
Security hole reportedly allows anyone to reset your Apple ID password with email address and DOB (Updated 2x)

[youtube=http://www.youtube.com/watch?v=2TaAceHgyFE&start=10]

Update: Apple has taken the iForgot page offline “due to maintenance.” Now that it is safe, this is how it was done.

Update 2: iForgot is back online and the security hole has been fixed.

A “massive security hole” in Apple’s account management page discovered by The Verge allows anyone to reset your Apple ID password using nothing more than your birthday and email address, completely bypassing your security questions. The trick involves a modified URL that seems to fool the site into skipping the security questions and other verification steps, allowing anyone to gain access to your iTunes, App Store, and other Apple accounts within minutes.

If you use Apple’s iForgot page, you are directed to the options below after entering your email and DOB, so it would appear that the hack gets around this.

However, according to The Verge, your account is apparently safe from this exploit if you use Apple’s new 2-step authentication (instructions in video above. J/K go here).

Way to go Apple in getting everyone on board with the 2-step!
