iPhone users under threat from new ‘reset password’ attack — how to stay safe

An iPhone flooded with password request notifications
(Image credit: Shutterstock)

Hackers have figured out a way to exploit what seems to be a bug in Apple’s password reset feature in a new scam that can lock you out of your iPhone if you’re not careful.

As reported by Krebs on Security, this attack starts with a single Reset Password notification on one of the best iPhones and is then followed by dozens of similar prompts. What makes this attack particularly annoying is the fact that targeted users will need to respond with “Don’t Allow” to each individual prompt.

If they don’t, these notifications won’t go away, which essentially renders your iPhone useless. Another thing to be worried about is that some victims may accidentally hit the “Allow” button instead of the “Don’t Allow” one. If this happens, the hackers behind this attack would have complete control over your Apple account after resetting the password.

If you own multiple Apple devices, this attack becomes even more annoying as these prompts appear on all of them. For instance, a potential victim named Ken who spoke to Krebs on Security said that these prompts appeared on his Apple Watch and he had to scroll down to be able to hit the “Don’t Allow” button.

Here’s everything you need to know about this new reset password attack along with some steps you can take to stay safe.

From push bombing to phone phishing

In a post on X, entrepreneur Parth Patel detailed his own first-person account of the attack and he also included screenshots. Patel explained that he and other startup founders were being “targeted by the same group/attack” which led him to make the thread in the first place.

This kind of attack is known as “push bombing” or “MFA fatigue” as the cybercriminals behind it are abusing either a feature or weakness in a company’s multi-factor authentication (MFA) system.

As Patel is fully invested in the Apple ecosystem, he started seeing these password reset notifications on his watch, laptop and phone. The worst part is that he couldn’t do anything else on his phone until he manually went and dismissed all of these notifications one after the other.

Another big concern is that some iPhone users may tap “Allow” just to be able to use their devices. However, doing so would give the hackers behind this attack complete access to your Apple account, and you would then be locked out of it.
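To make the “push bombing” pattern concrete from the defender’s side, here is an added example (not code from the article, from Apple, or from any of the people quoted) that does two things: it scans constructed password-reset prompt log lines and flags any account that receives an unusual burst of prompts inside a short window, and it shows a server-side throttle that stops pushing prompts to a device once a per-account limit is hit. The log format, field names, thresholds and account names are all assumptions made up for the example.

```python
"""Detecting and throttling password-reset push bombing (MFA fatigue)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (not real Apple telemetry). Assumed format:
# "<ISO-8601 UTC timestamp> reset_prompt account=<id> src=<ip>"
# alice gets six prompts in 40 seconds (a flood); bob gets one; carol gets
# three spread over more than an hour, which is ordinary user behaviour.
SAMPLE_LOG = """\
2024-03-26T03:00:01Z reset_prompt account=alice@example.com src=203.0.113.10
2024-03-26T03:00:09Z reset_prompt account=alice@example.com src=203.0.113.10
2024-03-26T03:00:17Z reset_prompt account=alice@example.com src=203.0.113.10
2024-03-26T03:00:25Z reset_prompt account=alice@example.com src=203.0.113.10
2024-03-26T03:00:33Z reset_prompt account=alice@example.com src=203.0.113.10
2024-03-26T03:00:41Z reset_prompt account=alice@example.com src=203.0.113.10
2024-03-26T03:12:00Z reset_prompt account=bob@example.com src=198.51.100.7
2024-03-26T03:20:00Z reset_prompt account=carol@example.com src=198.51.100.8
2024-03-26T03:45:00Z reset_prompt account=carol@example.com src=198.51.100.8
2024-03-26T04:10:00Z reset_prompt account=carol@example.com src=198.51.100.8
"""

DEMO_START = datetime(2024, 3, 26, 3, 0, 0, tzinfo=timezone.utc)


def parse_line(line):
    """Parse one constructed log line into (timestamp, event, account, src)."""
    ts, event, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, event, kv["account"], kv["src"]


def detect_push_bombing(log_text, threshold=5, window=timedelta(minutes=10)):
    """Flag accounts that receive >= threshold reset prompts inside a sliding window.

    Returns {account: timestamp at which the threshold was first crossed}.
    A real user rarely asks for more than a couple of resets in ten minutes,
    so a burst is a strong signal that someone else is driving the prompts.
    """
    recent = defaultdict(deque)  # account -> prompt timestamps inside the window
    flagged = {}
    for line in log_text.splitlines():
        when, event, account, _src = parse_line(line)
        if event != "reset_prompt":
            continue
        q = recent[account]
        q.append(when)
        while q and when - q[0] > window:  # evict prompts older than the window
            q.popleft()
        if len(q) >= threshold and account not in flagged:
            flagged[account] = when
    return flagged


class ResetPromptLimiter:
    """Server-side throttle: push at most `limit` prompts per account per window.

    Requests beyond the limit are answered without pushing anything to the
    user's devices, so a flood cannot pin the phone behind a wall of dialogs.
    """

    def __init__(self, limit=3, window=timedelta(minutes=10)):
        self.limit = limit
        self.window = window
        self._sent = defaultdict(deque)  # account -> timestamps of pushed prompts

    def should_send(self, account, now):
        """Return True if a reset prompt may be pushed to `account` at `now`."""
        q = self._sent[account]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False  # throttled: the request is logged, not pushed
        q.append(now)
        return True


def simulate_flood(limiter, account, start, count, gap_seconds):
    """Feed `count` requests spaced `gap_seconds` apart; return the decisions."""
    return [limiter.should_send(account, start + timedelta(seconds=gap_seconds * i))
            for i in range(count)]


def demo_throttle():
    """Six requests 8 s apart against a limit of 3, then one more after the window."""
    limiter = ResetPromptLimiter(limit=3, window=timedelta(minutes=10))
    decisions = simulate_flood(limiter, "alice@example.com", DEMO_START, 6, 8)
    later = limiter.should_send("alice@example.com", DEMO_START + timedelta(minutes=11))
    return decisions, later


if __name__ == "__main__":
    for account, when in detect_push_bombing(SAMPLE_LOG).items():
        print(f"push bombing suspected for {account} at {when.isoformat()}")
    decisions, later = demo_throttle()
    print("throttle decisions:", decisions, "| allowed after window:", later)
```

The detector is what a security operations team would run over authentication logs; the limiter is the kind of control the service itself would need, since the victim cannot fix the flood from the phone. Both rely only on per-account counting in a time window, so they generalise to any MFA or approval prompt, not just password resets.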

While Patel thought the attack was over after dismissing dozens of password reset notifications, the hackers behind this campaign had another trick up their sleeves. He got a phone call that said it was from Apple Support that used the number 1-800-275-2273 which is the iPhone maker’s actual customer support line.

As a high-value target though, Patel was very suspicious when he picked up the phone. He then asked the person on the other end of the line to verify some information about him and, much to his surprise and after some “aggressive typing” on their end, they were able to do so. The one thing they couldn’t confirm though was Patel’s real name, which was a clear giveaway that he was speaking to hackers and not a customer support representative from Apple.

The attackers most likely got Patel’s information from a people-search website as the name they provided was one that he only had seen on the site PeopleDataLabs. This is why it’s always a good idea to limit how much of your personal information is available online.

How to stay safe from advanced phishing attacks

A fishing hook resting on a laptop keyboard.

(Image credit: wk1003mike/Shutterstock)

While we don’t know yet whether or not this password reset attack was possible due to a bug in Apple’s password reset feature, it very well could be. Tom’s Guide has reached out to Apple and the company did provide some guidance on how iPhone users can protect themselves from this and similar attacks.

For starters, the iPhone maker has a useful support page with everything you need to know about dealing with phishing and other scams. In this guide, Apple recommends that you report any phishing attempts you discover to the company directly at its reportphishing@apple.com email address. Likewise, in a statement, a company spokesperson also recommended that users who have received a scam phone call like the one detailed above report these occurrences on the FTC's website.

If you do happen to be targeted by this attack, it’s of the utmost importance that you don’t tap “Allow” on any of these password reset notifications. Dismissing them individually is both annoying and time consuming but not doing so will render your iPhone unusable and tapping “Allow” will give the hackers behind this campaign complete control over your Apple account.

If you do receive a phone call from anyone claiming to be from Apple Support, don’t give out any personal information. Instead, you should follow in Patel’s footsteps and have the person on the other end confirm what information they do have on you first. However, it’s highly unlikely that Apple Support would call you out of the blue and, if they did, they would never ask for your password or other personal information over the phone.

We’ll likely find out more on this password reset attack once Apple has implemented a fix but until then, keep your iPhone close and make sure you know exactly what you’re tapping on if you receive a password reset notification.


Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.

  • Romeg
    Why does every device maker and every app publisher require their own PW 2FA verification app? Why not make one's cell phone SMS or the user's email the universal 2FA method? Anyone connected to the internet has one or both of these. Also, make a NON-response equal to a NEGATIVE response. I do not want to be deluged at 3:00AM with a requirement to respond to such a request wherein failure deprives me of the use of my device or account.