An Apple worker with knowledge of the situation, speaking on condition of anonymity, told Wired that the over-the-phone password freeze would last at least 24 hours. The employee speculated that the freeze was put in place to give Apple more time to determine what security policies needed to be changed, if any.
This is a good first step.
In an earlier attempt on Tuesday to change an AppleID password (which is the same password used to log into iCloud and iTunes), Apple customer service offered up a different response, saying that passwords could only be changed over the phone if we were able to supply a serial number for a device linked to the AppleID in question — for example, an iPhone, iPad or MacBook computer.
This seems like a bad idea, as anyone who had not specifically deactivated a device before selling or donating it would be vulnerable.
Yesterday, Apple issued a statement noting that “we found that our own internal policies were not followed completely.” However, Wired’s internal source at Apple said that if the support representative who took the hacker’s call issued a temporary password based on an Apple ID, billing address, and the last four digits of a credit card, he or she would have “absolutely” been in compliance with Apple policy.