iPhone Users Are Under Threat of New "Password Reset" Attacks - How to Stay Safe

iPhone Users Are Under Threat of New "Password Reset" Attacks - How to Stay Safe

Hackers have figured out how to exploit what appears to be a bug in Apple's password reset feature

As reported by Krebs on Security, the attack begins with a single password reset notification on the best iPhone, followed by dozens of similar prompts What makes this attack particularly troubling is the fact that the targeted user must respond to each individual prompt with "do not allow"

If you do not, these notifications will not go away, effectively rendering your iPhone unusable Another thing to worry about is that the victim may accidentally press the "Allow" button instead of the "Do Not Allow" button In this case, the hacker behind this attack could take complete control of your Apple account after resetting your password

If you own multiple Apple devices, this attack becomes even more tricky because these prompts appear on all of them For example, a potential victim named Ken, interviewed by Krebs on Security, stated that such a prompt appeared on his Apple Watch and he had to scroll down to hit the "do not allow" button

Below is everything you need to know about this new reset password attack and some steps you can take to stay safe

Entrepreneur Perth Patel detailed his own experience with this attack in a post to X and included screenshots Patel explained that he and other startup founders have been "targeted by the same group/attack," which is what prompted the thread in the first place

This type of attack is known as "push-bombing" or "MFA fatigue," and the cybercriminals behind it exploit either a feature or a weakness in a company's multi-factor authentication (MFA) system

Patel is so fully invested in the Apple ecosystem that it has begun seeing these password reset notifications on watches, laptops, and phones Worst of all, he could not do anything else with his phone until he manually unlocked all these notifications one after the other

Another major concern is that some iPhone users will tap "Allow" just to be able to use their device But doing so would give the hackers behind this attack full access to their Apple accounts, and they would be locked out of them

While Patel thought the attack was over after he had unlocked dozens of password reset notifications, the hacker behind this campaign had another trick up his sleeve He received a call claiming to be from Apple Support using the number 1-800-275-2273, the iPhone maker's actual customer support line

But as a high-value target, Patel was super suspicious when he picked up the phone He then asked the caller on the other end to verify some information about him, which, to his surprise, he was able to do after "positive input" from the other end What could not be confirmed, however, was Patel's real name, which clearly indicated that he was talking to a hacker and not an Apple customer support representative

The attacker likely obtained Patel's information from a people search site, as the name provided was one he had only seen on a site called PeopleDataLabs For this reason, it is always a good idea to limit the extent to which personal information is available online

Whether this password reset attack was made possible by a bug in Apple's password reset feature remains to be seen, but it is quite possible; Tom's Guide has contacted Apple, and the company has provided iPhone users with some guidance on protecting themselves from this and similar attacks Tom's Guide contacted Apple, and the company provided some guidance on how iPhone users can protect themselves from this and similar attacks

For starters, the iPhone maker has a handy support page with all the information you need to know to deal with phishing and other scams In this guide, Apple recommends reporting any phishing attempts directly to the company at its reportphishing@applecom email address Similarly, in a statement, a company spokesperson advised users who receive scam phone calls such as those described above to report these events on the FTC's website

In the unlikely event that you are targeted by this attack, it is most important that you do not tap "Allow" on the password reset notification While it is annoying and time-consuming to reset them individually, if you don't, you will not be able to use your iPhone, and tapping "Allow" will give the hackers behind this campaign complete control over your Apple account

If you receive a call from someone claiming to be from Apple Support, do not give them any personal information Follow Patel's lead and let the person verify your information first However, it is highly unlikely that Apple Support will call you out of the blue, and if they do, they will not ask you for your password or other personal information over the phone

We'll know more about this password reset attack once Apple implements a fix, but until then, keep your iPhone nearby and know exactly what you're tapping into when you receive the password reset notification

Categories