'Hackers stole my account and Apple won't give it back'

A phishing email opened the door to hackers, resulting in the permanent loss of the Apple ID that Adam had owned for over 16 years, including three terabytes of personal data.
Three years later, Adam is no closer to recovering his account.
Hackers can act fast and cause extensive damage. Once in, they’ll scan for personal data to commit identity theft by opening credit accounts in your name and dumping you with the bill. They could intercept genuine messages with, say, solicitors or builders, sending fake invoices to trick you into making payments to their account.
They’ll also have access to your contacts, so your friends and family could be targeted with requests for money that they think come from you. If a hacker has managed to switch the recovery security details to their email address or phone number, you could be booted out of your accounts.
Our investigation, first published in Which? Money, looks at the destruction that can be caused by hackers and what you can do to protect yourself.
'There’s a lifelong risk hanging over me'
Adam (not his real name), an airline pilot from Cheshire, fell victim to a clever phishing email in 2022.
The email was seemingly from the Apple Store and referred to a subscription from a cryptocurrency tracker that he didn't recognise.
Adam clicked the link, which triggered a two-factor authentication (2FA) security code – the police later confirmed that this was via an IP address linked to Hong Kong – which he duly entered on the website, assuming it would grant access to his Apple subscriptions. When this failed, he realised something wasn’t right.
‘In a matter of minutes, the fraudsters had signed me out of all devices, erased my phone via the "Find My" app, downloaded my data onto their devices and changed the trusted number on my account.'
The hackers now had full access to three terabytes of data via iCloud storage, including family photos and scanned bank statements, birth certificates and passports. Yet more disturbing, Adam believes criminals also had access to his children’s linked Apple accounts, which potentially meant they could track their activity and location.
In the weeks and months after the attack, Adam spoke to Apple Support many times and visited a physical Apple Store three times, but he can’t recover his account because he doesn’t know the ‘trusted’ phone number used by the criminals.
‘Concerned about identity theft, I registered with Cifas, added fraud alerts and title restrictions on our home, thanks to advice from Which?. At night when I go to bed it’s often at the back of my mind. There’s a lifelong risk hanging over me.’
Taking on a Titan
Apple told Adam that it needs to follow strict security guidelines when assessing the right to access an account. It has refused to budge despite there appearing to be reams of evidence, including a police report, that he was a victim of a sophisticated attack.
Resorting to the legal route, he pursued a small claims court case, obtaining a default judgment in his favour. However, Apple drew out the big guns and hired a barrister to 'tear apart' his claim, apparently on the basis that it had not been properly served with court documents or given sufficient time to respond.
Although this judgment required Apple to pay Adam over £5,000 (to cover losses associated with the loss of all previously purchased software, music and all files and photos), he felt he had no choice but to discontinue the claim.
‘They have left me in the same abandoned state as I was pre-hack with no effort or human spirit to help me as their customer of over 30 years. This has truly been a case of a consumer up against a conglomerate, who have been unwilling to assist after a confirmed crime has occurred.’
Asking the data regulator for help
Next, he took his complaint to the Information Commissioner’s Office (ICO), which told him in August 2024 that there is ‘more work to be done’ by Apple on complying with its obligations under data protection law.
Apple was asked to ‘review its framework around individuals’ information rights’ and the ICO said it has engaged with the tech giant regarding this matter, telling Which? that ‘whilst it is important organisations have robust security to protect people’s personal details, they should consider how this can be balanced with victims of identity theft and their ability to recover access to their important information they may have saved digitally.’
However, when we asked for an update on the result of this engagement with Apple in December 2024, it had nothing further to add.
Apple has a series of privacy controls in place, as well as secure methods for account holders to identify themselves, including privacy requests via its secure privacy portal or using its account recovery process. In cases where an individual is unable to take these steps, Apple experts assess whether access can be granted.
Which? approached Apple about this case, but it declined to comment due to a long-standing policy of not commenting publicly on individual customers.
How do hackers get in?
We’re all vulnerable to data breaches and phishing emails designed to steal login details.
Hackers may simply guess our passwords, too – known as ‘dictionary attacks’ – by using programs to test a vast selection of words and phrases, as well as commonly used passwords, one by one. Weak passwords – such as ‘123456’, the names of popular football teams or fictional characters such as Superman – can be cracked in seconds.
If they’ve breached one of your accounts, a hacker will try to compromise others, testing stolen details across multiple platforms. If it’s your primary email address that has been hijacked, they might try clicking the ‘forgotten password’ links to reset your security details.
4 warning signs you've been hacked
- You get a ‘login attempt’ or ‘password reset’ email: Take action quickly to secure the account, but log in ‘the long way’ rather than clicking any links provided, as some messages are fake.
- Your friends receive weird emails you didn’t send: Reset your email password and boot out any unfamiliar devices. Warn your contacts they may have been targeted and run a complete antivirus scan.
- Your password isn’t working: Follow the account recovery process, found on the relevant provider’s support pages. If it’s a financial account, contact customer services to warn them your account is compromised.
- Your device slows down: A slower computer can be a red flag, so check for viruses, and remove any apps or browser add-ons and extensions you don’t recognise.
How to protect your accounts
If you haven’t done so already, set up two-factor or multi-factor authentication (MFA) wherever possible – you can find a list of companies and services that offer it at 2fa.directory/gb.
This is the first line of defence for any online account, says Jake Moore, global cybersecurity advisor at software firm ESET.
Jake says: ‘It means anyone who even has access to a user’s password will still require a one-time passcode that only the genuine account owner can receive. One way this occurs is via an SMS message but better still is using an authenticator app, such as Google Authenticator. Authenticator app codes are encrypted and can only be viewed by the owner on their designated device, such as their registered phone. Many people do not even realise WhatsApp offers MFA and calls it two-step verification.’
Leading technology firms, such as Apple, Google and Microsoft, are looking to scrap passwords altogether, by testing out Passkeys that use biometrics, such as Face ID, to authenticate users instead.
In the meantime, you should look after your passwords. Advice differs, but combining three random words, such as ‘checktwistapple’, is considered ‘long enough and strong enough’ by the National Cyber Security Centre (NCSC). What everyone agrees on is that you should never repeat the same – or similar – passwords for multiple accounts. Use a password manager such as Dashlane or LastPass if you struggle to remember them.
Ignas Valancius, head of engineering at NordPass, says: ‘It is crucial to have a unique password for each account. Most modern password managers offer password generators, in addition to secure credential storage and autofill features, which is useful when creating new accounts or updating old ones.’
Why software updates matter
Installing the latest versions of your device’s software and apps is another vital layer of protection. These updates fix vulnerabilities to shield you from the latest cyberthreats.
Avoid using devices that no longer receive updates, because criminals will try to abuse known weaknesses. Support for Windows 10 will end in October 2025, for example, at which point Microsoft will no longer provide security updates or technical support.
You might be surprised to learn that some brands only support devices with these vital security patches for as little as two years. If you’re using a phone, tablet, computer or any other smart device (such as TVs or speakers) that is no longer being updated, consider upgrading.
A privacy check-up of your social media accounts is also sensible, to see who can view your posts and to remove any phone numbers, email addresses and other data that could be used against you. If you no longer use a social media account, remove any sensitive information, such as linked phone numbers, then delete it. To avoid exposing your primary email account to scammers and spammers, you may wish to set up short-term ‘burner’ emails for websites you don’t trust.
This investigation originally appeared in Which? Money magazine.