> Having both the password and the phone basically proves full ownership.

The thieves changed the phone number immediately while they only obtained the password around 5 days after stealing the phone. Had Apple support been more... well, supportive, we would have been able to recover the account long before the thieves got the second factor. There was a big window of time in which Apple could have helped, but they chose to send us in circles instead. As for "proving full ownership", those factors cannot prove full ownership because the thieves are not the legal owners of the account. There are multiple ways in which we can prove ownership (legal documents, access to the iCloud email, photos of us inside the account, etc) but Apple doesn't want to provide real tech support (as this commenter [1] pointed out). Also, related: had this happened in Europe, the GDPR would force Apple to provide my brother his data (as I've written before regarding Google and a locked account [2]). So it's not like they can't, but rather that they don't want to, and I think it's perfectly fair to criticize them for that.

[1] https://news.ycombinator.com/item?id=34407647

[2] https://7c0h.com/blog/new/lost_gmail_ii.html
Saying that, I can see how by limiting their involvement they are reducing the risk surface. To address issues like that (and there is, of course, a huge spectrum of account hijacking situations) they would need to train an army of international support representatives who would have the authority to overwrite iCloud ownership - an incredibly questionable power. They would need to be able to validate various documents (e.g. US military ID or some obscure residence permit in Japan), be able to verify photos (which with recent ML advancements is becoming increasingly difficult), make phone and video calls to verify identity, and so much more. In turn, these representatives would become vulnerable to social engineering attacks themselves. If they overwrite ownership for a very sensitive account - who would ever trust Apple again?
It’s basically one of the major principles of cryptographic products: it’s safer for them (and, to be honest, for everyone) to deny giving access to one account than to jeopardize trust in the entire company.
I hope Apple will be able to help you through some process - maybe it takes longer than it should have. Good luck!