Your phone buzzes. It says, “Your Apple ID is being used to sign in [via some method] near [place that’s nowhere near you].”
What do you do?
Quick! Unlock your phone, tap Don’t Allow (or click it on a Mac), and immediately change your Apple ID password on whatever device is closest or via the Apple ID website.
Apple’s two-factor authentication (2FA) system for Apple ID accounts deters account hacking by requiring that someone both grab your username and password and have access to your phone number or a trusted physical device. This alert about a login is an extra check. After your username and password are correctly entered from a new device, a new web browser, a somewhat different geographic location, or even on a previously authenticated device for reasons Apple doesn’t disclose, all your associated Apple hardware pops up with the message above, or, if already unlocked or on a Mac, “Apple ID Sign In Requested” with additional information and a small map preview.
If you haven’t changed your Apple ID’s password in a while and you’ve ever re-used the password with another site, this could be either the result of an old password breach elsewhere or one that just occurred. (You can use the free Have I Been Pwned? to get automatic notifications if your email address is found in a fresh account breach. 1Password has built in a direct connection to the service, too: your “pwned”—hacker slang for “taken over”—account appears in the Watchtower list under Compromised Website if you have the feature enabled.)
Crackers who want to break into accounts use these password breaches to try account credentials at other sites. An errant 2FA notification might mean they succeeded—but didn’t get past the second-factor requirement of you having to approve the login. This is why, in an abundance of caution, you should change your associated Apple ID password immediately.
You might sometimes see an odd location appear when you try to log in. That can occur because you’re using a VPN that has the other “end” of its encrypted tunnel pop out far from you. It can also happen if the system Apple relies on to identify the login location is inaccurate. Apple appears to rely on internet protocol records for geolocation. While usually on target within a decent radius of your city or region, these IP guesses can sometimes be way off.
In those cases, at least, you know that you initiated the login. It didn’t come out of the blue. Any unknown login attempt should be rejected.
This Mac 911 article is in response to a question submitted by Macworld reader K.P.