, but of course now the party line will be "well you were obviously stupid to believe the trillion-dollar company's trillion-dollar marketing, then."

And I'm annoyed as one of the people who did not buy into it.

An Apple or Google account is far too important to people's lives to let them hide behind the "we're a private company and can do whatever we want" canard. They do need to have the right to ban spammers or people using YouTube or Drive to infringe copyrights but just randomly shutting off somebody's email or somebody's ability to make video calls should be against the law. The same would also apply to a text chat company like Slack or Discord banning somebody's work account for no reason. Certain tech companies have government-like levels of power over people's lives so they need to be restricted in how they can treat users like the government is restricted in how it can treat citizens.

Some people use iCloud for email, calendar and storage so for them I imagine losing access to Apple ID would be just as bad.

But even the more permissive laws have many exceptions, like not applying to perishable goods, underwear, lipstick, etc. and it's heavily tilted for unused products or very light us that doesn't affect the value of the product when re-sold.

When the product doesn't work like in the case of this Apple situation, it's not even a question. As long as the hardware is not damaged and everything is return, "the law" completely sides with the consumer.

Likelihood should affect your behavior in the same way it affects whether it actually happens and it did.

"Fool me once..."

That's similar to the odds of dying in a non-Boeing plane ride. Even if the odds were one in a million, that's about the odds of being struck by lightning over a lifetime.

I'd think someone returning a phone over this was regretting the switch for other reasons. It's fine to keep using Android.

- unauthorized access related to the lockouts and support requests you already described

- unauthorized activity related to something else you didn’t mention (even if unfounded)

- some other unrelated but specific violation of TOS or other cited rules (even if unfounded)

- zero additional information, perhaps reiterating some previous finding (even if unfounded)

I’m giving you the benefit of the doubt, but I agree with another commenter that it sounds like something is missing from your story. Details like these might help us understand how your experience fits the pattern of accounts in the article.

They didn't tell me what was wrong, as supposedly the support is not allowed to disclose that. All they were repeating is that after a confirmation of which account it is, they will put in an unblock request. It's supposed to send you either a confirmation (which i got the first time), or a denial message. I never got a single one of the latter. A few calls later, the system prohibited putting any new requests in, with no option to override, "supposedly".

I'm not sure if you've ever worked in tech, but a good early takeaway is that billions of dollars does not necessarily buy billion-dollar code.

This is bizarre and fucked up even from Apple's standard. Did you get to know anything about it - what happened? Did those legal notices seem to be automated? Any inkling what could have triggered it (False alarm? And Apple is known to hide its incompetence in this manners)?

I am wondering if your account was collateral damage of an automated system detecting misbehavior of the apps.

A real way to hit these kinds of companies selling defective products is to coordinate simultaneous small claims courts cases around the world.

After filling out an online form you receive in a year or so, then waiting another three, you'll get a check in the mail for $2. Justice! Hooray!

The only people class action lawsuits benefit are the lawyers.

J/K. But since it's Apple, nothing is far off.

Getting cut off from one of these places can have a huge impact on people. They happen without warning and often without explanation.

I think they ought to be forced to be more open around the process and how to get help in general.

For Apple I have usually managed to get a hold of some support. Often not helpful but at least somebody.

With Google and Facebook I have never been able to find anyone.

Sameting that is demonstrated on this site frequently when someone will post a plea for someone who knows people at Google who they can't contact on their behalf. Since they can't get hold of anyone themselves.

(Yes I am sure its covered in the EULA several times that there is close to no support)

(For Google Workplace it is usually possible to get a hold of someone.)

This is why I've always rejected the concept of vendor "ecosystems" and cloud-first SaaS solutions for my personal computing. I've also designed my life so it's not dependent on having uninterrupted access to Facebook or Gmail.

That's because you aren't the "customer", you're the product. The people paying the bills for Google and Facebook are the actual customers.

With Apple it's supposed to work differently - the user is the customer.

Google, not so much. I've yet to find someone to unlock my Google account, even though I've slowly been working my way through their phone and email directory. [it seems everyone has access to the internal phone/email directory? and people sure want to hand you off to someone else to fix your problem..]

