The emails look legit, came from noreply@email.apple.com, don’t even have a link in them to reset password, just a plaintext url to access appleid settings if I need to reset password.
Dear <>,
Your Apple ID (<>) was used to sign in to iCloud via a web browser.
Date and Time: October 21, 2023, 10:30 PM PDT
If the information above looks familiar, you can ignore this message.
If you have not signed in to iCloud recently and believe someone may have accessed your account, go to Apple ID (https://appleid.apple.com) and change your password as soon as possible.
Apple Support
I have 2fa enabled, and haven’t got a login request any time I’ve got one of these emails.
The password isn’t used for anything else, and is complicated enough that I highly doubt it was bruteforced.
The only other thing of note, is that around the time I started getting these emails, my windows machine prompted me a couple of times in a couple of days to re-sign-in to the iCloud desktop app. But the signin requests have stopped on windows, and the emails have continued. Oh, and this desktop currently shows up 4 times in the appleid devices list for some reason.
Anyone have any idea whats going on?
As a last resort I may contact apple support, but 1. I’ve been apple support before, and 2. the couple of times I’ve been stumped by apple device behavior, even their highest available support specialist couldn’t resolve the issue (Though, I did eventually figure it out on my own)
Does the link actually go where it says it goes? May be a phishing attempt?
The link isn’t even clickable in the email, so I don’t see how it could be a phishing attempt.
Edit: This wasn’t meant to be a condescending tone or anything, not sure why the downvotes. Am I missing something?
Even if it is not clickable some folks copy/paste, and you can long press a url in iOS. The “L” in apple could be masked with an “i” but Apple should have bought that domain already. There was just a big phishing attack the other day where someone used an lookalike character that some browsers didn’t filter out.
Ah, ok. Makes sense. Let me take a look…
um, no, pasted it into sublime-text and did a find for a hand-typed url, and its all normal characters. Did an online string compare too, no difference.
At this point, I’m quite sure its a bug in either their server software, or the windows icloud application.