9to5Mac reports on a widespread Apple ID security incident where users were locked out of accounts without explanation and forced to reset passwords, documenting impacts on privacy, account security, and digital service access. The coverage acknowledges multiple human rights implications—including arbitrary detention, privacy violations, and denial of digital economic and health services—through investigative reporting and amplification of user voices, though it does not propose systemic solutions or advocate for rights remedies.
Happened to me today. First got the message on my computer that my location was unknown and needed to enter a code from the phone. By the end of it, I had to reset my Apple password. No idea why it happened.
Not sure if it’s a valid data point or not. I manage 7 people’s Apple ID accounts. This has happened a few times including twice last night but only on the people who use the @icloud.com as their primary email address. Assume that is related to password guessing attacks. Both addresses are in public email leak databases.
Can only advise that you should have recovery contacts and a recovery key set up in case something goes wrong.
I'm using my own domain for e-mail, but obviously I need another e-mail for registrar, hoster, etc. I used to use gmail for that, but recently switched to icloud as I thought gmail is too dangerous with Google banning people around. Seems Apple's no better.
I have no idea how to untangle this dependency chain. I'm using registrar in my country, so if everything goes wrong, I can just contact them with my ID and hopefully fix things up, but I'd prefer to have 100% reliable e-mail in the first place.
The thing that scared me recently was two updates that gave me new encryption keys. At first I trusted apple and wrote down the new key. But I became suspicious after the second update and checked online. It seems like it's happening to others, so I used the recommended command-line tool to verify my new encryption key and it didn't verify. Apparently it works after disabling and enabling encryption, but I'm just keeping it disabled for now.
To this day, I still get random "Enter your password to continue using iCloud" push notifications on my iPhone with no relevant action to trigger such a notification.
My Apple ID uses a unique password, I keep a recovery key, I don't have its login credentials saved anywhere, and it's a dev account; so I have my LLC's DUNS number attached to it. My devices are the only ones listed in my settings portal.
I have no idea why I get these notifications, lol.
Only tangentially related, but I have been trying to enroll for Apple's developer program for almost 3 months now.
Understanding what the problem is is essentially impossible. Going to a physical store doesn't help, calling their customer service has them telling you to go to www.apple.com/support (???), and writing for support has them rotate you through 4 different, and decreasingly useful, representatives.
The last response I got I was told the issue had to be handled by yet a different representative and it would take an "indefinite amount of time". Which may be a nice way of them saying it's never going to happen.
It really is demoralizing when you realize there is nothing you can do really, even in cases when you have done nothing wrong.
With risk of being spammy, this is probably the most relevant discussion I've seen so far on HN w.r.t my experience of being locked out from my Apple ID.
I hope legislation will force Apple to step up and be more transparent / helpful.
I can only imagine the uproar if this was happening to the users of any other company. But it's pretty muted here with a lot of consideration given for apple rather than hostility. Nice to see.
could be somewhat related, last week I had a successful login for my Apple ID from a location I didn't recognise (somewhere in central asia).
I noticed because I got a prompt on my phone, which requested I allow (or disallow) the access.
Since I'm pretty good about password hygiene and security, I of course changed my password immediately and force-signed out all my devices.
That being said: if someone has a password list and is using a bot to scan them all; Apple will of course lock-out sign-in attempts.
Not to say what they're doing is right, there's better ways to handle it. But if I were to apply very recent anecdotal data to this even then this is a meaningful conclusion I could draw.
So I'm not the only one, huh. Got myself an iPhone, downloaded 2 apps, went to bed, woke up to a complete lockout. They unblocked me through a phone support request, after 18 hours, and then hit me with a fresh ban, not even 24 hours later. Account got permabanned after like 5 more calls, where they just started sending me a legal notice instead.
The fact that your device can become a complete brick, because of an issue in their completely hands-off account management system, smells like a class action suit
I was thinking about something related yesterday.
