Spark Says 'No Breach or Data Leak' After Users Get Locked Out of Apple IDs

Last night a few users began reporting that their Apple IDs had been compromised, causing them to be locked out of their accounts. Recovering and password resets worked for a handful of Apple IDs, but it was still unclear overnight what might have been happening to cause the small breach in Apple's otherwise secure universal log-in system.

This morning speculation came to a close as third-party email client Spark confirmed that an upgrade to faster servers for iCloud users on the platform triggered the issue and forced password resets in a collection of Apple IDs. The company mentioned that it has been preparing to launch Spark for Mac, which was the reason for the faster server upgrade, but now promises that "there's NO breach or data leak" that users have to worry about.

spark mail picture
Readdle, the creators of Spark, reiterated what it tweeted out throughout the morning in a post on Reddit.
Hello guys,

Thank you for the feedback and comments! Our team has been investigating this for a few hours. What we know so far: 1. There's no breach or data leak according to our investigation. 2. The new, faster AWS server logic might have triggered iCloud security algos. We are already working with Apple to learn more details. We are doing some server side work to make Spark much faster, and to make it ready for the Mac version, which is already in Alpha. We will keep you updated once we have more news from Apple side.

Thank you.
As some users have noted, the security problem didn't hit all Spark users who use the service with their iCloud account. The company said that it's working with Apple to get the issue fixed as soon as possible, but it seems that users affected by the security lockouts need not worry about malicious attempts at entry into their private Apple ID at least. If Readdle posts any more updates on its fix for the problem, we'll update this story as well.

Tag: Spark


Top Rated Comments

(View all)
Avatar
41 months ago
Breach or not, they could have at least apologised considering the inconvenience created in changing out your Apple ID password.
Rating: 5 Votes
Avatar
41 months ago

It seems to me that, from the security perspective, it's just a bad idea to use an email service that inserts itself between you and the actual email provider, ...


Exactly. It raises so many questions.

* Since they are impersonating you, they need to keep your password stored, not a one-way hash of it. How securely are they storing it? Who has access to it at the company?
* How secure is the email storage on their servers? Do they have one giant database serving all users, and filter by ID, or separate, segregated databases for each user?
* Can technical problems at their end cause emails to be deleted unintentionally?

Email is far too important to me to introduce layers of complexity and uncertainty like that.

(@Runbox rocks for email, by the way.)
Rating: 3 Votes
Avatar
41 months ago
I thought Spark was better vs. Outlook in regards to not being in the middle storing passwords etc. Now that I hear this, I have removed it. I have had my account locked out twice this week.

With 2 factor authentication on iCloud, there should be no way Spark could permanently hack your iCloud account since you have to generate a one time password for it. But I still don't like that it locks accounts. Maybe after everything is fixed I'll give it another try.
Rating: 3 Votes
Avatar
41 months ago
Twice I was locked out in the past couple days. It might be time to ditch Spark. It's a major nuisance to change my Apple ID password because it affects a number of devices.
Rating: 3 Votes
Avatar
41 months ago
It seems to me that, from the security perspective, it's just a bad idea to use an email service that inserts itself between you and the actual email provider, since they still have to store your password on their servers in case the email provider doesn't offer secure authentication via oauth tokens (which iCloud doesn't). This affects not only Spark, but also the Outlook mail app. This time it was apparently harmless, next time it could be a serious breach. And two-factor doesn't really help in case of iCloud, since you have to use an application password which is not protected ...
Rating: 3 Votes
Avatar
40 months ago

I personally didn't think they stored them. I thought they just used my phone-stored password. Now that I know for a fact they store it off site, I'm much more upset.


"Accounts are added to Spark through OAuth where possible. Where OAuth is not supported we keep your account username and password on our secure servers. We then use the authorization provided to download your emails to our virtual servers and push to your device.
[...]
The safety and security of your information also depends on you. You should not share your email user name and password with anyone. If you find out that anyone has improperly obtained your login credentials and accesses your email account through Spark, you should immediately change your password. We are not responsible for such unauthorized access unless the access is our fault."


https://sparkmailapp.com/privacy

LOL. What a con. Apple should punt this app from the App Store.
Rating: 3 Votes
Avatar
41 months ago
I'm confused. Does Spark impersonate the user and download messages on their behalf? So Spark's servers are storing Apple ID credentials? I don't see how a Spark server upgrade would interfere with Apple ID authentication unless they were "sitting in the middle" somehow, and there's no way that I would use such an app, if that were the case. I'll need to read up on the Spark Mail app a bit more.
Rating: 2 Votes
Avatar
41 months ago
Happened to me as well. Password reset worked fine. Hope they keep our data safe...
Rating: 2 Votes
Avatar
41 months ago
That explains why my Apple ID was locked. But now I have security concerns about Spark...
Rating: 2 Votes
Avatar
40 months ago

No, not really. All I hear is a company that stores email login credentials that suddenly cause people to be locked out of those email accounts claiming it wasn't a hack. Of course I believe them!

Because just as easily, or more likely even much easier, it couldn't be a glitch with something somewhere?
Rating: 2 Votes
[ Read All Comments ]