Did Gmail ever NOT ignore periods in usernames? Apple ID using my Gmail address

1,788 Views | 20 Replies | Last: 2 yr ago by Keegan99
Keegan99

My usual Gmail username, which I registered for on the first day of Gmail, has a period in it.

Someone has registered for an Apple ID using that Gmail username without any periods. So Apple, knowing that Gmail ignores periods, won't let me set up an Apple ID using my Gmail address.

However, I can change the password for that existing Apple ID - since the password reset emails go to my Gmail, as they should - but I cannot log in because I do not know that user's security questions.

In a nutshell, I'm trying to figure out how someone was able to set up an Apple ID using my Gmail address, even though I have always owned that Gmail address. And I'm trying to figure out how I can reclaim that Apple ID and/or prevent that individual from using an Apple ID with my Gmail username.
Fenrir
Sounds similar to a phishing scam honestly.

Scammer sets up account and uses bad credit card info, website sends email to real.person Gmail asking them to update billing info, and once updated scammer has access to billing info.

https://jameshfisher.com/2018/04/07/the-dots-do-matter-how-to-scam-a-gmail-user/
Bregxit
Fenrir said:

Sounds similar to a phishing scam honestly.

Scammer sets up account and uses bad credit card info, website sends email to real.person Gmail asking them to update billing info, and once updated scammer has access to billing info.

https://jameshfisher.com/2018/04/07/the-dots-do-matter-how-to-scam-a-gmail-user/


Mr. Fisher's scam theory has a hole in it I think. Let's step through this.

1) Scammer finds Gmail address at Netflix, creates account with dot
2) Scammer uses throwaway card, cancels it, whatever
3) Gmail owner gets nonpayment notification. Clicks update link in email

At that point, the Gmail owner has to reset the password to access the account and update the payment method. I'd think the Gmail owner would notice all the non-matching information in the account. Further, at that point, the scammer can no longer access the Netflix account due to the password change.

Am I missing something?
Fenrir
Never had the issue pop up in this exact scenario but I know with some other websites, sometimes if I get an email it doesn't require me to input a password before getting into a place where info can be input.

As far as I am aware Gmail has never accounted for dots, so not sure how the account was originally set up since it would normally require email verification in Keegan's scenario.
Keegan99
Fenrir said:

Sounds similar to a phishing scam honestly.

Scammer sets up account and uses bad credit card info, website sends email to real.person Gmail asking them to update billing info, and once updated scammer has access to billing info.

https://jameshfisher.com/2018/04/07/the-dots-do-matter-how-to-scam-a-gmail-user/


Ordinarily I would think that, except Apple's registration seems aware of the dot. The existing ID is dotless, and Apple won't let me register my dotted version as a result.

I did go through my Gmail and found, several years ago, that "Darleen Keegan" invited the dotless form of my Gmail username to her "Family Sharing" - because I received the invitation.

(I'm not related to anyone named "Darleen". I don't even know anyone named "Darleen".)

Perhaps "Family Sharing" is a loophole that allows someone to register or otherwise reserve an Apple ID without confirming an email address?

BusterAg
Call Apple. Tell them you forgot the security question or that your account was hacked. They will likely send you a recall email to your Gmail, and when you confirm, profit.

Or go to a genius bar and do the same.

Dealing with customer service people is a pain, but sometimes the best solution.
"Laws that forbid the carrying of arms … disarm only those who are neither inclined nor determined to commit crimes… . Such laws make things worse for the assaulted and better for the assailants; they serve rather to encourage than to prevent homicides, for an unarmed man may be attacked with greater confidence than an armed man."

--Thomas Jefferson
Keegan99
Oh, that's the fun part!

I can send a password reset email to my Gmail address and change the password for the Apple ID just fine. I should be good, right?

[Lee Corso Not So Fast dot GIF]

But then when I log in with the new password, I get hit with the security questions - questions for which I do not know the answer!
Guitarsoup
Looking forward to seeing what photos are in Darleen's iCloud.
Proposition Joe
Many will swear it's user error, but I really don't think Gmail handled periods 100% correctly back when it debuted.
Bregxit
Proposition Joe said:

Many will swear it's user error, but I really don't think Gmail handled periods 100% correctly back when it debuted.


Gmail's handling of periods has been the same since inception. It was and still is considered a feature.

The universal failure revolving around email in general is websites/companies allowing registration of email addresses without verification.
Keegan99

Quote:

The universal failure revolving around email in general is websites/companies allowing registration of email addresses without verification.

That definitely seems to be the root cause here.

I'm just shocked that Apple had (has?) this issue. Perhaps the "Family Sharing" was a loophole that permitted it.
Bregxit
Keegan99 said:


Quote:

The universal failure revolving around email in general is websites/companies allowing registration of email addresses without verification.

That definitely seems to be the root cause here.

I'm just shocked that Apple had (has?) this issue. Perhaps the "Family Sharing" was a loophole that permitted it.

I don't think so. I had to create Apple IDs and verify them for my kids. Unless there was another way around it farther back but they have been set up for 5 or so years now.

One would think Apple would have to rectify it somehow (maybe at an Apple store in person) since you are the owner of the email account.

I had to go round and round with Sony when PS3 came out because someone used my email address to register a PSN account and there was no email verification at that time. Took me 4-5 days of calls and emails before I could use my damned console.
Bregxit
Keegan99 said:


Quote:

The universal failure revolving around email in general is websites/companies allowing registration of email addresses without verification.

That definitely seems to be the root cause here.

I'm just shocked that Apple had (has?) this issue. Perhaps the "Family Sharing" was a loophole that permitted it.

Interesting Google thread about this issue from 2013...

https://support.google.com/mail/forum/AAAAK7un8RUR28uU_xCrSo/?hl=en&gpf=%23!topic%2Fgmail%2FR28uU_xCrSo

It appears that at least at some point, Apple just created accounts even if they went unverified.
BusterAg
Keegan99 said:

Oh, that's the fun part!

I can send a password reset email to my Gmail address and change the password for the Apple ID just fine. I should be good, right?

[Lee Corso Not So Fast dot GIF]

But then when I log in with the new password, I get hit with the security questions - questions for which I do not know the answer!

Right.

But, if you get on the phone with an Apple person, they can reset the security question.
Keegan99
I have a call in with Apple. They are confused as to how this happened, and have escalated the issue, as the frontline support cannot delete an Apple ID or transfer ownership. I'm supposed to get a call back tomorrow, where they should be able to turn the Apple ID over to me.
BusterAg
Keegan99 said:

I have a call in with Apple. They are confused as to how this happened, and have escalated the issue, as the frontline support cannot delete an Apple ID or transfer ownership. I'm supposed to get a call back tomorrow, where they should be able to turn the Apple ID over to me.

Great.

Keep us updated. I'm interested to see how this plays out.
Keegan99

Quote:

I don't think so. I had to create Apple IDs and verify them for my kids. Unless there was another way around it farther back but they have been set up for 5 or so years now.

What I'm thinking is that the Apple ID is sitting in a limbo state, where it has been claimed but is also unverified and inactive.

That somehow Darleen was able to call immortal dibs on it by entering it into her "Family Sharing" plan.
Bregxit
Keegan99 said:


Quote:

I don't think so. I had to create Apple IDs and verify them for my kids. Unless there was another way around it farther back but they have been set up for 5 or so years now.

What I'm thinking is that the Apple ID is sitting in a limbo state, where it has been claimed but is also unverified and inactive.

That somehow Darleen was able to call immortal dibs on it by entering it into her "Family Sharing" plan.

Check out my next post. Looks like Apple may not (or did not before) actually care if you clicked on the Verify button in the email. Lady had screenshots after she got into the squatter's Apple account and it showed verified.
Keegan99
Apple tells me that the Apple ID using my Gmail was unverified. (Obviously.)

Apple also tells me that the Apple ID using my Gmail address has been deleted. (Great!)

Apple also tells me that I have to wait 30 days to use my Gmail address for an Apple ID (Uh... WTF?!)


The latter point is a major problem. A malicious actor could attempt to register email addresses for Apple IDs, knowing the email address will never be confirmed, and that when the victim tries to create an Apple ID and Apple support figures it out, the victim will still have to wait a month to claim their Apple ID. I'm sure there is some legal or business reasoning for the 30 day policy, but it is obvious that whoever created the policy did not contemplate this scenario.
Bregxit
Keegan99 said:

Apple tells me that the Apple ID using my Gmail was unverified. (Obviously.)

Apple also tells me that the Apple ID using my Gmail address has been deleted. (Great!)

Apple also tells me that I have to wait 30 days to use my Gmail address for an Apple ID (Uh... WTF?!)


The latter point is a major problem. A malicious actor could attempt to register email addresses for Apple IDs, knowing the email address will never be confirmed, and that when the victim tries to create an Apple ID and Apple support figures it out, the victim will still have to wait a month to claim their Apple ID. I'm sure there is some legal or business reasoning for the 30 day policy, but it is obvious that whoever created the policy did not contemplate this scenario.


Can you stick a period in a different spot? In other words, use Gmail's system to fool Apple?
Keegan99
Unfortunately not. Apple is wise to Gmail ignoring dots in usernames.

Hence why someone attempting to register firstnamelastname@gmail.com blocked me from registering firstname.lastname@gmail.com (which started this whole fiasco).
Keegan99
Apple is stubbornly sticking to insisting on the 30 day wait.

Technical issues I can understand. But this is just some mindless corporate policy which carries with it no ability to actually speak with someone that can fix the problem.
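
The root cause named in this thread (registration without email verification, combined with dot-insensitive matching of Gmail addresses) and the lockout of the real owner that follows from it, as an added example that is not part of the original posts and is not Apple's code: a registry that treats dotted and dotless Gmail forms as one mailbox but lets only a verified claim reserve it. The `Registry` class, `PENDING_TTL` and the token flow are assumptions made for illustration.

```python
import secrets
import time

PENDING_TTL = 24 * 3600  # assumption: unverified claims lapse after one day


def canonical(email):
    """Uniqueness key: case-folded, and dot-insensitive for Gmail."""
    local, _, domain = email.strip().lower().rpartition("@")
    if not local or not domain:
        raise ValueError("not an email address")
    if domain == "gmail.com":
        local = local.replace(".", "")
    return f"{local}@{domain}"


class Registry:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.verified = {}  # canonical address -> account name
        self.pending = {}   # token -> (canonical address, account, expiry)

    def register(self, email, account):
        """Start a claim; returns the token that would be mailed to `email`."""
        key = canonical(email)
        if key in self.verified:
            raise ValueError("address already belongs to a verified account")
        # An unverified claim reserves nothing, so several may coexist.
        token = secrets.token_urlsafe(16)
        self.pending[token] = (key, account, self.clock() + PENDING_TTL)
        return token

    def confirm(self, token):
        """Called when the mailbox owner follows the emailed link."""
        key, account, expiry = self.pending.pop(token, (None, None, 0))
        if key is None or self.clock() > expiry or key in self.verified:
            return False
        self.verified[key] = account
        # Every other outstanding claim on the same mailbox is discarded.
        self.pending = {t: p for t, p in self.pending.items() if p[0] != key}
        return True
```

Because only `confirm` writes to `verified`, someone who typed in another person's address holds the name for at most `PENDING_TTL` and never blocks the mailbox owner's own registration.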