Just got a password reset message for my Apple ID, that I didn't initiate

Not great, got the alert on MBA and iPhone. I of course declined it. I have a solid password, and I have 2FA enabled. Anything else I should be doing? Thanks!

This is a password reset request or a request to allow a device for 2FA?
If just a password reset, nothing to worry about, someone might have entered your email by mistake.
If it’s a 2FA request, you should be concerned, your password is known in the wild.


Or if it’s a text in Messages: remove and ignore, someone is possibly smishing you.

Yeah, I don’t think this was that. But thanks!

Yeah I think it was the latter. Password changed to something else. And fortunately that password was unique and used nowhere else.

Should I set up an Apple ID recovery key? Is there any reason I shouldn’t?

Risk of being permanently locked out of your account is the biggest reason against using a recovery key so is worth considering.

From this knowledge base article:

Using a recovery key is more secure, but it means that you’re responsible for maintaining access to your trusted devices and your recovery key. If you lose both of these items, you could be locked out of your account permanently.

If your password was really strong, then you have two things to consider:

  1. Your password manager might be compromised. I hope not.
  2. The 2FA request came from one of your devices that you did not use for a while, like an Apple TV or something.

Looks like your security worked as designed. For whatever reason (probably unknowable) a request came in, you denied it, and that’s that. If it were me, I would go ahead and change the password to a different, equally strong or stronger password.

Apple 2FA, for me, pops up an alert on all my devices to enter and allow. I don’t get an SMS with the code. So I’m not sure why you’re getting an SMS.

A password reset request, almost by definition, means they didn’t compromise your password. So even if it was legit, that would mean somebody else is trying to reset your password.

That’s for a login though, correct? If so, that only happens after the correct password is entered.

Yeah it was definitely sketchy and I’m not entirely sure what happened. I did change the password anyway to another very good one, and it’s again not used anywhere else. Thanks for the help, everyone!

It happened to me last night. Got out of bed at 11:30pm to change my !@#$%^& password and sign in again on my devices. I think I now better understand your frustration and worry!

Thinking: Why did you change your password when it was strong and you have 2FA?

It’s easy to click on an “I forgot my password” button and you would get a mail about it. Doesn’t mean you need to change it. It would have been worse if you saw the “Allow this device to connect” dialogue on your device. :wink:

That was my first thought, too. No need to change. But Apple recommends it in their opaque messaging and the possibility I might be losing control of my Apple world was daunting. Plus it was 11:30 at night and I’m not at my best at that time of day! :slightly_smiling_face:

Correct. It could be someone trying to break in, or it could just be someone who mistyped his own username.

I once received a receipt for lunch from a chain restaurant hundreds of miles away. Some clown had created an account using my Gmail address. So I installed the restaurant’s app and requested a password reset. And, of course, the verification code came to my email account.

I was tempted for a minute to use the app, which was still linked to his credit card, to buy lunch :grinning:, but I didn’t.

