
App Store, Hacked. (Updated: iTunes Accounts too.)

By Zee on July 4th, 2010

Editor’s Note: This article began with details of one specific app developer hacking iTunes users’ accounts and purchasing their own apps using those accounts – making it to the top of the iTunes charts. As the story has developed it appears to be far more widespread than just that one particular developer and his apps…the Apple App store is filled with App Farms being used to steal. We’ve put together a complete list of all the facts and updates to this story here which we highly recommend you read instead of this article. Apple has also now released a statement about the matter.

Two iPhone App developers have spotted what appears to be a hacking of the App store rankings by a rogue developer. The rankings in the books category of the US iTunes store feature 40 out of 50 apps by the same app developer, Thuat Nguyen.

What’s more concerning is that it seems individuals’ iTunes accounts have been hacked to make mass purchases of that one developer’s apps. (Update: this does not appear to just be one specific developer nor one particular set of apps any more. Details at the foot of this post.)

One look at a screenshot of some Twitter search results above or this MacRumors thread should ring alarm bells – there is a problem. What’s more concerning is that these are only the people reporting it on Twitter and forums; plenty of others will not have.

A screenshot of the books category on iTunes below should illustrate the extent of the problem. How has a developer managed to hack enough iTunes accounts to buy the number of apps required for each to dominate the paid books category on iTunes?

Some users who have had their accounts hacked have left comments on the apps they have supposedly bought, complaining that up to $200 has been spent on apps they’d never personally bought themselves. (Update: we’ve now heard reports of $600+ spent on some users’ accounts, more details at the foot of this post.)

There are other comments clearly from the app developer himself, giving positive reviews in an attempt to draw attention away from the other comments.

Both the support and company links for the company in iTunes take you to a Home.com URL with nothing but a holding page. Also, Google search results for Thuat Nguyen do not provide any concrete details as to who the individual or company is.

Clearly, when one developer completely dominates the ranking in a particular category, other app developers suffer, but when it happens by means of hacking end users’ accounts, it’s a serious concern that leaves everyone involved suffering. Developers don’t get the recognition they deserve, users are being robbed and left with a poor user experience, while Apple is left with a tarnished brand and a lot of explaining to do. Why does Apple not have mechanisms in place to detect when previously unpopular apps from the same developer flood the top rankings?

When some apps are left waiting weeks for approval only to be rejected by Apple for minor objections, how does a company with no website, no description and apps that are literally swarming iTunes escape punishment? More importantly, how has someone managed to hack users’ accounts and left many, we can only assume, unaware they’ve been robbed?

What you should do now.

For now, we can only recommend you check your recent purchases, remove your debit card being stored on iTunes and change your password immediately. When we have more recommendations you can be sure you’ll hear from us.

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

Update 1:

We’re interviewing a number of people who have had their accounts hacked and used to buy apps. Worryingly they aren’t just apps from this developer.

Update 2:
Reader Jamie Vickery, a UK-based iTunes user, discovered a number of apps had been bought using his account. This does not appear to be a US-specific issue any more.

“I’ve just noticed my iTunes account has been hacked in the past week. Someone has downloaded 8 apps and two songs totalling £61.70. The most expensive being an app called All Match by CharismaIST for £54.99! The other apps seem to be based on photographer like Camera One, Night Shot, Camera Flash Ultra. Surely Apple won’t pay out to these developers. I have changed my password and put in an email complaint to iTunes so we’ll see how it goes.”

Update 3:

More reports. Users in the MacRumors forum are claiming their accounts have been hacked and used to purchase apps. Two examples:

“Yesterday my credit union contacted me saying there was suspicious activity on my debit card. Sure enough over 10 transactions in the $40-$50 area all on iTunes equaling to $558”

“I also received a receipt via email on my “Purchases” on 7/2/10. I made the mistake of storing my debit card on the itunesstore app. I have run into the exact same responses that other users are reporting–only email as a method of contact.

That response was to tell me how to change passwords, etc. – stock answers and to also tell me of no refunds. I was an internet technician for years so the iTunes advice was second nature for me but with little hope for “fixing” the issue since I believe that the breach was on the iTunes server.