It is amazing how big "Internet Silos" Google, Facebook, etc provide close to no customer support services and that we "users" have accepted this.
Getting cut off from one of these places can have a huge impact on people.
They happen without warning and often without explanation.
I think they ought to be forced to be more open around the process and how to get help in general.
For Apple I have usually managed to get a hold of some support. Often not helpful but at least somebody.
With Google and Facebook I have never been able to find anyone.
Something that is demonstrated on this site frequently when someone will post a plea for someone who knows people at Google who they can't contact on their behalf. Since they can't get hold of anyone themselves.
(Yes I am sure it's covered in the EULA several times that there is close to no support)
(For Google Workplace it is usually possible to get a hold of someone.)
I feel like these random behind the scenes issues happen a month or two before WWDC to give Apple the foundation they need to announce new services.
I had read Apple is switching the name AppleID to be Apple Account or something similar at WWDC. Me thinks they are quietly pushing code that somehow is causing this for people.
Maybe it’s an age of account issue or some other commonality.
I signed up for an at me account twenty years ago and still use that as my living and haven’t had issues. Maybe icloud.com users?
It happened to me last night! At that moment, I froze, thinking that somehow my password had leaked and someone was trying to brute-force my MFA. At the time, I was at a restaurant celebrating my son's birthday and couldn't change the password on my phone... So I just ignored it and when I got home, I changed the password on my MacBook without any trouble.
This morning, as a precaution, I changed all my important passwords.
Been locked for almost 3 months between November 2022 and January 2023.
Apple is crazy. My iPad with the authenticator broke, and even though I filled endless forms, verified emails and phone number they just keep sending me emails I was gonna be called by support at a date 3 weeks away.
Got no call, restarted the procedure. Got called in January, and it was an automatic voicemail or something..
I literally couldn't use my work machine (had a backup desktop to use).
Needless to say, except for the MBP I sadly need for work I'm not giving apple a dime for my life.
We need to get a legal advocacy group started for dealing with digital rights (EFF isn't getting it done with consumer rights). A couple of well-funded lawsuits on behalf of wronged users will fix this with all of the vendors. This kind of thing should never happen.
I understand why people enjoy Apple products, but I will never understand why people defend the company when we all know, often through direct personal experience or the experience of someone we know, that the wealthiest company in the world has chosen to provide insultingly miserable customer support as a business decision.
This makes me want to minimize my touchpoints with any of any cloud services of the hardware I purchase to ensure I can't be locked out of my life for 18-24 hours.
Some people have to take care of critical dependants. I don't exist and serve at the pleasure and convenience of any aspiring digital identity provider. I actually never wanted any of them to be my digital identity.
What's convenient may also be a bigger security gap and impact than many ppl realize.
The recent threads about PalmOS phones seem timely in hindsight. With Palm devices, you installed apps yourself with a sync cable to your computer, and there was no convenient app store, no one could lock you out of your smart phone and your life. Maybe that's an option that should come back. iTunes used to backup and sync just fine.
If there's no real acknowledgement or detailed coming out about this, it's very possible it's a cybersecurity incident of some kind that is serious enough. And it's not just an Apple thing. This has or will happen with every digital identity provider.
There's no one to really pick the phone or answer an email at google or apple when it comes to your digital identity that they want to be holders and providers of.. At least with the government there's a DMV or registry to go to.
The only thing you need to own is your primary email address and as long as that’s on a domain you own then you can move it. That’s about the only independence there is these days. If you use @icloud.com or @gmail.com for everything then you’re screwed.
You have to depend on someone somewhere. Just make that dependency less of an issue should anything show stopping happen.
Personally I’d like to see some legislation around identity providers and service levels and account retention.
This also spooked me. I’m a former security professional—there are few good reasons Apple should be doing this, and it smells of a targeted attack. If I had a zero-day exploit to steal your data, this is what it would look like.
On the other hand, if Apple suddenly found out that a good chunk of encrypted volumes weren’t actually encrypted / the key was recoverable by an offline attacker, this would also explain the facts.
