Your browser isn't supported
It looks like you're using an old web browser. To get the most out of the site and to ensure guides display correctly, we suggest upgrading your browser now. Download the latest:

Welcome to the MSE Forums

We're home to a fantastic community of MoneySavers but anyone can post. Please exercise caution & report spam, illegal, offensive or libellous posts/messages: click "report" or email forumteam@. Skimlinks & other affiliated links are turned on

Search
  • FIRST POST
    • hubb
    • By hubb 15th Jun 17, 9:54 AM
    • 1,813Posts
    • 358Thanks
    hubb
    How did someone use my Apple ID ?
    • #1
    • 15th Jun 17, 9:54 AM
    How did someone use my Apple ID ? 15th Jun 17 at 9:54 AM
    I was emailed by Apple that someone with a strange username had signed into my account with an ipod (which I do not own) and that they were suspicious that it was fraudulent. It was so I went to my account (not via the email just incase) and changed my password. But my main concern is how did someone else get my email, and more importantly my password to sign into my account ? I checked the email was legit which it was as they addressed it to my name, not just "dear customer" or something like these scams use.
Page 1
    • another casualty
    • By another casualty 15th Jun 17, 10:53 AM
    • 3,035 Posts
    • 4,868 Thanks
    another casualty
    • #2
    • 15th Jun 17, 10:53 AM
    • #2
    • 15th Jun 17, 10:53 AM
    Could it be a family member ? Home sharing ?
    • simonineaston
    • By simonineaston 15th Jun 17, 10:54 AM
    • 102 Posts
    • 48 Thanks
    simonineaston
    • #3
    • 15th Jun 17, 10:54 AM
    • #3
    • 15th Jun 17, 10:54 AM
    Ask Apple for more info.
    • hubb
    • By hubb 15th Jun 17, 11:11 AM
    • 1,813 Posts
    • 358 Thanks
    hubb
    • #4
    • 15th Jun 17, 11:11 AM
    • #4
    • 15th Jun 17, 11:11 AM
    No family member, just me.
    • angryparcel
    • By angryparcel 15th Jun 17, 11:48 AM
    • 910 Posts
    • 520 Thanks
    angryparcel
    • #5
    • 15th Jun 17, 11:48 AM
    • #5
    • 15th Jun 17, 11:48 AM
    have you mentioned the ID to anyone or send it to anyone through email
    • I have spoken
    • By I have spoken 15th Jun 17, 12:18 PM
    • 4,963 Posts
    • 9,656 Thanks
    I have spoken
    • #6
    • 15th Jun 17, 12:18 PM
    • #6
    • 15th Jun 17, 12:18 PM
    I suspect the Apple email was a phishing attempt, you'd need to look at the trace of where it came from.
    • kwikbreaks
    • By kwikbreaks 15th Jun 17, 12:36 PM
    • 8,841 Posts
    • 4,419 Thanks
    kwikbreaks
    • #7
    • 15th Jun 17, 12:36 PM
    • #7
    • 15th Jun 17, 12:36 PM
    A very common way any id and password gets compromised is through phishing. You seem to be aware of the risk now but could you have been careless in the past? Or this one could still be a scam even with your name included - https://www.theguardian.com/money/2016/apr/23/iphone-ipad-icloud-scam-storage-login
    Carefully checking where anylogin link from it would take you would be instructive.

    Another possibility if you used the same user/password combination in more than one place is that a site you've used has been hacked and your details sold. https://haveibeenpwned.com/ lists many known security breaches.

    Finally and least likely imo is that you have a key logger lurking on one of your machiches so a Malwarebytes scan wwouldn't go amiss.
    • almillar
    • By almillar 15th Jun 17, 1:08 PM
    • 7,088 Posts
    • 2,847 Thanks
    almillar
    • #8
    • 15th Jun 17, 1:08 PM
    • #8
    • 15th Jun 17, 1:08 PM
    Either this:
    I suspect the Apple email was a phishing attempt, you'd need to look at the trace of where it came from.
    >what is the email address this 'appeared' to come from?

    or this
    someone with a strange username had signed into my account
    *Attempted to*. Read the email carefully again. If that's the case, I could guess john.smith@hotmail.com and *attempt to* sign into his account. You did right by not clicking any links in the email of course.
    • hubb
    • By hubb 15th Jun 17, 8:18 PM
    • 1,813 Posts
    • 358 Thanks
    hubb
    • #9
    • 15th Jun 17, 8:18 PM
    • #9
    • 15th Jun 17, 8:18 PM
    A very common way any id and password gets compromised is through phishing. You seem to be aware of the risk now but could you have been careless in the past? Or this one could still be a scam even with your name included - https://www.theguardian.com/money/2016/apr/23/iphone-ipad-icloud-scam-storage-login
    Carefully checking where anylogin link from it would take you would be instructive.

