Apple account hacked: lock it down, recover funds, prevent re-entry
Your Apple ID is compromised, unauthorized charges are rolling in, and you need to act in the next 30 minutes. Here is the exact order of operations.
TL;DR
Move fast in this order: change your Apple ID password, sign every device out remotely, enable 2FA on a phone number only you control, then report every unauthorized charge through reportaproblem.apple.com. Apple's fraud team usually refunds confirmed unauthorized purchases; bank disputes should be a last resort because they can disable your Apple ID.
Step 1: immediate lockdown
Within the first 5 minutes:
1. Go to iforgot.apple.com from a desktop browser and change your Apple ID password. Pick something not derived from any password you have used elsewhere. The attacker may have credentials from a different breach; you do not want to use a related password.
2. Use a password manager to generate the new password: 20+ characters, random. Do not store the new password in the same place the old one might have been compromised from.
3. account.apple.com -> Devices section. Sign every device out that you do not currently have in your hand. The attacker is probably signed in somewhere; signing them out from your side closes their session immediately. Do not worry about signing yourself out of devices you own - you can sign back in afterwards with the new password.
4. If you have 2FA already enabled, the attacker may have intercepted SMS codes. Move to step 2 below.
5. If you do not have 2FA, enable it now: account.apple.com -> Sign-In & Security -> Two-Factor Authentication. The trusted phone number must be one only you control.
Do all of this before pursuing refunds. The attacker may still be running new charges while you read this; lock them out first.
Step 2: secure 2FA and trusted contacts
Even with 2FA on, you can still be compromised through:
- SIM-swap attacks (attacker transfers your phone number to their device, intercepts SMS codes).
- Old trusted phone numbers you no longer use (attacker had the old number assigned to them by the carrier).
- Recovery contacts who themselves got compromised.
Harden the auth surface:
1. account.apple.com -> Sign-In & Security -> Trusted Phone Numbers. Remove any number you do not currently control (old work numbers, numbers from a previous country, parents' numbers, ex-partner's numbers).
2. Add a number only you have access to. If you suspect SIM-swap risk, add a phone number from a service like Google Voice or a secondary line - harder to SIM-swap than your primary cellular number.
3. Recovery Contact: Settings -> [your name] -> Sign-In & Security -> Recovery Contact. Pick someone you trust with their own Apple device. They can verify on your behalf in future recoveries.
4. Recovery Key: account.apple.com -> Sign-In & Security -> Recovery Key. Generate one and store it on paper somewhere physically safe. With a Recovery Key, Apple's account recovery process is much faster.
Step 3: report and refund unauthorized charges
Once the account is locked down, attend to the money. The route:
1. reportaproblem.apple.com -> sign in with your (now-recovered) Apple ID.
2. List every charge you do not recognize. For each:
   - Click "Report a Problem".
   - Reason: "I did not authorize this purchase".
   - Free-text: "Account was compromised on [date]. The attacker made this charge. I have changed my password and signed out all unauthorized devices."
   - Submit.
3. Apple's fraud team has a higher refund approval rate than the standard refund queue. Unauthorized purchases reported within ~30 days of the breach are usually refunded.
4. Refunds typically land back where the money came from. If charged to a card, the refund returns to that card. If charged to Apple Account balance, refund returns to balance.
Do not use bank chargebacks for these charges. Even though they would work mechanically, the chargeback path triggers Apple's adversarial response and often results in the Apple ID being disabled. Once disabled, you lose access to every purchase ever made on the account, every subscription, and balance. Reportaproblem is slower but does not have this side effect.
Step 4: clean up authorized devices and tokens
The attacker may have left behind persistent footholds. Walk through and revoke each:
1. account.apple.com -> Devices. Confirm only your own devices are listed. Remove any unknown ones (the lockdown step in Step 1 covers this; revisit to confirm).
2. account.apple.com -> Sign in with Apple. This shows every third-party app or service you have signed in to using your Apple ID. Review the list; revoke any you do not recognize. Attackers sometimes use Sign in with Apple to maintain access through third-party services even after you change the Apple ID password.
3. account.apple.com -> App-Specific Passwords. Any app-specific password the attacker created stays valid until revoked. Revoke all of them and regenerate new ones for the apps you actually need (older Mail clients, third-party calendar apps that do not support 2FA).