But the lack of explanation from Apple is troubling.
I had similar issues, and I wish I could remember what solved it. It was something stupidly dumb like I had to log out and log back in on my phone or something. There have been a couple of different edge case bugs that prevent people from signing up, and Apple customer support is useless on this.
I’d say your guess is right - the accounts typically get locked because hacking groups are running attacks on lists of email addresses.
The email addresses ending in @icloud.com are scraped from a master list and the attack is directed to apple, while the custom domains are ignored because there is work involved in figuring out where those are hosted.
iCloud lets the user generate secondary email addresses, it’s better to use that and keep the login email address secret.
i also did this: created an email address that i use exclusively on apple. it actually wasn’t hard at all.
zero issues since.
> The problem stems from nefarious groups getting a hold of email addresses and running distributed dictionary attacks.
years back my email was leaked by a website that i never visited. apparently someone signed up using my email address and the website never verified the email.
in the meantime more and more people used the same email address [0] to signup everywhere (it’s not the same person, i checked).
As long as you can change your MX records, it doesn’t matter who is hosting your email. If Apple had a problem, you could switch it to any other provider and request the reset email again, etc.
Happened to me last night. I got a push notification on my watch that I needed to update my iCloud password. I thought that this isn't right, so I went to my phone and MacBook. Same thing, those devices said I needed to change my password. So I figured someone has my @iCloud email address and tried to login. I do have hardware keys setup, so wasn't terribly worried.
But nonetheless, I liked my old password and had to change to something else.
I bought an iPhone a couple of days ago, and was planning on using the weekend to finally migrate from my old Android phone. Luckily, I haven't even opened the box so I should be able to return it for a full refund. No way I'm spending over $1000 for this kind of experience.
> The fact that your device can become a complete brick, because of an issue in their completely hands-off account management system, smells like a class action suit
This is HN frontpage. It's on a big "Mac" website. The damage is done.
Many are going to write nonsense like: "Apple is still a $2 trillion company, so this obviously works for them" to which I'll respond with a simple question: Did it not work for Apple before these SNAFUs? Does it work better for Apple now, after fuck ups like that?
It's not normal behavior and they are losing customers over this.
We had an Apple "moment" in the family: around the 2012'ish MacBook Air era. Two at home and they worked fine, for about ten years. Then the battery issues, the keyboard issues, the trackpad issues. Eventually these MacBook Airs died a painful death.
I'm on Linux since the nineties (and, yup, I can get into my system with Apple or Microsoft forcing an online ID down my throat) but the Macs were convenient for the wife.
So we bought a MacBook Air M1. After 13 months or so the screen died alone, overnight: was working fine before closing the lid, was dead in the morning. There are threads with dozens of pages on that subject.
That's when I switched the wife to Ubuntu. Ubuntu, Linux Mint: she doesn't care. Heck, I probably could have her use Debian or Devuan (Debian without systemd).
Apple is done for us. It's over. We'll never ever buy a Mac again and I'll never ever recommend a Mac to anyone.
And I'm far from the only one thinking that way.
The damage is done.
Rationalize as much as you want, invoke AAPL's market cap as much as you want, and enjoy being locked out of your devices without any recourse.
Don’t want to sound like I’m victim blaming the author. But I can tell you exactly the issue with their account: registering with an email on a self hosted .xyz domain. Using sketchy tld’s is just asking for this kind of trouble.
> Google, Facebook, etc provide close to no customer support services and that we "users" have accepted this.
This is why I've always rejected the concept of vendor "ecosystems" and cloud-first SaaS solutions for my personal computing. I've also designed my life so it's not dependent on having uninterrupted access to Facebook or Gmail.
Editorial Channel
What the content says
+0.15
Article 9: No Arbitrary Detention
Medium Coverage Advocacy
Editorial
+0.15
SETL
+0.12
Article exposes arbitrary account lockout without explanation or apparent due process, advocating for user rights through investigative coverage.