    Another possibility if you used the same user/password combination in more than one place is that a site you've used has been hacked and your details sold. https://haveibeenpwned.com/ lists many known security breaches.

    Finally and least likely imo is that you have a key logger lurking on one of your machiches so a Malwarebytes scan wwouldn't go amiss.
    Originally posted by kwikbreaks
    No, I never follow links from emails as very aware of phishing.
    .
    Last edited by hubb; 15-06-2017 at 9:43 PM.
    • Sharon87
    • By Sharon87 15th Jun 17, 11:19 PM
    • 3,507 Posts
    • 2,976 Thanks
    Sharon87
    Was the apple email real? I have seen a lot of convincing looking phishing emails from Apple/iTunes before saying someone's bought something. The email looks very convincing, I think it even had my name (my name is also in my email, so easy to know!)

    If it's real, then there are many ways people to get into your account - your computer's been compromised or a company's computer with your information on has been compromised (which has happened a lot recently!) and as others have said, if you use the same username/password combo, then someone's chanced it to see if it works.
    • Strider590
    • By Strider590 16th Jun 17, 8:29 AM
    • 11,622 Posts
    • 6,529 Thanks
    Strider590
    I would say it was a phishing email and if OP followed a link to change their account details, then they've fallen for it.
    I may not agree with you, but I will defend to the death your right to make an a** of yourself.

    <><><><><><><><><<><><><><><><><><><><><><> Don't forget to like and subscribe \/ \/ \/
    • surfsister
    • By surfsister 16th Jun 17, 9:57 AM
    • 7,232 Posts
    • 10,693 Thanks
    surfsister
    yes I've had loads of these and I don't even use apple!!

    a tip I was told to stay secure never click on a link in an email but type into the bar at the top to go in securely.

    I also get tax ones - here is a tax scam at the moment to get bank details.
    • hubb
    • By hubb 16th Jun 17, 11:21 AM
    • 1,813 Posts
    • 358 Thanks
    hubb
    Here is the exact text but it does display my full name as well as email address, something all phishing emails in the past have failed to do.

    Dear **********,
    Your Apple ID (*******@gmail.com) was used to sign in to iMessage on an iPod named “ossex's iPhone”.
    Date and Time: 14 June 2017, 8:59 AM PDT
    Operating System: iOS 6.1.6
    If the information above looks familiar, you can disregard this email.
    If you have not recently signed in to an iPod with your Apple ID and believe someone may have accessed your account, go to Apple ID (https://appleid.apple.com) and change your password as soon as possible.
    Sincerely,
    Apple Support


    Apple ID | Support | Privacy Policy
    Copyright 2017 Apple Distribution International, Hollyhill Industrial Estate, Hollyhill, Cork, Ireland. All rights reserved.
    • angryparcel
    • By angryparcel 16th Jun 17, 11:32 AM
    • 910 Posts
    • 520 Thanks
    angryparcel
    Here is the exact text but it does display my full name as well as email address, something all phishing emails in the past have failed to do.

    Dear **********,
    Your Apple ID (*******@gmail.com) was used to sign in to iMessage on an iPod named “ossex's iPhone”.
    Date and Time: 14 June 2017, 8:59 AM PDT
    Operating System: iOS 6.1.6
    If the information above looks familiar, you can disregard this email.
    If you have not recently signed in to an iPod with your Apple ID and believe someone may have accessed your account, go to Apple ID (https://appleid.apple.com) and change your password as soon as possible.
    Sincerely,
    Apple Support


    Apple ID | Support | Privacy Policy
    Copyright 2017 Apple Distribution International, Hollyhill Industrial Estate, Hollyhill, Cork, Ireland. All rights reserved.
    Originally posted by hubb
    that means nothing and will look genuine, what you need is the email header information that will show the original senders IP

    This is what a header will look like. this is one i got from a spammer based in china

