My Apple iCloud Nightmare

Posted in Fly&Dine Essays

While the majority of posts on Fly&Dine are about either flying, dining, or both at the same time, this story veers into a very different direction. If you’re not into tech stories of mystery and intrigue that detail my iCloud nightmare, perhaps you’d prefer to browse here instead?

Two weeks ago, I got an email from Apple. The subject line was:

“Jason Kessler’s iPad” has been removed as a trusted device.”

How ironic, then, that I was using my iPad at that exact moment. I hadn’t removed it as a trusted device. In fact, I was fairly dependent on the fact that it was a trusted device, because that made it the key to my two-factor verification within Apple’s security system. I tried to log in to my account, but without the four-digit codes that would have been sent to my iPad, I couldn’t access the account. I kept on sending new codes, hopeful that the email was in error and the codes would be showing up on my iPad any second now. If the code came through, I could access the account. Otherwise, I’d need my Recovery Key (a 16-digit code that Apple gives you once when requested and tells you to NEVER LOSE IT EVER OR YOU’LL DIE A HORRIBLE DIGITAL DEATH) and I was too lazy to go digging for it (at that moment), so my best option was to call Apple and see what this was all about.

Before I continue, I think it’s a good idea to explain what Two-Factor Verification is to anyone who’s not familiar with stringent online security. Basically, instead of a standard password-protected account, Apple gives you the option to require two forms of authentication before anyone can access your iCloud account. You need any two of these three pieces of information: your password, your Recovery Key, or four-digit codes sent to a verified device. Got your password? Great. Enter your Recovery Key or have a code sent to a device. Got a trusted device and your Recovery Key but forgot your password? No problem at all. Lose your password and your trusted device(s), though, and you, my friend cannot access your account at all — even if you’ve got the Recovery Key.

Okay. Back to the story. I had my password, I had my Recovery Key (somewhere), and I called Apple. The support agent I was dealing with immediately recognized that they were unable to help and passed to an “Apple Senior Advisor: iOS.” In my case, that meant Kenny.

“If I hadn’t removed the iPad, then someone did.”

Let’s just say that Kenny isn’t going to win any awards for enthusiasm. He listened to my plight and told me that he had no idea why I got that email. If I hadn’t removed the iPad, then someone did. That’s obviously very alarming. I don’t share my passwords with anyone. In fact, they’re based on a piece of information that is completely unrelated to me. The only thing we could think of was that someone had access to my old iPhone, the one that I sold before getting my new one, and they were trying to gain access to my iCloud account.

Kenny told me we needed to change my password to make my account safe again and there was nothing he could do unless I had my Recovery Key. No problem, I told him. If that’s what it would take, I’ll happily go digging for it. Two minutes later, I returned to the call with the key in hand. My password worked, I had my Recovery Key, and it looked like I was back on the road to total security. All I needed to do was change the settings on my approved devices and I’d be good to go. Except for one problem.

In sending codes to my device earlier, I triggered Apple’s internal security measures and it wouldn’t let me send new codes to verify my new devices. I was in the middle of a Cupertino Catch-22. I needed to verify my current devices as mine, but I couldn’t verify them without the codes. Kenny wasn’t worried. As long as we changed my password, the account would be secure and I could go back in later and verify my devices after the eight-hour security lockout ended. On Kenny’s insistence, I changed my password to a much stronger pass-phrase (instead of a simple password) and this is where Kafka joined the party.

“I was now on the outside looking in…”

While still on the phone with Kenny, I logged out of my iCloud account and attempted to log back in. With my Recovery Key and new password, this should be no problem. Except the system didn’t recognize my new password. I tried again and again and it wouldn’t let me in. All of a sudden, I lost the second piece of information that guaranteed access to my account. I was now on the outside looking in and none-too-happy with Kenny.

He didn’t know why I couldn’t get in to the account now. He had no answers at all. In fact, he kept insisting that I was typing it wrong. Sorry, pal. I just entered it three minutes ago. I don’t think I would forget it so quickly. His advice was to wait for the eight-hour lockout to end and we could try again. Great thinking, Kenneth.

Over the next 24 hours, while waiting to call back in, I received messages that my iCloud password was wrong roughly six billion times on my iPhone, iPad, and MacBook Air. You don’t realize what an Apple ecosystem sucker you really are until you discover that you’re constantly reminded on multiple devices that you’re currently dealing with a major cyber security issue. I just ignored it and hoped this was all a simple misunderstanding of the digital variety.

“I was in iCloud Hell and the Digital Devil had stolen my password and made it disappear forever.”

I spoke to Kenny again, but now that my password didn’t work, he claimed there was nothing he could do to help me. Apparently, turning on two-factor identification means that even those whose job it is to help you are powerless to help. I was in iCloud Hell and the Digital Devil had stolen my password and made it disappear forever.

Over the next week, as the iCloud password prompts continued to pop-up on my iDevices every four seconds or so (okay, maybe it was longer, but it felt like every four seconds), I waited. “The Engineers” (whoever they are) were looking at my account and trying to find a way in. They seemed to be taking their sweet time.

As the reality of not having access to my account settled in, so did all of the things I would lose with it. My entire downloaded music collection would be gone, as would every movie I bought through iTunes — including the full Harry Potter box set that I scored for $10. My Pages documents, my iMessages, my photo stream… all gone. Essentially, I was witnessing going through a digital lobotomy and I was awake during the surgery. I could feel all those years of cultural memories slipping away: the songs I loved in college, the photos of delicious meals I never transferred over to my iPhoto, The Goonies. All gone if I couldn’t get into my account. The reality of living in the cloud is that once you lose the keys to your digital apartment, the building essentially disappears forever.

“I was grieving the loss of my digital life.”

Not being able to continue my digital life as normal was having a serious psychological toll on me in real life. I didn’t sleep as well as normal. I was slightly depressed. I had a general “screw it” attitude that made everything seem like a hassle. In general, I was grieving the loss of my digital life. Then I had an idea.

My pass-phrase is complicated. Special characters, numbers, capital letters — it’s all in there. One of the special characters happens to be a space. Several spaces, in fact. What if I tried the password again, but this time without spaces? If the system didn’t recognize the spaces as special characters when I put it in, it wouldn’t recognize them when I tried to re-enter the password. So I went back to my account and gave it a shot.

It worked.

After a week and a half of being locked out of my iCloud account, I was back in. Immediately, I changed my trusted devices. Then I called Kenny and explained what happened. “Yeah,” he said without any affect whatsoever. “We don’t count spaces as special characters.” Thanks, Ken. That would have been really useful information last week.

My iCloud nightmare was finally over — no thanks to Kenny and “the engineers” at Apple. I’ve enjoyed full access to my account ever since. I never did find out how my iPad was removed as a trusted device, but hopefully it was just a simple glitch and not an army of Estonian hackers trying to pilfer my Harry Potter collection.

So, the technical takeaway is this: if you change your password and it immediately doesn’t work, check to see if spaces are allowed as special characters.

The personal takeaway is this: we’ve allowed so much of our lives to exist in a reality that doesn’t take up physical space. Our real-life personal and emotional well-being relies on the digital spaces in our lives functioning properly. Do what you can to protect your accounts because if you lose access to them, you’ll feel just as devastated as if a five-alarm fire destroyed your duplex.

Now pardon me for a moment. I’m going to change my iCloud password again. You should, too. Be safe out there.



Leave a Reply

Your email address will not be published. Required fields are marked *