FW Ratio: 60%
Observable Facts
Article reports users being 'locked out of their Apple ID across all of their devices' without authorization.
Article states 'There doesn't appear to be any rhyme or reason as to why this is happening,' documenting lack of explanation.
Article notes Apple's official status page showed no issues despite widespread reports, indicating failure of communication.
Inferences
By exposing arbitrary account restrictions without warning or due process explanation, the article advocates for users' right to protection from arbitrary detention.
The documentation of unexplained digital lockout highlights violations of due process and supports awareness of this UDHR violation.
+0.15
Article 12: Privacy
Medium Coverage Advocacy
Editorial
+0.15
SETL
+0.15
Article documents multiple privacy violations: forced password resets, cascade deletion of app-specific passwords, and security complications with Stolen Device Protection.
FW Ratio: 60%
Observable Facts
Article reports users are 'forced to reset their password before logging back in,' imposing involuntary privacy actions.
Article states 'if you reset your Apple ID password, any app-specific passwords you had previously set up via iCloud will be reset as well,' documenting cascade privacy violations.
Article mentions complications for users with 'Stolen Device Protection enabled,' showing secondary privacy/security vulnerabilities.
Inferences
By documenting forced password resets and automatic deletion of credentials, the article exposes violations of privacy and control over personal data.
The coverage of cascade effects on security tokens advocates for users' right to privacy and autonomy over digital credentials.
+0.15
Article 19: Freedom of Expression
Medium Coverage Advocacy
Editorial
+0.15
SETL
+0.09
Article extensively amplifies user voices through direct quotes and links to multiple social media platforms (Mastodon, Twitter, Threads), advocating for user right to express concerns.
FW Ratio: 60%
Observable Facts
Article contains multiple embedded social media posts: 'I was mid FaceTime with @milesabovetech and my Apple account got locked,' 'Hey @AppleSupport all of my Apple products suddenly decided to lock me out,' and six additional user testimonials.
Article states 'A number of people on social media say that they were logged out' and links to 'Thread #1 on Mastodon, Thread #2 on Mastodon, Thread #3 on Mastodon,' plus Twitter threads showing direct user voices.
Article links to Michael Tsai's aggregation ('Michael Tsai's blog post') and 'Various responses on Twitter,' amplifying diverse user perspectives.
Inferences
By featuring extensive user-generated expressions, the article facilitates free expression and user agency in reporting their experiences.
The deliberate amplification of user voices across multiple platforms advocates for the right to freely express concerns about technology systems affecting them.
+0.10
Article 3: Life, Liberty, Security
Medium Coverage
Editorial
+0.10
SETL
+0.07
Article documents security incident affecting users' digital security and accounts, raising awareness of threats to security infrastructure.
FW Ratio: 50%
Observable Facts
Article reports 'increasingly widespread Apple ID outage' affecting users' ability to access accounts securely.
Content describes users being 'locked out of their Apple ID across all of their devices,' directly impacting digital security.
Inferences
By documenting security vulnerabilities affecting large user populations, the article advocates for awareness of digital security rights.
The coverage implicitly supports users' right to secure access and protection of digital assets.
+0.10
Article 17: Property
Medium Coverage
Editorial
+0.10
SETL
+0.07
Article documents denial of access to digital property (user accounts, data, app-specific passwords), raising awareness of property rights violations.
FW Ratio: 50%
Observable Facts
Article reports users unable to access 'their Apple ID' accounts across 'all of their devices.'
Article documents cascade loss of 'app-specific passwords,' indicating denial of control over digital property.
Inferences
The coverage of account access denial documents violations of users' rights to their own digital property and data.
By reporting on widespread property access denial, the article advocates for recognition of digital property rights.
+0.10
Article 22: Social Security
Medium Coverage
Editorial
+0.10
SETL
+0.07
Article documents denial of access to digital economic infrastructure (App Store, payments, purchases), impacting users' economic participation rights.