    From - Mon Jun 12 16:48:27 2017
    X-Account-Key: account3
    X-UIDL: UID5085-1393420719
    X-Mozilla-Status: 0001
    X-Mozilla-Status2: 00000000
    X-Mozilla-Keys:
    Return-Path: <neha@blackyun.net>
    Delivered-To: ****@****-*****.co.uk
    Received: from *****.******.info
    by *****.******.info(Dovecot) with LMTP id Mj8cG5C3PlnfKwAAS9ey6w
    for <****@****-*****.co.uk>; Mon, 12 Jun 2017 16:47:28 +0100
    Return-path: <neha@blackyun.net>
    Envelope-to: ****@****-*****.co.uk
    Delivery-date: Mon, 12 Jun 2017 16:47:28 +0100
    Received: from mx026.blackyun.net ([59.110.20.214]:35138)
    by *****.******.info with esmtp (Exim 4.89)
    (envelope-from <neha@blackyun.net>)
    id 1dKRYg-0002rd-NW
    for ****@****-*****.co.uk; Mon, 12 Jun 2017 16:47:28 +0100
    Received: from mx026.blackyun.net (localhost [127.0.0.1])
    by mx026.blackyun.net (Postfix) with ESMTPA id 45E5518B9A4
    for <****@****-*****.co.uk>; Mon, 12 Jun 2017 23:08:45 +0800 (CST)
    To: ****@****-*****.co.uk
    Message-ID: <4ea11cb52ad52348b85ab1b1241b9e54@mx026.blackyun.n et>
    Date: Mon, 12 Jun 2017 22:58:05 +0800
    From: "Selina" <toys1258@126.com>
    Reply-To: toys1258@126.com
    MIME-Version: 1.0
    X-Mailer-LID: 1279
    List-Unsubscribe: <http://mx026.blackyun.net/unsubscribe.php?M=21449726&C=694fa3b26e5020c56ec0c 41ce4fdcb11&L=1279&N=1258>
    X-Mailer-RecptId: 21449726
    X-Mailer-SID: 1258
    X-Mailer-Sent-By: 13
    Content-Type: multipart/mixed; charset="UTF-8"; boundary="b1_2ab86b6110e8255bdd6367a5a8106562"
    Content-Transfer-Encoding: 8bit
    Content-Disposition: inline
    X-Spam-Status: Yes, score=13.7
    X-Spam-Score: 137
    X-Spam-Bar: +++++++++++++
    X-Spam-Report: Spam detection software, running on the system "greywood.serverrackone.info",
    has identified this incoming email as possible spam. The original
    message has been attached to this so you can view it or label
    similar future email. If you have any questions, see
    root\@localhost for details.

    Content preview: Re: Factory direct Wholesale HAND SPINNER and FIDGET CUBE
    My Dear Friend , This is Selina from China,I know that you are in field of
    TOYS,I'd like to recommend you our product. [...]

    Content analysis details: (13.7 points, 3.0 required)

    pts rule name description
    ---- ---------------------- --------------------------------------------------
    0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
    See
    http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
    for more information.
    [URIs: blackyun.net]
    2.7 RCVD_IN_PSBL RBL: Received via a relay in PSBL
    [59.110.20.214 listed in psbl.surriel.com]
    1.2 URIBL_ABUSE_SURBL Contains an URL listed in the ABUSE SURBL blocklist
    [URIs: blackyun.net]
    0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
    (toys1258[at]126.com)
    -0.0 T_RP_MATCHES_RCVD Envelope sender domain matches handover relay
    domain
    0.2 FREEMAIL_REPLYTO_END_DIGIT Reply-To freemail username ends in digit
    (toys1258[at]126.com)
    0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
    domains are different
    -0.0 SPF_PASS SPF: sender matches SPF record
    4.2 BAYES_80 BODY: Bayes spam probability is 80 to 95%
    [score: 0.8399]
    1.9 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
    above 50%
    [cf: 100]
    0.9 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
    0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
    [cf: 100]
    1.0 FREEMAIL_FORGED_FROMDOMAIN 2nd level domains in From and EnvelopeFrom
    freemail headers are different
    1.0 FREEMAIL_REPLYTO Reply-To/From or Reply-To/body contain different
    freemails
    X-Spam-Flag: YES
    Subject: ***SPAM*** Re:re:Re(2):your order of Hand Spinner

    --b1_2ab86b6110e8255bdd6367a5a8106562
    Content-Type: multipart/alternative;
    boundary="b3_2ab86b6110e8255bdd6367a5a8106562"

