Tell HN: Apple refuses to delete a personal domain Apple ID that I didn't create

66 points by archb ↗ HN
I have a personal domain with catch-all email enabled. Someone signed up for an Apple ID with a scrambled (random) username on that domain, and I got notified about it on my inbox.

This happens every few months and I have usually ignored them because my understanding is that Apple wouldn't allow usage of that Apple ID if the email address is not verified. Since this happens every few months, I decided to act on it this time: instead of clicking on "verify now" on the email I received, I worked through the password reset flow and managed to set a new password to the account.

However, attempting to delete the Apple ID account prompts for answers to security questions, which I don't have because I did not create the account in the first place.

There's a flow to reset security questions as well, but that prompts for an answer to the existing questions.

In chatting with an Apple support member, there's apparently a concept of "rescue email" which is different from the Apple ID and can be used to set new security question answers if the old ones are unknown. I don't get that option which indicates that the account doesn't have a rescue email set.

Since all of my available options are fruitless, I asked that the chat support member escalate my case to a higher-up and they offer to arrange of a phone support because supervisors seem to be available only on phone support. That's not ideal for me because I am a deaf person and I don't sign, and for the reason that I don't want my mobile number to be associated with this Apple ID that I didn't create.

At this point, I am curious to hear if anyone else has ever been in this situation and to understand how you've gotten out of it. I can't imagine that this is an isolated case.

Disabling catch-all on my domain isn't a solution because that'd just make me unaware of new accounts that are being created on my domain. Shouldn't Apple be hard-verifying the email address before allowing any type of usage?

26 comments

[ 11.8 ms ] story [ 62.1 ms ] thread
Somewhat similar: my email just happens to be ideal for people in asia (read: S.Korea) to assume when they create accounts; one of them actually somehow (nobody knows how) took over my Apple dev account.

In my case, I got a real human on the phone and we walked through reclaiming my own account; when I got in, I could see the Korean's actual name, visa card, address, etc. I erased all that, then setup 2 factor authentication.

Something like that happened on battle.net. They are not smart enough to use email validation, so imagine my surprise when my email was already used when I decided to sigh up. I managed to reset the pwd, so that fellow will never be able to play again on that account, but battle has not really been satisfactorily responsive (the account seems rigged for talking in Korean, so it's useless); I ended up using a different email.

Websites which don't use email validation are problematic.

But, Apple does pay attention. It does seem that they should pay more attention to you and your specific case.

Discord treats any page load of a confirmation link as good, so to my surprise Gmail happily confirmed someone's attempt to open an account with my email address before I'd even gotten the confirmation mail. A lot of companies are very slack about email validation.
Reminds me of the time when someone has created PlayStation account using my email and I was unable to take over that account, as I did not know answers to security questions.

Seriously, even large companies should've made email verification mandatory not only in case of user error, but malicious, or just plain annoying use of other people email address. Not to mention getting account banned and unable to use your email on platform when you might actually need it.

Back to the topic: now that you've changed password on account, maybe you could just leave it as is, that way no one will be able to re-create mentioned account again. Although that still leaves the opportunity for malicious user trying to recover that account, but I'd bet he doesn't know security answers either.

It's stunning to me that Apple of all companies apparently can't get this right. If they can't, who can?
My email address is fname.lname@gmail.com and I get dozens of these account signups per year. You'd be surprised at the mobile phone companies, banks, and other accounts which do not require you to verify that an email account is yours before you are able to use that email address for your mobile phone, banking, tax returns, health insurance accounts.

And it's not just limited to not-tech-savvy Americans either: I get Canadians, Australians, Brits, etc. all using my email address as if it were their own. One added 'benefit' from this is that by receiving all of these emails for other FName LName people who mistakenly use my email address it muddies the data that Google sells to Facebook. Having made a Facebook account many years ago that has been dormant for over a decade I was surprised to see upon logging into the Facebook account that "my purchases" at [American chain store] were being used to make recommendations on Facebook. I've never purchased anything that [American chain store] in my life, but I do receive DOZENS of e-receipts for a person in South Carolina who has electronic receipts sent to my email address for $1,000 home goods items. Additionally, the ads that Facebook shows me also conveys that their ad system thinks that I'm a healthcare worker in Australia because I received an Australian healthcare worker's test results / certification to practice as a healthcare worker at my FName.LName@gmail.com email address.

Why does it matter that the account exists?
Realistically it doesn't, although it would rub me the wrong way as well if it was my domain. I guess the easiest way would just be to reset passwords for all of them and make the accounts unusable.
(comment deleted)
In case this account is used for malicious activity (this is also valid for e-shops, crypto websites, etc) then this is the information that gets sent to the law enforcement.

As a result, you are the one who get to answer the police: you are the one easy to identify, the fraud guys use a VPN.

For some services, this also means the legitimate user gets flagged and banned for fraud.

If they can create an account using a random address, they could create an account targeting someone specific.
One possible solution might be to create that account and send it to the equivalent of /dev/null.
Email Tim. I sent an email as a last resort, and an issue affecting my account was resolved a few days later. This is after about 18 months of almost weekly calls updating me about my case. Maybe a coincidence, maybe an assistant forwarded it somewhere.

