Well, twice now.

On both occasions I’ve had an email from Apple to say my ID has been reset. Spoke to Apple on both occasions who have confirmed the email is genuine.

I’ve reset all my online passwords inc email etc to very strong 20 character passwords via my phone. I’m fairly certain they’ve not managed to log into my Apple ID as I have two factor verification turned on and at no stage has that been triggered?

My phone number is the only trusted number associated with my Apple ID and I don’t back my phone up to iCloud.

How is someone resetting my password taking the above into account?

I have two factor verification turned on and at no stage has that been triggered?

Due to lax practices within the mobile phone industry Two Factor Identification isn’t as secure as we’d like to think

To reset a password doesn’t someone just need to know what email you’ve used? I have a moderately unusual email address but I occasionally receive emails for someone whose email is clearly one letter different. If somebody had a v similar email to yours, but simply miskeyed it then what you describe could happen. Ie they type in wrong email without realising, get an error so ask for password reset. Or somebody is trying to scam you, in which case sounds like you’ve done the right things…

@maccruiskeen said:

Due to lax practices within the mobile phone industry Two Factor Identification isn’t as secure as we’d like to think

To be fair, two-factor authentication by text message is a really crap way to do it. I generally set up the Google or Microsoft Authenticator app wherever I can for two-factor. They provide rolling six-digit one-time keys (TOTP) that are only valid for 30 seconds.

https://en.wikipedia.org/wiki/Google_Authenticator

someone is resetting it, or attempting to reset it?

They’ve managed to reset it, first I know of it is that I receive (a genuine) email from Apple to notify me my password has been successfully reset. I use the Microsoft Authenticator thingy where I can, two step everywhere else.

How is someone resetting my password taking the above into account?

Spoke to Apple

Did you not ask them?

If its something that’s repeatedly happening (by accident or something more malicious) then maybe the best step with Apple is to change your Apple ID

Did you not ask them?

They couldn’t give me a valid reason, the best that they could suggest was that someone else has access to my phone (which they don’t). Tbh they were pretty useless other than confirming the emails I’ve received were genuine.

If it happens again I’ll have to look at changing my Apple ID email address as suggested by maccruiskeen (thanks).

How is someone resetting my password taking the above into account?

They have a similar email address, they puzzled why they can’t log in with their password despite being right for their email. So they’ve asked for a reset, the email didn’t come through so they asked again.

It’s twice I’d not worry about it.

They’ve managed to reset it, first I know of it is that I receive (a genuine) email from Apple to notify me my password has been successfully reset.

How did you get back into your account, out of interest? Did Apple sort that over the phone, is that why you rang them?

It’s done via the phone that you have registered to your Apple ID > Settings > Apple ID > Password & Security > Change password > Enter iPhone passcode > Enter new password > Confirm new password

You don’t need your current password if you are using your registered phone, whether it uses your phone number or some other method to identify you I’m not sure?

I called Apple to confirm if the email was a fake or not, initially I presumed the first email was a very good fake. It was only when I was messing about with my Sonos system when and I needed to authorise access to my Apple Music and was repeatedly told my Apple ID password was wrong before I realised the email must have been genuine.

It was also confirmed over the phone by Apple that no purchases or subscriptions had been made via my account.

do you have any old phones still registered?

Only within the household and they’re factory reset before they are passed down to the kids.