Thankfully, I carry a smartphone with my email setup on it, so I received the invoice quickly. Most of the 15 purchases were for items that I don’t even own i.e. iphone (I have a blackberry) and ipod (I’m 47 and I still use a radio for my music). I was able to verify the $70.15 charge via mobile banking and immediately called my bank. The transaction was in the processing stage and I think my bank was able to refuse it–I’ll see after the holiday weekend. With my card canceled, the additional $20+ charge was unable to be authorized.

I noticed reading the comments that someone was starting a class action suit, there are enough victims to be able to make iTunes responsible for this.

I will not take this laying down–I’ve filed a police report and filed a complaint with the Better Business Bureau and if I can afford it–I want to be included in the class action suit if it was started. I am currently trying to figure out how to get the news media notified of this scam.”

Update 4:

A succinct list of facts and updates to this story can be found here.

Update 5:

Thuat Nguyen’s book apps have all been removed from the iTunes store but there are many others. More details and further updates can be found here.

Update 6:

Apple has now released a statement about the matter.


Discussion - 359 Comments/Pingbacks

  1. Rick says July 05, 2010

    That guy created a Google App in Cydia. I wonder if he had some kind of keylogger. If all these accounts are gmail then that’s how he got them.

    • iTechnetwork says July 23, 2010

      Yes, that app was really a keylogger. My friend investigated the code and it’s a keylogger.

  2.

    Lol, so funny all these apple fanboys. Fair enough, just about everyone gets hacked. It is just one of those things. This just goes to show how secure apple is. Just as secure as MS years ago. Being the biggest makes you a target and you will get hacked, no matter what.

    But if apple is keeping such a close eye on the market and its walled garden, stuff like this should not happen. Please think apple is so secure, think again. They have never been targeted by hackers. If they grow, things will become clear.

    How can it be phishing? Whoever logs onto iTunes without going through iTunes app?

  3. LMAO says July 05, 2010

    now is when all the ”you rly don’t have an itunes account? ¬¬ ” sounds just so funny.

  4. YaBa says July 06, 2010

    You do know that “Thuat Nguyen” stands for “Naughty Tune” ?? ;)

  5. Ricardo Santos says July 06, 2010

    A way to deal with it would be to send you a confirmation email you must agree to before the purchase is made. But I bet they won’t do it because it will give the chance to impulsive buyers to have buyer’s remorse. Plain and simple, Apple does not care if you lose. They only care when they lose.

  6. Sally says July 06, 2010

    My account got hacked for $965. Whoever hacked it changed the email for receiving the receipts. I received one email and my debit card got declined thanks to my bank and their fraud/suspicious activity reporting. So I am sure they are doing this to a lot of other people and they don’t even know it yet.

  7. Frustrated With Lack of Apple Support says July 06, 2010

    My account was hacked as well, and the ‘email only’ support from iTunes has been truly shameful for a company such as Apple. A phone call to the iTunes customer service line found no one willing to help as they apparently outsource their billing. I was told the only way to communicate with that company is through email. Apple has thus far refused to assume any responsibility for the breach in their security, and my bank has forced me to close accounts etc before they will remove the charges.

    It’s been a frustrating and perception changing event for us.

    • Christian says July 08, 2010

      Absolutely, it is shameful that Apple hasn’t addressed this by having phone reps who are available to speak to AT THE VERY LEAST. A company with that type of resources and revenue…and we have to wait 24 hours for a reply, not knowing if our accounts are still compromised. SAD Apple, VERY SAD.

      I’m a Service Delivery Manager at an IT company and if our service was this terrible, we’d be out of business.

    • DavidinSF says July 11, 2010

      I absolutely agree. Same issues here. It’s all “not our fault”. Although I agree that they may not have CAUSED the accounts to be hacked, they:
      - enabled it by having weak processes
      - they failed to act rapidly when they learned about the hacks
      - they did not notify customers that we had been hacked
      - they would have kept their commission had we not disputed the charges with the banks – making them part of the fraud
      - they made us do all the work to rectify

      Where’s that class action?