I was fortunate enough to get my not so uncommon name as my gmail address. I must be the only person not using it anymore. I've tried getting PayPal and Uber and to delete the accounts other people have created using this gmail, but no luck. Circular, bot-like responses from Uber, no response from PayPal. I can't take over the accounts as the users have added a phone number. Similarly, kinda, but I'm locked out of a Bandcamp account as they send a verification code to me@domain-i-no-longer-own.com whew.

I don't know how you people do it, if I had to have 18 months of weekly calls with Apple support about an account issue before then emailing the CEO, I probably would have burned all of my Apple devices and bought a dumb phone instead.
Register for apple business manager which is free and than you can claim the domain and every account will be renamed/deleted (user has 90 days to rename it) unfortunatly you would need to create an id aswell. After that nobody can create new Accounts.
Don't you have to have an ADFS or Okta instance to set up domain federation with Apple?
I went to business.apple.com and it looks like they ask for a business id. What did you put in?
I think any ssn should work. They come from the same pool
I have been in this near exact situation, except that for me it was someone using one of my legit email addresses that isn't (or wasn't) also an Apple ID.

Apple Support was happy to shut down the account for me given that I didn't want access to it, but instead just wanted it disabled so that it couldn't be used. If you're trying to get access to the account Apple is going to be understandably resistant given that even if it was setup in error it may contain sensitive information sync'd from a device.

You can request that they disable the account and make it so that the email address cannot be used to sign up again. Given that this was a random address you may need them make some kind of filter for your domain. Also, given that it sounds like you catch all email that goes to any address for your domain you've basically removed a way to know if addresses are in fact legit since they don't bounce email. That may be why your domain was used for this purpose in the first place.

I have all sorts of "accounts" created with my Gmail address that other people mistyped. Multiple gym memberships, car dealerships, doctor's offices.

I used to e-mail them to try to unsubscribe me... and nobody ever would. Now I just block them if it becomes frequent, because life's too short.

Should companies always honor your request to remove your e-mail from somebody else's account and/or delete the account? Of course. Do they? Almost never.

I'd say just forget about it. Is it worth your time to address this with Apple specifically? I doubt it. Just consider it spam and move on.

This sounds like the same problem you'll have with the snail mail system if other people used to live at your address and forgot to inform people of their new address. Anytime I get something for somebody who doesn't live at my house, I put "NOT AT THIS ADDRESS" on it, cross out the routing barcode and stick it in a blue mailbox. Some companies honor the unsubscribe request but others don't because they apparently like wasting their money knowingly sending spam. I don't care because it gives me an excuse to get some exercise and it isn't my money being wasted.

The problem is much worse with email because there's no cost to sending it so marking it as spam or blocking the sender is your only option if the sender won't unsubscribe you.

I don’t have an answer for you, but hopefully the online noise from such posts helps.

I do have some comments on the same topic.

Let’s assume Apple sends a verification email, and if we assume that the incorrect receiver (the real owner of the email address) is a malicious actor who verified the account when seeing such emails are received. The malicious actor can probably gather some information about the person who signed up using this address, but in my knowledge, cannot make further changes or make any purchases since Apple forces two factor authentication (though unfortunately, with SMS as a primary option). Any sign-in on the account prompts on the already linked devices to allow the login, following which a 2FA code will be shown on those devices to enter in the new/unrecognized device. So the risk for the person using this address is kinda low, though with the situations reversed, the risks for the person owning the domain are higher (caught for crimes uncommitted, losing the domain, etc.).

On the same topic, I’ve seen banks sending statements and transaction details without verifying the email address. This could be because the account owner gave the wrong email address by mistake or because the bank’s operations had issues processing a paper application and changed the address to something else (off by a letter, assuming that the address provided by the person has a typo, etc.). In such cases, getting the banks to correct this can range from tedious to impossible.

I don’t think email verification by sending a verification link to the email solves all the above issues. One option, which again brings similar questions, is to figure out out-of-band verification methods. I don’t think any corporation has the interest or any regulator/lawmaker/law enforcer/judiciary has the seriousness to spend time to see how this can be made better.

> I worked through the password reset flow and managed to set a new password to the account.

I did this once for a Microsoft account created under a relative's email address. I did a password reset and marked it for deletion, but whoever created the bogus account managed to get back in before the deletion request was processed. Now the email address is verified with Microsoft and not under my control whatsoever, with a phone number presumably for 2FA. :(

I figure the only chance I have to fix this is to get a job at Microsoft and go knocking on some doors...

Do you live in the EU?

If yes, they are required by law to delete the unwanted account due to the GDPR.

I had this same experience several years ago - someone signed up for an apple ID using my corporate email. I escalated it via the phone tree, and eventually got a phone call back from some sort of manager who was able to detach my email without otherwise disrupting the person's account.

I suspect that your best bet is to use the phone support via TTY. As a non-apple customer, I was very impressed by their dedication to resolving my issue, and I hope/suspect that if you can get your case escalated they will find a way to communicate with you without audio or sign. But getting to that point may require an initial interaction with the phone system. My experience did not lead to any linkage between my phone number and the problematic iCloud account.