FW Ratio: 50%
Observable Facts
Article reports users 'locked out of their Apple ID' which controls access to App Store, payments, and digital purchases.
Article describes lockout affecting 'all of their devices,' denying access to economic services.
Inferences
The documentation of digital economic access denial impacts users' rights to engage in commerce and economic participation.
By reporting on widespread economic service denial, the coverage advocates for recognition of digital economic rights.
+0.10
Article 25: Standard of Living
Medium Coverage
Editorial
+0.10
SETL
+0.07
Article documents impact on health and wellness services through Apple Health app access denial, affecting standard of living.
FW Ratio: 50%
Observable Facts
Article mentions Apple Health as impacted by the lockout incident.
Article describes users locked out of 'all of their devices,' denying access to health-related applications.
Inferences
The coverage of health app access denial documents impacts on users' rights to health and standard of living.
By reporting on health service disruption, the article raises awareness of impacts on health-related UDHR rights.
+0.10
Article 28: Social & International Order
Medium Coverage Advocacy
Editorial
+0.10
SETL
0.00
Article provides factual information about system vulnerability affecting users and seeks accountability from Apple, supporting right to information about systems affecting people.
FW Ratio: 60%
Observable Facts
Article provides detailed, factual reporting: 'Apple users are being locked out of their Apple IDs with no explanation.'
Article documents both internal observation ('A few of us here at 9to5Mac have also been directly affected') and external reports, providing evidence-based information.
Author states 'I've asked Apple for more information and will update if I hear anything back,' demonstrating accountability-seeking journalism.
Inferences
The article serves a critical function in providing public information about vulnerability in systems that affect millions of users.
By investigating and publishing the incident and seeking Apple comment, the coverage advocates for the right to information about technology systems affecting people's rights.
+0.05
Article 8: Right to Remedy
Medium Coverage
Editorial
+0.05
SETL
ND
Article documents remedy process available to users (password reset) but emphasizes forced nature of the remedy.
FW Ratio: 50%
Observable Facts
Article describes users being 'forced to reset their password before logging back in,' indicating access to remedy mechanism.
Inferences
The coverage of available remedy (password reset) mildly supports the right to effective remedy, though remedy is mandatory rather than voluntary.
+0.05
Article 26: Education
Low Coverage
Editorial
+0.05
SETL
ND
Article implicitly covers education through mention of Apple devices and app access denial, though education is not primary focus.
FW Ratio: 50%
Observable Facts
Article describes lockout of 'all of their devices,' which may include educational applications.
Inferences
The lockout potentially impacts educational app access, though not explicitly emphasized in coverage.
0.00
Preamble
Low
Editorial
0.00
SETL
ND
Article does not engage with philosophical framework of universal human dignity or inherent rights to all members of human family.
0.00
Article 1: Freedom, Equality, Brotherhood
Low
Editorial
0.00
SETL
ND
Article treats all affected users equally in reporting without discrimination by status or characteristic.
0.00
Article 2: Non-Discrimination
Low
Editorial
0.00
SETL
ND
Article does not discriminate based on protected characteristics in reporting.
0.00
Article 7: Equality Before Law
Medium
Editorial
0.00
SETL
ND
Article reports potential arbitrary treatment of users ('no rhyme or reason') but maintains neutral documentary stance rather than advocacy.
FW Ratio: 50%
Observable Facts
Article states 'There doesn't appear to be any rhyme or reason as to why this is happening,' documenting arbitrary treatment.
Inferences
The neutral reporting of arbitrary treatment presents factual documentation without advancing a position on equality rights.
ND · Article 4: No Slavery · Not covered in this article.
ND · Article 5: No Torture · Not covered in this article.
ND · Article 6: Legal Personhood · Not covered in this article.
ND · Article 10: Fair Hearing · Not covered in this article.
ND · Article 11: Presumption of Innocence · Not covered in this article.
ND · Article 13: Freedom of Movement · Not covered in this article.