  8.

    The one click purchase is a dangerous feature of itunes and should be disabled.

  9. Angelina says July 06, 2010

    I found out by accident that I had 9 iTunes purchases when I went to check my account balance online to verify that a deposit I made on Friday had been posted. Each charge totaled $40-$42. I cancelled my debit card associated with that account. I then called to cancel my iTunes account. This was July 3. During the time I was on hold – over 30 minutes, I had my account history on the screen and the last of the purchases posted showing that it was already July 4, 12:33 am wherever that asshole lived. At least iTunes sent me an email yesterday apologizing and telling me what should be done and that when my bank disputes the charges it will not be a problem reversing them… We shall see.

  10.

    Ridiculous. I can’t believe my bank would notice the strange transactions going on judging by movements on ONE account, whereas iTunes will not notice thousands of users spending like crazy all of a sudden. There should be a big red button in Apple headquarters to temporarily stop all sales in such case and redirect all users to an explanation page. I would rather not watch my movie tonight than lose $500, don’t you think? But wait, iTunes is making money off of all the transactions – that’s right…

  11. CeeSharper says July 06, 2010

    Lol honkj, Way to show us stupid PC users how intelligent the typical Mac Troll is. L2English

  12. Me says July 06, 2010

    Just wait til all the Mac users buy enough Macs to make them 10% of the computers sold, then they will all be hacked because of some simple flaw that Apple has known about but never patched. Oh yes the day will come. Make my words. Well that is if they ever get to 10%

    • Wintard says July 07, 2010

      Shhhhhhhhhhhhh … don’t take away their ignorant bliss. The evil-doers are already testing the waters.

    • jeff says July 07, 2010

      “Oh yes the day will come. Make my words.”

      Make my words? LOL. Sometimes foreigners who can’t speak English are pretty funny, I must admit…

  13.

    The one click purchase is a dangerous feature of itunes and should be disabled.

  14.

    Mine was compromised too, about $60 worth of Taiwanese Love songs.

  15. Basem says July 10, 2010

    This is so obvious .. this type of intrusion is called “Misfeasor: A legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges” .. Kind regards

  16. DavidinSF says July 11, 2010

    Where’s that class action?
    I absolutely agree. Same issues here. It’s all “not our fault”. Although I agree that they may not have CAUSED the accounts to be hacked, they:
    - enabled it by having weak processes
    - they failed to act rapidly when they learned about the hacks
    - they did not notify customers that we had been hacked
    - they would have kept their commission had we not disputed the charges with the banks – making them part of the fraud
    - they made us do all the work to rectify

    Where’s that class action?

  17.

    after billions of safe transactions, a few people get whacked. it’s only a hint of the possibilities. something else is going to happen, i can feel it, in my bonz…

  18. cdub says July 12, 2010

    My account got hacked too! They did 5 transactions by 154 dollars each transaction for some credits on a game app! wtf! And Apple is not willing to do anything. What a bunch of twats.

  19. Glenn says July 16, 2010

    I think Apple should not be able to authorize any charges automatically and bill later. If they stop doing this the banks will then be able to deny the charges if there is not money in the account. Apple is making money by automatically authorizing the charges. I found out that someone tried to hack my account because when I tried to redownload apps to my Itouch they wanted to verify my credit card on file which they have already had for almost a year. That was a red flag. I have always been able to redownload apps with no charge or without asking to verify my info.

  20. Dan says July 22, 2010

    My account has been used to purchase over £700 worth of in game purchases for an app called Zombie farm. I have never installed this app or even heard of it prior to this happening.

    Apple are completely useless, my bank will only refund me the money once they can confirm with Apple that the purchases are fraudulent, and the bank want me to get contact information from somebody in Apple to verify it. 6 emails later, and I am sick and tired of replies that are obviously templates sent to everybody with the problem. All of which state “contact my bank”

    Useless

  21. Texas says July 24, 2010

    We should file small claim against Apple for their issue, this is not ours. I have written letters to Steve Jobs with no written response, only one of the worker bees who called for Steve, will not help or be customer friendly. One word: Lawsuit.

