Last night a few users began reporting that their Apple IDs had been compromised, causing them to be locked out of their accounts. Recovering and password resets worked for a handful of Apple IDs, but it was still unclear overnight what might have been happening to cause the small breach in Apple's otherwise secure universal log-in system.

This morning speculation came to a close as third-party email client Spark confirmed that an upgrade to faster servers for iCloud users on the platform triggered the issue and forced password resets in a collection of Apple IDs. The company mentioned that it has been preparing to launch Spark for Mac, which was the reason for the faster server upgrade, but now promises that "there's NO breach or data leak" that users have to worry about.

spark mail picture
Readdle, the creators of Spark, reiterated what it tweeted out throughout the morning in a post on Reddit.

Hello guys,

Thank you for the feedback and comments! Our team has been investigating this for a few hours. What we know so far: 1. There's no breach or data leak according to our investigation. 2. The new, faster AWS server logic might have triggered iCloud security algos. We are already working with Apple to learn more details. We are doing some server side work to make Spark much faster, and to make it ready for the Mac version, which is already in Alpha. We will keep you updated once we have more news from Apple side.

Thank you.

As some users have noted, the security problem didn't hit all Spark users who use the service with their iCloud account. The company said that it's working with Apple to get the issue fixed as soon as possible, but it seems that users affected by the security lockouts need not worry about malicious attempts at entry into their private Apple ID at least. If Readdle posts any more updates on its fix for the problem, we'll update this story as well.

Tag: Spark

Top Rated Comments

Max Portakabin Avatar
66 months ago
Breach or not, they could have at least apologised considering the inconvenience created in changing out your Apple ID password.
Score: 5 Votes (Like | Disagree)
dogslobber Avatar
66 months ago
I personally didn't think they stored them. I thought they just used my phone-stored password. Now that I know for a fact they store it off site, I'm much more upset.
"Accounts are added to Spark through OAuth where possible. Where OAuth is not supported we keep your account username and password on our secure servers. We then use the authorization provided to download your emails to our virtual servers and push to your device.
[...]
The safety and security of your information also depends on you. You should not share your email user name and password with anyone. If you find out that anyone has improperly obtained your login credentials and accesses your email account through Spark, you should immediately change your password. We are not responsible for such unauthorized access unless the access is our fault."


https://sparkmailapp.com/privacy

LOL. What a con. Apple should punt this app from the App Store.
Score: 3 Votes (Like | Disagree)
Rigby Avatar
66 months ago
It seems to me that, from the security perspective, it's just a bad idea to use an email service that inserts itself between you and the actual email provider, since they still have to store your password on their servers in case the email provider doesn't offer secure authentication via oauth tokens (which iCloud doesn't). This affects not only Spark, but also the Outlook mail app. This time it was apparently harmless, next time it could be a serious breach. And two-factor doesn't really help in case of iCloud, since you have to use an application password which is not protected ...
Score: 3 Votes (Like | Disagree)
Peepo Avatar
66 months ago
I thought Spark was better vs. Outlook in regards to not being in the middle storing passwords etc. Now that I hear this, I have removed it. I have had my account locked out twice this week.

With 2 factor authentication on iCloud, there should be no way Spark could permanently hack your iCloud account since you have to generate a one time password for it. But I still don't like that it locks accounts. Maybe after everything is fixed I'll give it another try.
Score: 3 Votes (Like | Disagree)
thebroz Avatar
66 months ago
Twice I was locked out in the past couple days. It might be time to ditch Spark. It's a major nuisance to change my Apple ID password because it affects a number of devices.
Score: 3 Votes (Like | Disagree)
coolfactor Avatar
66 months ago
It seems to me that, from the security perspective, it's just a bad idea to use an email service that inserts itself between you and the actual email provider, ...
Exactly. It raises so many questions.

* Since they are impersonating you, they need to keep your password stored, not a one-way hash of it. How securely are they storing it? Who has access to it at the company?
* How secure is the email storage on their servers? Do they have one giant database serving all users, and filter by ID, or separate, segregated databases for each user?
* Can technical problems at their end cause emails to be deleted unintentionally?

Email is far too important to me to introduce layers of complexity and uncertainty like that.