ND · Article 14: Asylum · Not covered in this article.
ND · Article 15: Nationality · Not covered in this article.
ND · Article 16: Marriage & Family · Not covered in this article.
ND · Article 18: Freedom of Thought · Not covered in this article.
ND · Article 20: Assembly & Association · Not covered in this article.
ND · Article 21: Political Participation · Not covered in this article.
ND · Article 23: Work & Equal Pay · Not covered in this article.
ND · Article 24: Rest & Leisure · Not covered in this article.
ND · Article 27: Cultural Participation · Not covered in this article.
ND · Article 29: Duties to Community · Not covered in this article.
ND · Article 30: No Destruction of Rights · Not covered in this article.
Structural Channel
What the site does
+0.10
Article 19: Freedom of Expression
Medium Coverage Advocacy
Structural
+0.10
Context Modifier
ND
SETL
+0.09
Free distribution model enables public access to diverse user expressions; site structure supports amplification of user voices.
+0.10
Article 28: Social & International Order
Medium Coverage Advocacy
Structural
+0.10
Context Modifier
ND
SETL
0.00
Free distribution model ensures public access to information about systemic issues; site provides investigative platform.
+0.05
Article 3: Life, Liberty, Security
Medium Coverage
Structural
+0.05
Context Modifier
ND
SETL
+0.07
Site distributes security incident information freely, enabling public awareness of digital security threats.
+0.05
Article 9: No Arbitrary Detention
Medium Coverage Advocacy
Structural
+0.05
Context Modifier
ND
SETL
+0.12
Site provides platform for documenting and exposing arbitrary digital detention, supporting accountability.
+0.05
Article 17: Property
Medium Coverage
Structural
+0.05
Context Modifier
ND
SETL
+0.07
Site provides public information about digital property access violations, supporting user awareness.
+0.05
Article 22: Social Security
Medium Coverage
Structural
+0.05
Context Modifier
ND
SETL
+0.07
Site provides public information about economic access violations, supporting user awareness.
+0.05
Article 25: Standard of Living
Medium Coverage
Structural
+0.05
Context Modifier
ND
SETL
+0.07
Site provides information about health service access violations.
0.00
Article 12: Privacy
Medium Coverage Advocacy
Structural
0.00
Context Modifier
ND
SETL
+0.15
Site's ad tracking infrastructure undermines privacy protections, offsetting information provision; zero due to advertising tracking visibility.
ND · Preamble · Low · Not applicable to preamble.
ND · Article 1: Freedom, Equality, Brotherhood · Low · Not applicable at article level.
ND · Article 2: Non-Discrimination · Low · Not applicable at article level.
ND · Article 4: No Slavery · Not applicable.
ND · Article 5: No Torture · Not applicable.
ND · Article 6: Legal Personhood · Not applicable.
ND · Article 7: Equality Before Law · Medium · Not applicable at article level.
ND · Article 8: Right to Remedy · Medium Coverage · Not applicable at article level.
ND · Article 10: Fair Hearing · Not applicable.
ND · Article 11: Presumption of Innocence · Not applicable.
ND · Article 13: Freedom of Movement · Not applicable.
ND · Article 14: Asylum · Not applicable.
ND · Article 15: Nationality · Not applicable.
ND · Article 16: Marriage & Family · Not applicable.
ND · Article 18: Freedom of Thought · Not applicable.
ND · Article 20: Assembly & Association · Not applicable.
ND · Article 21: Political Participation · Not applicable.
ND · Article 23: Work & Equal Pay · Not applicable.
ND · Article 24: Rest & Leisure · Not applicable.
ND · Article 26: Education · Low Coverage · Not applicable at article level.
ND · Article 27: Cultural Participation · Not applicable.
ND · Article 29: Duties to Community · Not applicable.
ND · Article 30: No Destruction of Rights · Not applicable.
build ef36a6c+2y0s · deployed 2026-02-28 14:01 UTC · evaluated 2026-02-28 14:07:24 UTC