  22. Donna says July 24, 2010

    I had my iTunes account hacked last week here in the UK and had 13 transactions totalling £350 taken from my bank account in amounts from £1.58 to over £60. I was disgusted that I couldn’t speak to an actual person about this but only contact via email. The payments were not authorised by my bank but it took 2 days for the funds to become available again. I have since closed my account with iTunes.

    • NKL says August 09, 2010

      Wow, and here it is a month later and I wake up to $175 removed not via the credit card on file with iTunes, that all of my legitimate purchases have been charged to for years and years, but rather via PayPal charges (five to be exact, in the amount of around $40 each). The fifth charge actually even came through WHILE I was on the phone with PayPal, trying to find out what was going on. Trying to find a number for Apple was fruitless, so went directly to PayPal.

      They were able to determine that the charges actually came through an old billing agreement that was on file with Apple from 2006. I have not used direct debit for my iTunes account for years and years…it always comes to my credit card on file…even the purchase I made last month (my last legitimate one) WAS billed to that credit card! And, that credit card still showed as being on file with my iTunes account, when I logged in this morning. I have since removed it, of course. Once PayPal severed this old agreement, which is so old, I don’t even remember it, the charges stopped, but not before I was out all that money!

      Apple better make this right or I am definitely on board for the whole class action idea. Heck, I will even track down a law firm and start it, if need be, if they aren’t stepping up to the plate on this.

      There is NO WAY I am in any way responsible for this. I am diligent about passwords, since I work in an online sales industry I know how important it is to stay safe, and I use a password random generator that makes for some mean passwords to crack. No, I am convinced that somehow someone was able to access my iTunes account because of this breach and do this. I have, of course, since changed the password using my password generator. Oh, and don’t even mention key logging…never happen. I have been Mac all the way since 1985 and I don’t type my passwords in anywhere. They are either copy/pasted from my password manager, or I log into websites via that manager, to keep them safe.

  23. sunny says August 12, 2010

    I’m the latest victim…my iTunes store account got hacked yesterday and those fuc*&%$ have charged more than $2500 to my bank account/ credit card… I’m so disgusted…Now I’m running around making calls to my bank and paypal and iTunes store to get my hard earned money back…. This is unbelievable. I was under the impression that iTunes / Apple would have some high level of security for their customers…but I guess not…

    • janine says August 23, 2010

      The exact same thing happened to me last night, I haven’t used my iTunes account in years then I woke up this morning and checked my email and there were 27 receipts from paypal saying I purchased iTunes apps…over $2000 worth!!!! How did this work out for you??

  24. A dUb says August 14, 2010

    The computer we use for iTunes is a Mac, not Windows based. It is a laptop that we keep exclusively connected to our home sound system. The only time we ever use it online is when we are on the iTunes store. The other day, someone purchased $700 worth of apps from 1 am to 4 am. My credit card company called me the next morning. It’s interesting how they can identify fraudulent purchases but Apple cannot.

    It took 3 days for someone to contact me after I submitted my claim. They basically accused me of second guessing my purchases. They also accused me of using a PC. They were wrong on both accounts. It’s interesting that Apple treats its customers like criminals with things like DRM, but they are unable to protect their customers from actual criminals.

  25. Amanda Torres says August 21, 2010

    My iTunes account was just hacked…$400 worth! I found this out almost a week ago, and am getting NOWHERE on getting my money back! The bank says to go to iTunes. iTunes tells me to go to Paypal. Paypal tells me to go to my bank. WTF??? I just want my money!!!

  26. pnolte says August 28, 2010

    This is still going on. My account was charged 3600 dollars for World War Desert Edition honor points. Since I don’t have an ipad or iphone I never figured I would get hit. I have a gen 3 nano. I have not logged into my account in over a year yet I was hit. Anyone can get hit and iTunes will do nothing about it.

