[limitedsupply]

I am sorry this happened to your brother.

I think the information you added makes the majority of the discussion in this thread irrelevant. If the thieves phished the password in a separate attack and then used that to perform iCloud account hijacking - then that's a fairly expected outcome that is not unusual in the industry. Having both the password and the phone basically proves full ownership.

I empathize with your frustration, but realistically speaking, the outcome very likely would have been the same if he used any other phone from a major tech company.

[fsckboy]

I use a 4 digit unlock code, and every now and then I get curious and look to see if I have smudges over those numbers. I've never seen telltale smudges on mine. Of course MMV

[probably_wrong]

> Having both the password and the phone basically proves full ownership.

The thieves changed the phone number immediately while they only obtained the password around 5 days after stealing the phone. Had Apple support been more... well, supportive, we would have been able to recover the account long before the thieves got the second factor. There was a big window of time in which Apple could have helped, but they chose to send us in circles instead.

As for "proving full ownership", those factors cannot prove full ownership because the thieves are not the legal owners of the account. There are multiple ways in which we can prove ownership (legal documents, access to the iCloud email, photos of us inside the account, etc) but Apple doesn't want to provide real tech support (as this commenter [1] pointed out).

Also, related: had this happened in Europe, the GDPR would force Apple to provide my brother his data (as I've written before regarding Google and a locked account [2]). So it's not like they can't, but rather that they don't want to, and I think it's perfectly fair to criticize them for that.

[1] https://news.ycombinator.com/item?id=34407647

[2] https://7c0h.com/blog/new/lost_gmail_ii.html

[limitedsupply]

Look, I totally agree with you: this situation is everyone’s worst nightmare. I wish Apple has responded in a more reasonable and timely way.

Saying that, I can see how by limiting their involvement they are reducing the risk surface. To address issues like that (and there is, of course, a huge spectrum of account hijacking situations) they would need to train an army of international support representatives who would have the authority to overwrite iCloud ownership - an incredibly questionable power. They would need to be able to validate various documents (e.g. US military ID or some obscure residence permit in Japan), be able to verify photos (which with recent ML advancements is becoming increasingly difficult), make phone and video calls to verify identify, and so much more. In turn, these representatives would become vulnerable to social engineering attacks themselves. If they overwrite ownership for a very sensitive account - who would ever trust Apple again?

It’s basically one of the major principles of cryptographic products: it’s safer for them (and, to be honest, for everyone) to deny giving access to one account, then jeopardize trust in the entire company.

I hope Apple will be able to help you through some process - maybe it takes longer than it should have. Good luck!

[wjnc]

One note: I was the target of a spamming campaign by someone with too much time and bad intent (possibly automated). Under GDPR I asked for my personal data including IP address for the accounts created in my name. Many parties delivered, but some of the privacy professionals noted that since I claimed I did not create the account, the personal data wasn’t mine. I found that unexpected and clever. Never got around to filing a police report and finding the person using the IP address since luckily the harassment stopped.