Recently when setting up GrapheneOS (android OS distro), my login to google play services was delayed by 24 hours for 'security concerns', after authenticating via youtube app. (Try to go OSS? Here's a 24 hour ban).

It's funny because the forced youtube app authentication itself is not a security measure, it's a dark pattern to force the youtube app to be installed and opened. Logging in by phone or email quietly doesn't work anymore, the SSO messages never reach their destination. I find it hard to believe that this is not representative of google's perverse incentives.

Consistently disgusting, rapacious company.

Apple is crazy. My iPad with the authenticator broke, and even though I filled endless forms, verified emails and phone number they just keep sending me emails I was gonna be called by support at a date 3 weeks away.

Got no call, restarted the procedure. Got called in January, and it was an automatic voicemail or something..

I literally couldn't use my work machine (had a backup desktop to use).

Needless to say, except for the MBP I sadly need for work I'm not giving apple a dime for my life.

My experience, on the phone and via Message, has been uniformly garbage for years.

It used to be that you could go to the Apple Store and the "Geniuses" or their management would make it right.

What the hell happened??

I admit I had to interface twice in my life with apple support (this was the second).

But the first my iPod stopped working, and they just mailed me a new one without even asking a question or taking back the broken one.

In the other hand, if Apple suddenly found out that a good chunk of encrypted volumes weren’t actually encrypted / the key was recoverable by an offline attacker, this would also explain the facts.

But the lack of explanation from Apple is troubling.

And what command line tool are you referencing?

Afterwards I wondered if it was just storing the recovery key I already had in iCloud or if it had generated a new recovery key and my saved one was invalid.

I checked my recovery key ("sudo fdesetup validaterecovery") and it was no longer valid. A bit of Googling failed to turn up a way to get a copy of the recovery key that was in iCloud, and I decided I'd rather have a recovery key I store myself in case I need to recover when I cannot get online so I switched it back.

Switching back is easy. You just turn off FileVault, then turn it back on and choose to manage the new recovery key yourself.

Understanding what the problem is is essentially impossible. Going to a physical store doesn't help, calling their customer service has them telling you to go to www.apple.com/support (???), and writing for support has them rotate you through 4 different, and decreasingly useful, representatives.

The last response I got I was told the issue had to be handled by yet a different representative and it would take an "indefinite amount of time". Which may be a nice way of them saying it's never going to happen.

It really is demoralizing when you realize there is nothing you can do really, even in cases when you have done nothing wrong.

Not impressed to say the least.

We gave up and re-built it as a web app. The thing that convinced me was the realization: When was the last time you installed/used a non-game App on the app store that, by your assessment, has less than 1 million users? I looked down my list of installed apps and realized that indie apps are kinda dead anyway. And our web app has been pretty successful.

I gave up in the end. But I will have to sort it out before I can release the Mac version of my current project.

The DUNS stuff was pretty funny. All flows related to getting an ID have a big "Are you doing Apple dev stuff?" button. It's like Apple outsourced support to them. Apple's DUNS lookup tool saw my business and the correct DUNS number, but trying to register with it got an error...eventually dissipated after a couple weeks. Same story for registering an account in the first place: it refused to register [email protected], where tld is a Google Workspace account, with no discernable error. Again, dissipated after 3 weeks, thankfully.

> got my Macbook Pro from work and signed in to my Apple ID on it.

Wouldn't this result in unintentional data sharing from the work device to your personal devices? (and vice versa)

As an Apple noob at the time, I assumed that if my MDM-managed device prompted me to log in with my Apple ID, that it of course would be an allowed action.

With regards to data being shared, the only thing I noticed was wifi passwords and peripherals pairing (apple keyboard).

Logging in takes control of your device out of your hands.

They had one of the cheapest registration costs. And so ended up with a high concentration of spammers compared to older established tld’s like dot com. Using the tld for legitimate purposes is really challenging due to the high number of systems that flat out blacklist it.

xyz has been accomodating to scammers ever since its inception. After a decade I think we can say that it is on purpose.