    --b3_2ab86b6110e8255bdd6367a5a8106562
    Content-Type: text/plain; format=flowed; charset="UTF-8"
    Content-Transfer-Encoding: 8bit
    • hubb
    • By hubb 16th Jun 17, 11:55 AM
    • 1,813 Posts
    • 358 Thanks
    hubb
    I'm sorry but I don't know how to find this info. Windows live mail is not showing it.
    • donnac2558
    • By donnac2558 16th Jun 17, 11:56 AM
    • 2,362 Posts
    • 1,962 Thanks
    donnac2558
    Netflix phishing scams now doing the rounds as well. Loads of Amazon cancelling your order ones too.

    I have had the Apple one as well and don't even own an Apple. Just deleted without opening.
    • angryparcel
    • By angryparcel 16th Jun 17, 12:11 PM
    • 910 Posts
    • 520 Thanks
    angryparcel
    I'm sorry but I don't know how to find this info. Windows live mail is not showing it.
    Originally posted by hubb
    To view all an email message's headers in Windows Live Mail, Windows Mail or Outlook Express:

    1) Highlight the message in the Windows Live Mail, Windows Mail or Outlook Express message list.
    2) Click on the message with the right mouse button.
    3) Select Properties from the context menu.
    4) Switch to the Details tab.
    • Ant555
    • By Ant555 16th Jun 17, 12:14 PM
    • 719 Posts
    • 277 Thanks
    Ant555
    You have changed your password which was very wise.

    If you log in now then do you see this 'suspect' ipod listed in your devices?

    If not then it was almost certainly was a phishing email, if it IS there then someone knows your previous Apple credentials.

    By The way if you log in to iCloud and can see the suspect ipod then you should be able to wipe/erase/put in lost mode remotely.
    • Ant555
    • By Ant555 16th Jun 17, 12:33 PM
    • 719 Posts
    • 277 Thanks
    Ant555
    PS - if you go to this web site and enter your email address it will check it against the millions of email addresses that have been hacked and shared online due to companies being compromised. If your mail address was stolen in one of the many data breaches then they might have also got your real name or even addresses etc and that is how the 'bad people' can construct an email that looks real.

    https://haveibeenpwned.com/

    Note that the Exploit.in 'leak' is a body of work where someone on the bad side of the fence has spent time and effort to join together all the other data breaches and is offering for sale a list of up to 800 million email/password combos that have been stolen in all the other breaches put together!

    Hope this helps.
    Last edited by Ant555; 16-06-2017 at 12:39 PM.
    • hubb
    • By hubb 16th Jun 17, 12:36 PM
    • 1,813 Posts
    • 358 Thanks
    hubb
    Good news — no pwnage found!


    Here is the header.

    Received: by 10.74.172.199 with SMTP id c7csp379347oon;
    Wed, 14 Jun 2017 09:00:16 -0700 (PDT)
    X-Received: by 10.84.218.141 with SMTP id r13mr816975pli.67.1497456015967;
    Wed, 14 Jun 2017 09:00:15 -0700 (PDT)
    ARC-Seal: i=1; a=rsa-sha256; t=1497456015; cv=none;
    d=google.com; s=arc-20160816;
    b=M/tFXAeeJB+g+TiKcKx6W+SQFUViuC84SdAzZbL/vCct2Ys7r9BOpLjVF0H2+B6dSK
    GJ7OTvI4oI2zxvxcEvMughIs3FCwxGmkZMjEqtYx1L7ffwUfSM 16gH2bdv1vOXkaaxVw
    nL02CsFfHd4ME8xFQ7kGfHGUyfxjEuq7pUE+vBiAFd0BzooqCT skMX0/n1VgN9m/Rf5l
    kozbU0gvfCz2YJuMZqBeIekcewtlU9CAP9cOgNW2Yck7lMF+Ou IlrJHudCodqHexbIJD
    6HTDiPLgqHRhq8WEhUC/zaW9ACJN2uy2Ga61uL3DQtqAsNZAOTnNp0my1tLBl5mRVtaj
    +GaQ==
    Last edited by hubb; 16-06-2017 at 12:51 PM.
Welcome to our new Forum!

Our aim is to save you money quickly and easily. We hope you like it!

Forum Team Contact us

Live Stats

1,315Posts Today

8,015Users online

Martin's Twitter