iPhone "MFA Bombing" Exploit in the wild

March 28, 2024

We are receiving reports of a new iPhone exploit, currently in use by bad actors, that takes advantage of a bug in Apple’s Reset Password feature. Targeted victims of this attack will often see dozens of Reset Password notifications spamming their notification screen (see screenshot at end of email). This kind of attack is called “push bombing” or “MFA bombing”. Victims who tap “Allow” and attempt to type in their password may actually be giving their real password to the bad actors or allowing the bad actors to access the device.

In the event your iPhone is attacked in this manner, do not tap Allow or attempt to type in your password. The prompt will fail every time, and you will eventually receive a spoofed call from the bad actors that appears to come from actual Apple Support. Apple will NEVER reach out to you first unless you have contacted Apple and requested that Apple call you.

The attack appears to target the phone by its phone number, as victims who got new iPhones and new Apple IDs were still attacked in this manner if they kept their old phone number.

More information about this new attack can be found here:

https://krebsonsecurity.com/2024/03/recent-mfa-bombing-attacks-targeting-apple-users/

https://www.beyondtrust.com/resources/glossary/mfa-fatigue-attack

This is a new exploit in the wild, so Apple is undoubtedly working the problem. Please let us know if anyone sees this attack on their iPhone.