Three years later, Adam is no closer to recovering his account.
'There’s a lifelong risk hanging over me'
Adam (not his real name), an airline pilot from Cheshire, fell victim to a clever phishing email in 2022.
The email was seemingly from the Apple Store and referred to a subscription from a cryptocurrency tracker that he didn't recognise.
Adam clicked the link, which triggered a two-factor authentication (2FA) security code (the police later confirmed that the request came via an IP address linked to Hong Kong). He duly entered the code on the website, assuming it would grant access to his Apple subscriptions. When this failed, he realised something wasn’t right.
‘In a matter of minutes, the fraudsters had signed me out of all devices, erased my phone via the "Find My" app, downloaded my data onto their devices and changed the trusted number on my account.'
The hackers now had full access to three terabytes of data via iCloud storage, including family photos and scanned bank statements, birth certificates and passports. More disturbingly, Adam believes the criminals also had access to his children’s linked Apple accounts, which potentially meant they could track their activity and location.
In the weeks and months after the attack, Adam spoke to Apple Support many times and visited a physical Apple Store three times, but he can’t recover his account because he doesn’t know the ‘trusted’ phone number used by the criminals.
Taking on a Titan
Apple told Adam that it needs to follow strict security guidelines when assessing the right to access an account. It has refused to budge despite there appearing to be reams of evidence, including a police report, that he was a victim of a sophisticated attack.
Resorting to the legal route, he pursued a small claims court case, obtaining a default judgment in his favour. However, Apple drew out the big guns and hired a barrister to 'tear apart' his claim, apparently on the basis that it had not been properly served with court documents or given sufficient time to respond.
Although this judgment required Apple to pay Adam over £5,000 (to cover the loss of all previously purchased software, music and all files and photos), he felt he had no choice but to discontinue the claim.
Asking the data regulator for help
Next, he took his complaint to the Information Commissioner’s Office (ICO), which told him in August 2024 that there is ‘more work to be done’ by Apple on complying with its obligations under data protection law.
Apple was asked to ‘review its framework around individuals’ information rights’ and the ICO said it has engaged with the tech giant regarding this matter, telling Which? that ‘whilst it is important organisations have robust security to protect people’s personal details, they should consider how this can be balanced with victims of identity theft and their ability to recover access to their important information they may have saved digitally.’
However, when we asked the ICO in December 2024 for an update on the result of this engagement with Apple, it had nothing further to add.
Apple has a series of privacy controls in place, as well as secure methods for account holders to identify themselves, including privacy requests via its secure privacy portal or using its account recovery process. In cases where an individual is unable to take these steps, Apple experts assess whether access can be granted.
Which? approached Apple about this case, but it declined to comment due to a long-standing policy of not commenting publicly on individual customers.
How do hackers get in?
Hackers may also simply guess our passwords in so-called ‘dictionary attacks’, using programs to test a vast selection of words and phrases, as well as commonly used passwords, one by one. Weak passwords – such as ‘123456’, the names of popular football teams or fictional characters such as Superman – can be cracked in seconds.
If they’ve breached one of your accounts, a hacker will try to compromise others, testing stolen details across multiple platforms. If it’s your primary email address that has been hijacked, they might try clicking the ‘forgotten password’ links to reset your security details.
How to protect your accounts
Multi-factor authentication (MFA) is the first line of defence for any online account, says Jake Moore, global cybersecurity advisor at software firm ESET.
Jake says: ‘It means anyone who even has access to a user’s password will still require a one-time passcode that only the genuine account owner can receive. One way this occurs is via an SMS message but better still is using an authenticator app, such as Google Authenticator. Authenticator app codes are encrypted and can only be viewed by the owner on their designated device, such as their registered phone. Many people do not even realise WhatsApp offers MFA and calls it two-step verification.’
Leading technology firms, such as Apple, Google and Microsoft, are looking to scrap passwords altogether, by testing out Passkeys that use biometrics, such as Face ID, to authenticate users instead.
In the meantime, you should look after your passwords. Advice differs, but combining three random words, such as ‘checktwistapple’, is considered ‘long enough and strong enough’ by the National Cyber Security Centre (NCSC). What everyone agrees on is that you should never repeat the same – or similar – passwords for multiple accounts. Use a password manager such as Dashlane or LastPass if you struggle to remember them.
Ignas Valancius, head of engineering at NordPass, says: ‘It is crucial to have a unique password for each account. Most modern password managers offer password generators, in addition to secure credential storage and autofill features, which is useful when creating new accounts or updating old ones.’
Why software updates matter
Installing the latest versions of your device’s software and apps is another vital layer of protection. These updates fix vulnerabilities to shield you from the latest cyberthreats.
You might be surprised to learn that some brands only support devices with these vital security patches for as little as two years. If you’re using a phone, tablet, computer or any other smart device (such as TVs or speakers) that is no longer being updated, consider upgrading.
A privacy check-up of your social media accounts is also sensible, to see who can view your posts and to remove any phone numbers, email addresses and other data that could be used against you. If you no longer use a social media account, remove any sensitive information, such as linked phone numbers, then delete it. To avoid exposing your primary email account to scammers and spammers, you may wish to set up short-term ‘burner’ emails for websites you don’t trust.
Source: https://www.which.co.uk/news/article/my-id-was-stolen-and-apple-refuses-to-give-it-back-andLp1Y8P4xf