(@Runbox rocks for email, by the way.)
Score: 3 Votes (Like | Disagree)

Top Stories

REC ASA CODE2016 20160601 205816 2745

Elon Musk Reportedly Demanded to Become Apple CEO as Part of Potential Tesla Acquisition [Update: Musk Denies]

Friday July 30, 2021 9:04 am PDT by
Tesla CEO Elon Musk reportedly once demanded that he be made Apple CEO in a brief discussion of a potential acquisition with Apple's current CEO, Tim Cook. The claim comes in a new book titled "Power Play: Tesla, Elon Musk and the Bet of the Century," as reviewed by The Los Angeles Times. According to the book, during a 2016 phone call between Musk and Cook that touched on the possibility of ...
General Apps Messages

Android iMessage Competitor Puts Pressure on Apple

Friday July 30, 2021 3:15 am PDT by
Google and the three major U.S. carriers, including Verizon, AT&T, and T-Mobile, will all support a new communications protocol on Android smartphones starting in 2022, a move that puts pressure on Apple to adopt a new cross-platform messaging standard and may present a challenge to iMessage. Verizon recently announced that it is planning to adopt Messages by Google as its default messaging...
a15 chip

iPhone 13 and Redesigned MacBook Pro Chip Production Hit With Gas Contamination

Friday July 30, 2021 5:44 am PDT by
The most important TSMC factory that manufactures Apple's chips destined for next-generation iPhone and Mac models has been hit by a gas contamination, according to Nikkei Asia. The factory, known as "Fab 18," is TSMC's most advanced chipmaking facility. TSMC is Apple's sole chip supplier, making all of the processors used in every Apple device with a custom silicon chip. Industry...
Apple watch series 5 new case material made of titanium 091019

Titanium Apple Watch Series 6 Models Currently Widely Unavailable

Sunday August 1, 2021 6:21 am PDT by
Models of the Apple Watch Series 6 with titanium cases part of the "Apple Watch Edition" collection is currently widely unavailable for pick-up in several of Apple's retail stores in the United States and is unavailable entirely for delivery in major markets. Noted by Bloomberg's Mark Gurman in the latest edition of his "Power On" newsletter, titanium models of the Apple Watch Series 6,...
iPhone 13 Always On Feature

iPhone 13 to Bring Over a Major Feature From the Apple Watch

Wednesday July 28, 2021 2:21 am PDT by
Apple's upcoming iPhone 13 lineup will feature an always-on display akin to the Apple Watch Series 5 and Series 6, according to recent reports. In his weekly Power On newsletter, Bloomberg journalist Mark Gurman, who often reveals accurate insights into Apple's plans, said that the iPhone 13 may feature an Apple Watch-inspired always-on mode. The Apple Watch Series 5 and Apple Watch...
apple rtp land

Apple Preparing to Occupy 200,000 Square Feet of Temporary Space Ahead of New $1 Billion North Carolina Campus

Thursday July 29, 2021 9:14 am PDT by
Back in April, Apple announced a $430 billion investment over the next five years to create more than 20,000 new jobs as the company continues to expand. One significant piece of that plan is a new engineering and research center in North Carolina where Apple will be investing over $1 billion and hiring at least 3,000 employees. Assemblage of seven properties in Research Triangle Park owned by ...
telegram

Bumper Telegram Update Enables Video Calls With Up to 1,000 Viewers

Saturday July 31, 2021 12:13 am PDT by
Telegram Messenger has received a major update to its video capabilities, including support for video calls with up to 1,000 viewers. Group video calls in Telegram allow up to 30 users to stream video from both their camera and their screen, and now a maximum of 1,000 people can tune into the broadcast. Telegram says it intends to continue increasing this limit "until all humans on Earth...
app store blue banner

Elon Musk: Apple's App Store Fees Are a 'De Facto Global Tax on the Internet'

Friday July 30, 2021 10:04 am PDT by
Tesla CEO Elon Musk took to Twitter today to criticize Apple's App Store fees in a tweet that sides with Epic in the ongoing Epic v. Apple dispute. "Epic is right," wrote Musk, before going on to call Apple's App Store fees a "de facto global tax on the Internet." Musk earlier this week made veiled comments about App Store fees, but today's statement is a much more direct criticism....
FaceID iMac REREREREMIX

Top Stories: Face ID on Future Macs, Elon Musk Criticizes Apple, and More

Saturday July 31, 2021 6:00 am PDT by
This week saw an interesting range of Apple news and rumors, including a blockbuster earnings report, rumors about next year's "iPhone 14" and Face ID coming to Macs, and more. Subscribe to the MacRumors YouTube channel for more videos. Other popular topics included Apple's crackdown on leaks, changes in the latest round of betas for iOS 15, iPadOS 15, and macOS Monterey, and several stories...
duracell battery bitter coating

Apple Says Don't Buy AirTag Replacement Batteries With Bitter Coating

Wednesday July 28, 2021 11:08 am PDT by
Since AirTags were just released earlier this year and are expected to have a year-long battery life, it may be some time yet before AirTag users need a replacement battery, but when the time comes for a refresh, Apple is warning customers not to buy batteries with a bitter coating. AirTags use coin-shaped CR2032 batteries, which happen to be a size that's easy to swallow. Some battery...