  1. iTunes Accounts Hacked, App Store Swamped With Rogue Developers | nexgenlife.com

    [...] most of us were relaxing and getting our BBQ on this weekend, a story was breaking that saw rogue developers hacking iTunes accounts and buying their own apps to both steal your cash and improve their own App Store rankings. In [...]

  2. Apple says 400 impacted in iTunes hack. Goes in Search for iTunes Fraud Specialist.

    [...] from Apple that only 400 accounts were ‘impacted” by the iTunes hacking saga that we first reported on [...]

  3. Reports: iTunes accounts, App Store hacked | Mohinder's Blog

    [...] TNW Apple reported that the phenomenon appeared to extend beyond apps by one developer, and that it seemed to [...]

  4. My iTunes Account Was Hacked for $375 — By My Own Kids

    [...] I can’t blame Apple or its iTunes Store for the purchases. And I can’t blame those iOS4 app developers reportedly hacking consumer iTunes accounts either. This financial debacle is the direct result of how I have the household iTunes accounts set [...]

  5. My iTunes Account Was Hacked for $375 — By My Own Kids | iPhone, iPad Weblog

    [...] I can’t blame Apple or its iTunes Store for the purchases. And I can’t blame those iOS4 app developers reportedly hacking consumer iTunes accounts either. This financial debacle is the direct result of how I have the household iTunes accounts set [...]

  6. Actual damage from iTunes App Store hacks: only 400 accounts affected | ThaiDC.com

    [...] top 50 apps in the Books category on iTunes. Nguyen’s apps were disabled quite quickly, but TheNextWeb asserted that he wasn’t the only dastardly dev engaged in this kind of [...]

  7. My iTunes Account Was Hacked for $375 — By My Own Kids | Newsroom News

    [...] I can’t blame Apple or its iTunes Store for the purchases. And I can’t blame those iOS4 app developers reportedly hacking consumer iTunes accounts either. This financial debacle is the direct result of how I have the household iTunes accounts set [...]

  8. Actual damage from iTunes App Store hacks: only 400 accounts affect « Tech)(Hada

    [...] top 50 apps in the Books category on iTunes. Nguyen’s apps were disabled quite quickly, but TheNextWeb asserted that he wasn’t the only dastardly dev engaged in this kind of [...]

  9. Apple’s app store, filled with “App farms” being used to steal. [Examples] | iphone4tutorials.com

    [...] the story of of iTunes accounts being hacked continues to develop, we’ve come across a number of what we would call “App [...]

  10. The Drill Down 143 - Eclipse of the Dead | The Drill Down

    [...] App Store, Hacked. (Updated: iTunes Accounts too.) [...]

  11. Hackers turn iTunes into iFraud | MAD Productions

    [...] detailed by The Next Web, a flurry of reports from iTunes customers reveals that scammers have apparently been [...]

  12. Apple bans the rogue developer and beefs up its iTunes • Calitel.eu

    [...] Victims were reportedly charged anywhere from a few to several hundred euros, according to NextWeb. After several days, the Apple brand finally acknowledged the hack. Apple promises [...]

  13. My iTunes Account Was Hacked for 375 Dollars – By My Own Kids « WTI NewsBlog

    [...] I can’t blame Apple or its iTunes Store for the purchases. And I can’t blame those iOS4 app developers reportedly hacking consumer iTunes accounts either. This financial debacle is the direct result of how I have the household iTunes accounts set [...]

  14. YouTube Hacked!!! - Apex Community Forums

    [...] to be deleting or blocking comments on many video pages. The attack comes on the same day as an apparent iTunes App Store hack came to light. We’ll update with more information as we get it. UPDATE: Discussions on the [...]

  15. iTunes was hacked to change app rankings | Todo bit

    [...] how Nguyen obtained the accounts. Mac Rumours says it was a phishing attack, while TNW Apple says it was a scam coordinated by several corrupt developers from different parts of the [...]

  16. IDreamInTech » Blog Archive » 5 for Fridays: Not just another Lebron James Story.

    [...] Just how secure is Apple?  Well The App Store was hacked [...]