4. Settings -> [your name] -> iCloud -> Manage Storage -> Family. If the attacker added themselves to your family, remove them. Family Sharing connections grant payment-method access to the organizer's card.
5. Subscriptions tab. Verify nothing is subscribed that you did not subscribe to. Attackers sometimes start subscriptions to apps they own to generate revenue.
The Apple Cash scam pattern
A specific variant worth knowing: the "TikTok For Business" Apple Cash scam. The pattern:
1. Attacker poses as TikTok For Business (or similar legitimate-sounding brand) and asks for an Apple Cash payment.
2. Victim sends $X via Apple Cash thinking it is a business transaction.
3. The recipient is actually a scammer who immediately moves the money to a bank or other Apple Cash account, beyond Apple's reversibility.
4. Apple Cash transactions are like cash; recovery is much harder than card-based recovery.
If this happened to you specifically:
1. Report through the Wallet app: open Wallet -> Apple Cash card -> tap the transaction -> Report an Issue. Apple's Apple Cash team is separate from iTunes Store support.
2. Contact Goldman Sachs (the issuing bank for Apple Cash) directly if Apple does not produce a refund within 7 days. They have their own dispute process.
3. File with the FTC and local police. The TikTok For Business scam is a tracked pattern; multi-victim reports get coordinated.
4. Disable Apple Cash temporarily: Wallet -> Apple Cash card -> Card Details (...) -> Pause Apple Cash. Prevents further drains while you investigate.
Apple Cash recovery rate is materially lower than App Store fraud recovery. Document everything; treat it as a possible total loss.
Why standard chat support cannot help
AppleCare front-line chat agents handle device repair, software help, and general account questions. They cannot:
- Lift account disables.
- Reverse Apple Cash transactions.
- Approve refunds for unauthorized purchases (they refer you to reportaproblem).
- Access Apple ID security tooling.
The team that can is iTunes Store support, particularly the fraud and security specialists. To reach them:
1. getsupport.apple.com (not the Apple Support app, which routes to general AppleCare).
2. Choose "Apple Account" -> "Security & Compromised Account".
3. Request a callback. Specify "Senior Advisor" if the case has any complication: prior disable, large dollar amount, recurring fraud, ongoing unauthorized access.
When the agent picks up:
- Lead with: "My Apple ID was compromised on [date]. I have changed the password and signed all devices out. I need to file unauthorized-purchase refunds and confirm the account is no longer at risk."
- Have ready: the list of unauthorized charges, the new password (do not give it; just confirm you have changed it), the device list you reviewed.
- Ask: "Is there anything else on the account I should clean up? Any open sessions, recovery contacts, app-specific passwords?"
A good Senior Advisor call takes 30-45 minutes and lifts most of the residual risk in one pass.
Related questions
Should I file a chargeback with my bank for unauthorized Apple charges?
Almost never. Bank chargebacks for Apple charges trigger Apple's adversarial fraud response and often result in the Apple ID being disabled entirely. Use reportaproblem.apple.com first; only fall back to bank chargeback if you are willing to abandon the Apple ID.
How long do I have to report unauthorized purchases?
Apple's policy is 60 days; in practice, recent reports (within 30 days) approve at the highest rate. After 60 days, recovery becomes much harder. Report as soon as you discover the breach.
My Apple ID was used to make purchases on a device that is not mine. Can Apple tell me whose device?
Apple has the device identifier and approximate location (IP-based, not GPS) but generally will not share specifics with you. For law enforcement investigations, Apple cooperates with subpoenas. If the breach is part of a larger pattern (stalking, ongoing harassment), file a police report and let them request the data.
Will my iCloud Photos and data be wiped during account recovery?
No. Account recovery is verification, not data wipe. Photos, Mail, Drive, and purchases all stay. The only data risk is if the attacker explicitly deleted things before you regained access - you would need to restore from a recent iCloud backup if so.
If I had Family Sharing, are the other family members also at risk?
Possibly. The attacker had access to the organizer's payment method, which billed family purchases. If you were the organizer, alert all family members. They should also change their Apple ID passwords as a precaution; if the attacker had broader access, they may have crossed into family accounts.