29 comments

[ 6.0 ms ] story [ 102 ms ] thread
If that's a an accurate account of what happened, that really is just unacceptable.
If it's true, it's far beyond unacceptable. If true, there is absolutely no way to secure an Apple ID.
It's a good example of why some of us don't trust cloud computing/storing your data online with any random company.

If the very well funded Apple can screw up this badly, just think what most places could manage.

Incredible. Someone should probably get fired for this - not the poor sod who changed the account details, but probably the person in charge of customer service processes for .mac. That's just... appalling.

I also look forward to seeing Apple's response (or to hearing comments from any Appleistas on this site?).

I can't imagine anyone acting upon that email. It made no sense whatsoever. Might as well as "password, please give me at marko.blah@yahoo.com"

That's ridiculous.

Although, in their defense, what do you think most legitimate support emails from actual customers look like? This can't have been far off.

But still, their security process has a hole big enough to drive a truck through.

True enough. But yeah, definitely should've been a followup, one without the password to the account.
Kudos to Apple Support - they responded to that grammatical marvel of an email so fast!

The poor guy probably will probably need to spend weeks undoing their mess... Can't wait for Apple's response.

(comment deleted)
I bet that redacted portion of the email address is Karppinen
He mentions in the post that it was a name other than his own:

"Did it not occur to you at all that someone at "marko.[redacted]@yahoo.com" was not actually me? For example, because the names didn't match?"

(comment deleted)
Apple just works. Even when you ask for someone's password.
Nice one...lol
... now eagerly awaiting a Mac vs PC parody of this event.

Anyone got good suggestions?

Mac hackers have an easy to use interface to gain passwords.

PC hackers don't need passwords.

PS: I can almost feel my karma burn.

Mac: Hi, I'm a Mac.

PC: (Standing behind windows firewall pictured here: http://obligement.free.fr/images/windows_firewall.jpg) Welcome, commercial viewer #3113452. Please enter your password.

Mac: PC, what's going on? We're just doing a commercial.

PC: You can't be too safe these days, with viruses and hackers all around the internet.

Mac: Well, yes, actually. You CAN be too safe.

PC: What do you mean?

Mac: Well, with our new MobileMe (.mac) service, you don't need passwords. It's all part of our new "Mac Experience" program.

PC: Really? That doesn't sound very secure.

Mac: Actually, it's very secure. You see, in order to log in to your MobileMe service, all you need to do is contact customer service. By giving out passwords through customer service, we add an extra level of security through a human interface. That makes it nearly impossible to make a mistake.

PC: Sounds good. (As he steps around the "firewall") I thought this whole password-security thing sounded silly.

On screen: MobileMe, you could be anyone.

End

Absolutely unacceptable. If anything, the reset password instructions should have been sent, and nothing else.

On the other hand, Apple now has an incredible PR/customer relations opportunity. Could you imagine if Apple cam back to him with free products, free .mac (mobileme) subscription, and a team of people to help re-secure his information? If that happened to me I would feel that they did their part in restoring my confidence. I doubt this is an exploitable loophole in account security as much as it is simply a fluke or blunder on behalf of one man in a customer support center.

Disappointment #2 is storing the passwords in plain text.
Where do you see any indication that passwords are stored in plain text?

The password reset options I see just give you a way to change the password, not retrieve your existing password.

I'm assuming that the writer wasn't making things up when he said that .mac support gave someone his password.
His password was changed, so I would assume .mac support gave the guy a link to reset the password.
The password was given out, or the password was changed? Encryption, people...
am forget my password of mac,did you give me password on new email marko.[redacted]@yahoo.com

My response, even if I were a paid customer service rep, would have been: "What?"

Seriously, "did" instead of "could"? No capital letters? No space between the comma and "did"? Etc. etc. etc. The mail just doesn't make any sense. Reading it makes me want to cry.

> did you give me password on new email marko.[redacted]@yahoo.com

The reply was probably: "Yes I did. Apple thanks you for your business"

Well, it's not an excuse, but believe it or not, there are many non-native English speakers that use .mac. Some of them may even have a name that looks very similar to Marko Karppinen.
It's pretty clear that our 'personal' information just isn't so personal anymore, so I think that it's a good idea for companies that use verification questions to be very careful to determine that the verification questions that they use for password reset or identification purposes contain truly 'private' information. It's scary when I call up a bank and I can get full access to my account by just giving my account number and my mother's maiden name. Isn't that information in a database somewhere? If I'm on facebook and my mom is on facebook, how hard is it to figure that out? Genealogy websites would probably also be a great help to dig up this info.

My other favorite verification questions are "Where were you born?" and "What's your birthday?". Hm... these are also Facebook profile questions, and they're also not so hard to dig up.

I thought that my social security number was private at least, but last week (no joke) I got a letter in the mail from UPenn saying that a university researcher's laptop containing my social security number had gone missing. fun fun.

My recommendation for web developers would be to rely on users having control of their email accounts and to not allow for "security questions." And if there is a problem with someone's email account being hacked, speak with the customer and use your common sense to resolve the situation. You can always just suspend the account pending the outcome of your 'investigation'. But please please don't outsource this 'investigation' task to people who lack communication skills and/or common sense. (e.g. PayPal, eTrade, Citibank & Dell)

Hmm, and I thought I was clever when I put that my "mother's maiden name" (or whatever asinine question they ask) was a GUID. Apparently there's an easy workaround to my security..