Why did I unexpectedly get a notification on my iPhone that says "Use this iPhone to reset your Apple ID password."?

A notification about resetting my Apple ID password appeared randomly on my iPhone:

[image: Reset password notification]

I'm alarmed that this means somebody is attempting to break into my Apple account.

If I follow the notification, it just gives me an option to "Don't Allow" or "Allow":

[image: Reset password prompt with "Don't Allow" / "Allow" buttons]

I didn't select either option, and instead reset my phone - which made the notification go away.

To be safe, I updated my Apple ID password (on appleid.apple.com).

What prompted this notification, and do I need to be concerned about the security of my Apple ID?


What happened?

This is actually a widespread issue that was reported by others on the MacRumors forums yesterday. Likely we'll see this happen to more and more iPhone users.

This Twitter Thread explains that there is a security flaw in Apple's password reset process which gives explicit confirmation once a correct phone number is inputted for a given Apple ID.

It shows a failure for an incorrect number:


And triggers a notification to your devices for a correct number:


This notification is what caused your iPhone to prompt you to reset your Apple ID password.

What does this mean?

  • Your Apple ID was not broken into.
    • It's good practice to update your passwords periodically anyway.
  • An attacker now knows your Apple ID and corresponding phone number.
    • I'm not certain what they'll do with this information, but it's valuable.
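The flaw the answer describes is an enumeration oracle: the reset endpoint answers differently for a wrong phone number than for a right one, and the right one also fires a push to the victim's devices. The toy model below, written for this page and not taken from the original post or from Apple's actual implementation, puts that vulnerable behaviour beside a hardened endpoint that returns one uniform reply, compares in constant time, and caps attempts per Apple ID so guessing cannot spam the victim with prompts. The Apple IDs, phone numbers, candidate list and thresholds are all constructed for the example.

```python
"""Added example, not from the original post: a constructed account-enumeration
oracle in a password-reset flow, and one way to close it. Nothing here is
Apple's code; accounts, numbers and limits are made up for illustration."""
import hmac
import time
from collections import defaultdict, deque

# Constructed sample accounts: hypothetical Apple IDs and phone numbers.
ACCOUNTS = {
    "alice@example.com": "+15550100",
    "bob@example.com": "+15550111",
}

# Constructed attacker guess list; Alice's real number is the fifth entry.
CANDIDATES = ["+15550103", "+15550104", "+15550105", "+15550106",
              "+15550100", "+15550111"]

# The hardened service returns exactly this whether or not the number matches.
UNIFORM_REPLY = {"ok": True,
                 "message": "If the details match, a reset prompt will be sent to your devices."}


class VulnerableResetService:
    """The behaviour the answer describes: a wrong number gets an explicit
    failure, a right number gets success plus a push to the victim's devices."""

    def __init__(self):
        self.pushes_sent = []  # one entry per "Use this iPhone to reset..." prompt

    def request_reset(self, apple_id, phone):
        if ACCOUNTS.get(apple_id) != phone:
            return {"ok": False, "message": "Phone number doesn't match this Apple ID."}
        self.pushes_sent.append(apple_id)  # lands on the victim's iPhone
        return {"ok": True, "message": "Check your devices for a reset prompt."}


class HardenedResetService:
    """Removes the oracle: identical reply for match and mismatch, constant-time
    comparison, and a per-Apple-ID attempt budget (hypothetical values) so that
    repeated guessing neither confirms the number nor floods the victim."""

    def __init__(self, max_attempts=3, window_seconds=3600, clock=time.monotonic):
        self.pushes_sent = []
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.clock = clock
        self._attempts = defaultdict(deque)  # apple_id -> timestamps of recent attempts

    def _over_budget(self, apple_id):
        """Sliding-window counter; every attempt counts, matching or not."""
        now = self.clock()
        recent = self._attempts[apple_id]
        while recent and now - recent[0] > self.window:
            recent.popleft()
        recent.append(now)
        return len(recent) > self.max_attempts

    def request_reset(self, apple_id, phone):
        over = self._over_budget(apple_id)
        expected = ACCOUNTS.get(apple_id, "")
        # compare_digest avoids a timing side channel; pad so lengths never differ
        matched = hmac.compare_digest(expected.ljust(32), phone.ljust(32))
        if matched and not over:
            self.pushes_sent.append(apple_id)  # legitimate user still gets the prompt
        return dict(UNIFORM_REPLY)  # attacker learns nothing from the reply


def enumerate_phone(service, apple_id, candidates):
    """Attacker loop: returns the candidate the service confirmed, or None when
    every reply is indistinguishable (no oracle to exploit)."""
    replies = set()
    hit = None
    for phone in candidates:
        reply = service.request_reset(apple_id, phone)
        replies.add((reply["ok"], reply["message"]))
        if reply["ok"] and hit is None:
            hit = phone
    return hit if len(replies) > 1 else None


if __name__ == "__main__":
    vuln = VulnerableResetService()
    print("vulnerable:", enumerate_phone(vuln, "alice@example.com", CANDIDATES),
          "pushes:", vuln.pushes_sent)
    hard = HardenedResetService()
    print("hardened:  ", enumerate_phone(hard, "alice@example.com", CANDIDATES),
          "pushes:", hard.pushes_sent)
```

Against the vulnerable service the attacker recovers Alice's number with one push landing on her phone (exactly the notification the question describes); against the hardened one the same guess list yields nothing and, because the budget is exhausted before the right number comes up, no prompt reaches her at all. The uniform reply is the part that closes the oracle; the rate limit is what stops a correct guess from being used to harass the victim's devices.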