Tell HN: Apple refuses to delete a personal domain Apple ID that I didn't create
This happens every few months and I have usually ignored them because my understanding is that Apple wouldn't allow usage of that Apple ID if the email address is not verified. Since this happens every few months, I decided to act on it this time: instead of clicking on "verify now" on the email I received, I worked through the password reset flow and managed to set a new password to the account.
However, attempting to delete the Apple ID account prompts for answers to security questions, which I don't have because I did not create the account in the first place.
There's a flow to reset security questions as well, but that prompts for an answer to the existing questions.
In chatting with an Apple support member, there's apparently a concept of "rescue email" which is different from the Apple ID and can be used to set new security question answers if the old ones are unknown. I don't get that option which indicates that the account doesn't have a rescue email set.
Since all of my available options are fruitless, I asked that the chat support member escalate my case to a higher-up and they offer to arrange of a phone support because supervisors seem to be available only on phone support. That's not ideal for me because I am a deaf person and I don't sign, and for the reason that I don't want my mobile number to be associated with this Apple ID that I didn't create.
At this point, I am curious to hear if anyone else has ever been in this situation and to understand how you've gotten out of it. I can't imagine that this is an isolated case.
Disabling catch-all on my domain isn't a solution because that'd just make me unaware of new accounts that are being created on my domain. Shouldn't Apple be hard-verifying the email address before allowing any type of usage?
26 comments
[ 11.8 ms ] story [ 62.1 ms ] threadIn my case, I got a real human on the phone and we walked through reclaiming my own account; when I got in, I could see the Korean's actual name, visa card, address, etc. I erased all that, then setup 2 factor authentication.
Something like that happened on battle.net. They are not smart enough to use email validation, so imagine my surprise when my email was already used when I decided to sigh up. I managed to reset the pwd, so that fellow will never be able to play again on that account, but battle has not really been satisfactorily responsive (the account seems rigged for talking in Korean, so it's useless); I ended up using a different email.
Websites which don't use email validation are problematic.
But, Apple does pay attention. It does seem that they should pay more attention to you and your specific case.
Seriously, even large companies should've made email verification mandatory not only in case of user error, but malicious, or just plain annoying use of other people email address. Not to mention getting account banned and unable to use your email on platform when you might actually need it.
Back to the topic: now that you've changed password on account, maybe you could just leave it as is, that way no one will be able to re-create mentioned account again. Although that still leaves the opportunity for malicious user trying to recover that account, but I'd bet he doesn't know security answers either.
And it's not just limited to not-tech-savvy Americans either: I get Canadians, Australians, Brits, etc. all using my email address as if it were their own. One added 'benefit' from this is that by receiving all of these emails for other FName LName people who mistakenly use my email address it muddies the data that Google sells to Facebook. Having made a Facebook account many years ago that has been dormant for over a decade I was surprised to see upon logging into the Facebook account that "my purchases" at [American chain store] were being used to make recommendations on Facebook. I've never purchased anything that [American chain store] in my life, but I do receive DOZENS of e-receipts for a person in South Carolina who has electronic receipts sent to my email address for $1,000 home goods items. Additionally, the ads that Facebook shows me also conveys that their ad system thinks that I'm a healthcare worker in Australia because I received an Australian healthcare worker's test results / certification to practice as a healthcare worker at my FName.LName@gmail.com email address.
As a result, you are the one who get to answer the police: you are the one easy to identify, the fraud guys use a VPN.
For some services, this also means the legitimate user gets flagged and banned for fraud.
I was fortunate enough to get my not so uncommon name as my gmail address. I must be the only person not using it anymore. I've tried getting PayPal and Uber and to delete the accounts other people have created using this gmail, but no luck. Circular, bot-like responses from Uber, no response from PayPal. I can't take over the accounts as the users have added a phone number. Similarly, kinda, but I'm locked out of a Bandcamp account as they send a verification code to me@domain-i-no-longer-own.com whew.
Apple Support was happy to shut down the account for me given that I didn't want access to it, but instead just wanted it disabled so that it couldn't be used. If you're trying to get access to the account Apple is going to be understandably resistant given that even if it was setup in error it may contain sensitive information sync'd from a device.
You can request that they disable the account and make it so that the email address cannot be used to sign up again. Given that this was a random address you may need them make some kind of filter for your domain. Also, given that it sounds like you catch all email that goes to any address for your domain you've basically removed a way to know if addresses are in fact legit since they don't bounce email. That may be why your domain was used for this purpose in the first place.
I used to e-mail them to try to unsubscribe me... and nobody ever would. Now I just block them if it becomes frequent, because life's too short.
Should companies always honor your request to remove your e-mail from somebody else's account and/or delete the account? Of course. Do they? Almost never.
I'd say just forget about it. Is it worth your time to address this with Apple specifically? I doubt it. Just consider it spam and move on.
The problem is much worse with email because there's no cost to sending it so marking it as spam or blocking the sender is your only option if the sender won't unsubscribe you.
I do have some comments on the same topic.
Let’s assume Apple sends a verification email, and if we assume that the incorrect receiver (the real owner of the email address) is a malicious actor who verified the account when seeing such emails are received. The malicious actor can probably gather some information about the person who signed up using this address, but in my knowledge, cannot make further changes or make any purchases since Apple forces two factor authentication (though unfortunately, with SMS as a primary option). Any sign-in on the account prompts on the already linked devices to allow the login, following which a 2FA code will be shown on those devices to enter in the new/unrecognized device. So the risk for the person using this address is kinda low, though with the situations reversed, the risks for the person owning the domain are higher (caught for crimes uncommitted, losing the domain, etc.).
On the same topic, I’ve seen banks sending statements and transaction details without verifying the email address. This could be because the account owner gave the wrong email address by mistake or because the bank’s operations had issues processing a paper application and changed the address to something else (off by a letter, assuming that the address provided by the person has a typo, etc.). In such cases, getting the banks to correct this can range from tedious to impossible.
I don’t think email verification by sending a verification link to the email solves all the above issues. One option, which again brings similar questions, is to figure out out-of-band verification methods. I don’t think any corporation has the interest or any regulator/lawmaker/law enforcer/judiciary has the seriousness to spend time to see how this can be made better.
I did this once for a Microsoft account created under a relative's email address. I did a password reset and marked it for deletion, but whoever created the bogus account managed to get back in before the deletion request was processed. Now the email address is verified with Microsoft and not under my control whatsoever, with a phone number presumably for 2FA. :(
I figure the only chance I have to fix this is to get a job at Microsoft and go knocking on some doors...
If yes, they are required by law to delete the unwanted account due to the GDPR.
I suspect that your best bet is to use the phone support via TTY. As a non-apple customer, I was very impressed by their dedication to resolving my issue, and I hope/suspect that if you can get your case escalated they will find a way to communicate with you without audio or sign. But getting to that point may require an initial interaction with the phone system. My experience did not lead to any linkage between my phone number and the problematic iCloud account.