Why is Apple telling me to change my password after receiving a password reset email?

Solution 1:

I'm not sure this question is actually on-topic here because you're effectively asking why Apple does something. That said, I offer this answer in the event it is kept open, and because I have worked in the IT Security field.

At the outset, I'm assuming that the email you received was a genuine email from Apple and not a phishing attempt.

The reality is that if someone other than you has requested a password reset, then you should assume they are up to no good. And, if that is the case, how many of your other online services are they also trying to access/reset?

Unfortunately, many online users use the same password for many accounts. And this vulnerability is the number one way that hackers (etc.) breach accounts. For example, you would have heard of the iCloud leaks of celebrity photos (known as The Fappening) that occurred in August 2014. While at first it appeared that the fault was somehow related to Apple's iCloud services, after an investigation Apple stated:

The leaked images were the result of compromised accounts, using "a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet". None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone.

Source: Apple Media Advisory

This highlights why Apple would want you to change your password. Say you were being targeted by someone: by obtaining your password from one site, they know there's a good chance you've used the same password on another. And if someone has deliberately tried to reset your Apple ID password, then from a risk management perspective you have to assume they've also tried accessing some of your other online services.

So, by Apple telling you to reset your password on their service, they are trying to help you manage that risk.

Unfortunately, it's often not just the same password people use on their accounts, but the same security questions, the same recovery emails, etc. So, resetting your password is an excellent precautionary measure to take.

Finally, by Apple stating in their email to reset your password without delay, they are exercising their duty of care and this would be very important in the event of a breach and/or subsequent legal action.

Solution 2:

The thinking is that most likely this isn't a prank and that it means somebody is trying to gain access to your account. While I agree it's unlikely somebody will get into your account, I can see why Apple recommends this for the masses.

I would assume this happens mostly because of typos (especially if you have a common name), such as using @gmail instead of @hotmail etc., but you can't be too careful these days.

This could also be hackers trying to confirm active accounts.

Assuming you have a strong password and 2-step verification on, you should be OK. It's advised to change your password periodically anyway, so if you haven't done that in the past few months I would.

It's a personal decision but for the masses (who mostly have weak passwords) I would recommend they change their password (just like Apple has).