iPhone users, beware of notifications: Your Apple ID password could be stolen! Do not tap on password reset request notifications!
According to a report by KrebsOnSecurity, phishing attacks that seem to stem from a flaw in Apple's password reset feature are becoming more prevalent. Some Apple users have started receiving notifications or multifactor authentication messages asking them to confirm changes to their Apple ID password. Do not tap on these password reset request notifications! Hackers target iPhone users by sending consecutive password reset requests, hoping the user will tap and confirm. Once a user taps the approve option, the attacker gains access to the Apple ID password. These password requests target the Apple ID, appearing across all of the user’s devices and rendering them unusable until confirmed. If unsuccessful through notifications, attackers attempt to access the one-time password by making phone calls.
It's unclear how attackers are exploiting Apple's password reset system to bombard Apple users with notifications and messages, but it's evident there's a bug. The only action an Apple device user targeted by such attacks can take is to ignore all requests and know that Apple does not ask for a password reset through a phone call.