  17. EndlessLab - iTunes and the pirate transactions! The day of network insecurity

    [...] for more than 10 transactions he did not make, but as the hours passed several similar accounts appeared. Behind the attack there appears to be not only the Vietnamese developer, but also a cracker [...]

  18. iTunes Accounts Hacked [WARNING]

    [...] reporting revealed more problems: Twitter complaints and a MacRumors forum thread spotted by The Next Web show that a number of iTunes users have had their accounts compromised and used to buy hundreds of [...]

  19. Apple App Store and iTunes Accounts Hacked, Say Reports | The Music Fizz

    [...] in the Apple App Store to artificially inflate the ratings and sales for his book apps. Both The Next Web and Engadget websites reported Sunday that Nguyen apps accounted for 42 of the top 50 books by [...]

  20. El Posteador » Hundreds of iTunes accounts hacked

    [...] reports the portal ‘The Next Web’, the company founded by Steve Jobs has removed all the applications developed by Ngyuen from [...]

  21. iTunes App Store Hacked! | Gadgets World

    [...] For the story, click here. [...]

  22. Reports: iTunes accounts, and the store hacked | Socarno's Blog

    [...] TNW Apple reported that this phenomenon appears to go beyond the developer's apps [...]

  23. Do you reuse your passwords? | Data Protection and Recovery Center

    [...] week ago, TNW Apple published a story about Apple’s App Store. It seems that some unscrupulous developers [...]

  24. iPhone Gala » Holes in the Walled Garden: Has the App Store Been Hacked?

    [...] is a developing story, and not all of the facts are out yet, but if what is being reported on The Next Web and by developer Alexandru Brie turn out to be true, it may be prudent to stop reading this now and [...]

  25. I Think Apple Just Saved Me Some Money

    [...] perhaps I failed to have a strong enough password. It seems that’s not the case, though, as a growing number of users are reporting unauthorized purchases on their accounts: A number of iTunes accounts have been [...]

  26. iTunes hacking scam drives traffic to e-books, raises security questions | RSS Lens

    [...] this weekend, reports emerged that a third-party developer had hacked into people’s App Store and iTunes accounts in order to boost sales of their e-books (a somewhat [...]

  27. Is App Store Hacking Endemic? | iPhoneBizBlog

    [...] TheNextWeb have unearthed what seems to be a major problem on the app store: users getting their accounts hacked and  hundreds of dollars being spent on crap apps. [...]

  28. A Closed App Store Isn’t More Secure « IT Professionals

    [...] regardless of platform. But for Apple to point out that the closed off model is the way to go because it’s safer, is starting look a bit fuzzy. Apple makes fine products, but please be honest with your users. You [...]

  29. Apple is double charging for apps? Yep. (Updated) | By The D

    [...] someone told me that this could be related to iTunes being hacked, but after looking more closely, I don’t think that is the case.  My issues are happening at [...]

  30. 5 Lessons New Media Could Learn From 4chan

    [...] Editor In Chief, @Zee, did this perfectly with his story about the App Store compromise. Heck, it’s a month later and we’re still proud of him [...]

  31. A ”dogfight” between giants have started. Will Apple.inc have someone taking big bites of their apple? « Geir Stene's Weblog

    [...] cell phone. Speaking of branding problems, Apple recently lost a lawsuit concerning their policy to stop ‘apps’, they’ve met resistance about their censorship policy, and there’s a wide range of [...]

  32. Apple issues statement on iTunes eBook fraud, vaguely cops to hacking (kinda) | TechsZone

    [...] are also reports of other “App Farms” in the App Store, just waiting to nab unsuspecting users’ [...]

  33. SMMAS 13 ‹ Sudo Make Me A Sandwich

    [...] App Store Hacked [...]

  34. Apple iTunes Accounts Hacked, But Is This New? (PC Magazine) : Online Surveys Tips and Information

    [...] Next Web (Apple) is reporting, in a series of posts, that scammers are grabbing users’ accounts on the Apple iTunes and App Stores and using them to buy items. At this point it seems likely this is all just to increase the popularity and visibility of those [...]