The problem stems from nefarious groups getting a hold of email addresses and running distributed dictionary attacks.

Apple’s response is to prevent all logins (including valid ones) from accounts that are under attack.

Unlocking the account involves calling Apple, they’re not going to tell you why the account was locked.

I use [REDACTED] as a provider and I create an email address/account (if possible) per company/domain I interact with (e.g.: [email protected] or [email protected]). This produces two results:

1. No shared credentials across any space.

2. Any junk emails to these addresses immediately tells me who's sold it (or been hacked) and I delete the account[s] and relevant email aliases and get on with my day.

Some services, like Firefox, are starting to offer a form of "hide my email address" but this doesn't solve the problem of using as the same login id across a lot of services. If that was dumped somewhere, it is probably a strong bet someone has used that as their login, elsewhere.

I don't know if there's another viable solution - but this reduction of possible login ids to one unique id per site is the only way I know how to (possibly) prevent myself from being an easy dictionary attack target.

Edit: formatting

zero issues since.

> The problem stems from nefarious groups getting a hold of email addresses and running distributed dictionary attacks.

years back my email was leaked by a website that i never visited. apparently someone signed up using my email address and the website never verified the email.

in the meantime more and more people used the same email address [0] to signup everywhere (it’s not the same person, i checked).

[0] gmail ignores dots in usernames: https://support.google.com/mail/answer/7436150?hl=en#:~:text....

at this point my emails should be random hashes@random hash domain

For example I give custom email addresses to every service I sign up for, then I can see who they on-sold that information to, or if the email address turns up in database hack.

The only thing to be mindful about with this approach is to choose a service that gives you a fair bit of control over how to manage that incoming email. Such as being able to bounce or block specific email addresses including the use of wildcards, because I notice some hacking groups will try permutations based on the original email address.

Does account sign-in also ignore dots? If not, if sign-in is sensitive, there's a path to somewhat better safety: Start incrementally moving all daily email to variants containing added dot characters.

Got a message on her phone (settings notification). She had to change her password through the settings app.

Called Apple just to check and they said they weren’t seeing any weird activity. That they did see the password was changed, but no weird login or attempted logins.

So, in my sample of 1, that wasn’t the case.

In the app we have released, we use an email (we don’t care which one, as long as it can receive email) as the login ID.

The main reason is to limit the data we require be stored on the server.

We only have one required PID item: the login ID. The user also enters a display name, but that can be anything, and does not need to be unique.

Since we need the email anyway, we would need to have it stored separately, so this means only one PID item is stored. We also afford Sign in with Apple, which allows the user to obfuscate their email.

Not having the information is the best way to ensure it doesn’t leak.

Can only advise that you should have recovery contacts and a recovery key set up in case something goes wrong.

The email addresses ending in @icloud.com are scraped from a master list and the attack is directed to apple, while the custom domains are ignored because there is work involved in figuring out where those are hosted.

iCloud lets the user generate secondary email addresses, it’s better to use that and keep the login email address secret.

Seems like a dangerous advice for a regular person who can just go to Apple and get stuff back?

Regular person can’t even remember their email address so a good point though.

I ask because Apple's docs helpfully say

> If you decide to stop using a recovery key, follow the steps above on your device and turn off recovery key. When you do, you can use account recovery to regain access to your Apple ID.

But the "steps above" only describe how to turn it on, not off.

Edit: thank you.

My Apple ID uses a unique password, I keep a recovery key, I don't have its login credentials saved anywhere, and it's a dev account; so I have my LLC's DUNS number attached to it. My devices are the only ones listed in my settings portal.

I have no idea why I get these notifications, lol.

Perhaps so that someone who found your iphone unlocked can't just keep using it and your iCloud in perpetuity?

Yeah, that's what I tried to guess too. Like, maybe those are sent periodically?

Could be there's some heuristics like "logged in from a different city" or such, too.

Or a device on your network is or was compromised and used as a channel to attack others on the internet.

Or your ISP has given you a public address where the last owner was abusing it.. or perhaps the whole ISP block has been added to a shitlist.