In early September last year, just before Apple launched its new iPhones and iOS operating system, the company was hit by a huge data breach scandal: naked pictures of many celebrities, stolen directly from their iCloud photos, appeared online. iTunes itself was not cracked by hackers, who employed other means to get access to those accounts, but Apple still felt like it had to explain its stance on privacy and security in the days and weeks that followed. The company assured users their data is safe from hackers and spy agencies, further urging them to use the improved two-factor authentication features for their Apple IDs.
However, even though Apple will now warn users when their Apple IDs might be used on an unauthorized device, that’s still not a good enough measure to protect one’s personal data. In fact, no matter how secure two-factor authentication is, the security measure doesn’t protect many parts of your Apple ID account, as Dani Grant has found out.
As long as a person has access to your Apple ID credentials (the email and password with which you log into Apple services), he or she could easily access many services, including iMessage, FaceTime, or Apple.com, without always triggering an alert. And logging into these services is possible without two-factor authentication, even on accounts that have the feature enabled.
Grant logged into iMessage, FaceTime, iTunes, the App Store and Apple.com without receiving two-factor authentication prompts for each successful attempt. Only the FaceTime login was flagged by Apple’s system, which issued a security warning via email.
By being able to easily access these services, one could get a detailed look at someone else’s iMessage and FaceTime history, access personal data stored in iTunes and see a complete app purchase history for that person, which could expose additional sensitive data.
In other words, a third party would only have to somehow steal your Apple ID credentials to get access to highly sensitive data. For more details, check out Grant’s full report at the source link below.