If your Apple device has received a password reset notification, do not touch it! Hackers carry out a phishing attack (capture of personal data) using a bug in the Apple ID password reset feature.

According to KrebsOnSecurity's report, phishing attacks thought to be caused by a bug in Apple's password reset feature are becoming increasingly common. Some Apple users have started receiving notifications or multi-factor authentication messages asking them to confirm an Apple ID password change.

Don't touch password reset request notifications!

Hackers are repeatedly sending password reset requests to targeted iPhone users to get them to click on the notification and confirm. When the user confirms by tapping Allow, the attacker has captured the Apple ID password. Since the password requests target the Apple ID, they appear on all of the user's devices and do not disappear until they confirm, rendering the device unusable. Attackers who cannot reach their target through notifications start trying to access the single-use password via a phone call.

It's unclear how attackers exploited Apple's password reset system to bombard Apple users with notifications and messages, but there is clearly a bug. The only thing an Apple device user targeted by this type of attack can do is pass all requests with the option to allow, and know that Apple does not make phone calls asking for a one-time password reset code.