Distinct Apple IDs for the same GMail account
Written on 28 January 2017, 02:45pm
It’s probably well known by now the fact that when you create a GMail account, any periods (dot characters) in your username will be ignored by GMail:
If you have a personal account (typically ending in gmail.com), it doesn’t matter if people type the period in your username or not.
For example, emails to all of these addresses will be delivered to the same Gmail account:
What is the impact of this feature on the creation of new Apple IDs?
Well, for Apple the 3 email addresses above are distinct, so they will allow to create 3 separate Apple IDs with the 3 email addresses. During the Apple ID registration process, an email with the subject
Verify your Apple ID email address will be sent to confirm the ownership of the email address. Naturally, in all the 3 cases above, the 3 emails will be delivered to the same GMail account.
This is already a bit awkward, but I guess it’s something that does not create any problems, so Apple had no reason to work around it.
The real problem is described below.
My wife has the Apple ID
firstname.lastname@example.org. I’ll obviously not publish the real one, but it has a dot between the first name and the last name.
On 28/01/2017, between 2:31 and 3:45 CET she receives 21 email messages from
Apple email@example.com sent to
Janedoe firstname.lastname@example.org in Spanish. These emails are not for her: notice the lack of dot in the
To: field. However, the first name and last name were correct, even if they were in one word:
In the middle of that email strings, at 3:36 CET she receives another email from
Apple email@example.com sent to
Janedoe firstname.lastname@example.org, still in Spanish, with the message that the Apple ID was used to sign up on iCloud on a new device. Again, an email not for her (notice the lack of dot in the email) but with an identical device (model and iOS version). The Apple address in the footer, different from the one in the first email, made things look a bit odd:
In the morning, at 9:25 I changed the password for my wife’s Apple ID
email@example.com. The two factor authentication was already enabled, so I was not worrried.
To my surprise, two more emails similar to the first 21 were received at 10:01 and 10:48.
At 11:52 I got in touch with Apple Support by phone, confirming that
firstname.lastname@example.org are pointing to different Apple IDs. Naturally, for privacy reasons, the support representative could not give me any information about the other Apple ID.
I also reported the problem on Twitter.
I made some tests myself: I created two test Apple IDs by using a GMail address with the dot placed in 2 different positions. Compared to the first email – which had the subject ‘Verify your Apple ID’, this email had the subject ‘Verify your Apple ID email address’ and it was sending a 6-digits confirmation code:
I also used this form, to confirm that both
email@example.com are valid Apple IDs, both associated with the first name and last name of my wife:
I am a bit puzzled by the entire situation. I am confident that there was no phishing attempt (despite the different ‘From:’ fields and the different Apple addresses in the footer) and I am also confident that the Apple ID of my wife is not compromised (just changed the password + have two factor authentication). But I still don’t understand a few things:
1. how was the email address
firstname.lastname@example.org associated with an Apple ID in the first place, without my wife receiving any confirmation email?
2. what is the action that triggered the strings of emails sent to my wife?
I tried a few scenarios (changing the primary email, adding a secondary email and adding a rescue email to my ‘test’ account), but all of them triggered emails with verification codes, nothing similar to the email in the first screenshot.
The most plausible answer so far would be that the
email@example.com Apple ID was created long time ago, when email verification was not necessary (I don’t know if this was ever possible), and that the person that created it has (by coincidence) the same first name and last name as my wife.
I have no conclusion to this. Hopefully Apple will clear things out. I’ll update this post as soon as I’ll have more information.
Update 29/01/2017: AppleSupport was really friendly on Twitter. Waiting for someone to call me.
I had another look at the links in the first email (forensic analysis FTW 🙂 ); I can see the following format:
This redirects to
Here the email address
firstname.lastname@example.org is pre-filled, and is asking for the password:
It’s strange because I could not reproduce this situation in any of my tests. I even tried to change the Apple ID of my wife by using the recommended way (I tried to change her Apple ID from
email@example.com), but I only received an email with the 6-digits code. Nothing similar to the emails in Spanish sent to
Still waiting for an answer…
Written by Dorin Moise (Published articles: 263)