On Sunday we reported details of how one specific app developer had managed to hack iTunes users’ accounts and use them to purchase his own apps – making it to the top of the iTunes charts.
As the story has developed, the problem has grown far more serious than initially thought. It is not just that one particular developer and his apps: the Apple App Store is filled with App Farms being used to steal.
This post will give a complete rundown of what we know and will continue to be updated as we learn further details.
The Facts
- A number of iTunes accounts have been hacked from across the globe, not just the US, and used to purchase apps.
- The app developer that began this entire investigation has now had their account (and apps) removed, but we’ve discovered a number of other developer accounts with very similar, if not more “innovative”, approaches to stealing users’ money. The Apple App Store is filled with App Farms being used to steal.
- iTunes users have reported anywhere between $100-$1400 spent using their accounts.
- The trend: buy a couple of low cost apps ($1-$3) and then one app at an extortionate price ($90+).
- We’ve also seen reports of a free app being bought and in-app purchases being used to effectively send money to the app developers’ accounts. Details here; the app is called World War.
- Apple’s only response so far has been to ask users to change their password. We have also contacted Apple and are awaiting a response.
- Many of the apps have been purchased to specifically climb up the iTunes ranking to gain momentum in the hope that others will purchase the apps based on their high sales.
- Currently all the apps purchased have been owned by Asia-based developers with little information known about them. Clearly they feel being based in Asia will give them immunity to any US laws.
- This seems to have been happening over the course of the last 4 weeks, although MacRumors shows hacking on some level dating back to 2009.
- The app developers are using images from the web as their app icons.
- The developers’ website and support links direct users to non-existent websites or landing pages.
- The initial rogue developers have now been removed from the App Store but other unethical developers still have their accounts available in the App Store – details on those to come.
- Apple has released a statement about the matter here.
- Apple now says 400 accounts were impacted; we don’t believe it.
- Apple posts job listing for a Fraud Prevention Specialist.
more to follow.
What you should do
- Check your previous iTunes purchases. If you spot anything you haven’t personally purchased, contact Apple and your bank to try to prevent any iTunes purchases from clearing.
- Get in contact with Apple.
Email link.
Or the website “Get Human” lists this for Apple: 800-275-2273
To talk to a real person: press 0 at each prompt, ignoring messages.
- Change your iTunes password.
- Remove your iTunes card details and consider using gift cards where possible.
more to follow.

“•Chase your itunes password”
It’s running away!
I think it was a bad idea to have “roadrunner” as a password. :-(
“A number of iTunes have been account from across the globe, not just the US, and used to purchase apps.” … what the…?
Still the sensationalists, I see.
What should we have said, just out of curiosity. Genuinely intrigued.
- How many accounts did you initially think had been hacked?
- What are the facts on how many actually have been hacked?
Not to belittle that some people have had their accounts hacked, that’s pretty sh*t for them. It’s always good to have more advice on security get posted.
The whole ‘rolling news’ angle like a third world trade centre is about to fall is just dramatic. “Tell your friends now! Get them to see our HP advertis… uh, advice!”
I don’t know how many accounts have been hacked. All I know is that we’ve received/seen 30+ messages claiming their accounts have been hacked and apps totaling up to $600 have been bought.
A post with a list of the facts and what people should do you’d think you’d be grateful for, guess not.
It’s always good to have more advice on security get posted.
Just posting that again since you skim read. You could put the bit about 30+ accounts in the post since it talks about containing all the facts. We wouldn’t want everyone thinking there were thousands of cases, and a significant web-wide risk, would we?
I’d say 30+ accounts is a LOT for an organisation of our size
Hacked is an awfully strong word. Phished is more likely. The fact that this is only affecting a small, small fraction of iTunes users (several hundred out of several hundred million) pretty much confirms that information was gathered by phishing or some other viral sniffing.
Calling it hacked is a bit sensationalistic as that tends to lead people to believe of data compromises (on Apple’s part). Not saying it’s impossible, but given the current “facts”, always lean toward the users’ end first as it’s by far the easiest end to gather data from.
Hey, thank you for the info. It’s good to know that such devs exist and that a little extra checking pre-purchase is wise.
I appreciate your article & the info!
Hi Zee, How’s about 1488 dollars and some cents? That happened to me July 5th. I don’t even buy games/etc from itunes ever. Didn’t find out my bank account was empty till I tried to buy something since the sales hadn’t posted yet. The password was only an itunes password and no one on this account but me. Hmmm.
I am a victim – lost £ 165/- (UK based).
“Some people” couldn’t collectively drive apps being sold on the iTunes Store to the tops of the charts. For that you’d need something closer to “shit-tons of people.”
Are you certain? Some say that certain parts of the app store don’t take all that many sales to climb.
Zee, when were these 30+ accounts reported to you? Today? This week?
I don’t understand your trollish attitude towards this. Sure, the article may have been a tad ‘sensationalist’ but does that really bother you that much?
This is a real issue where real money is being stolen. 30 reports is more than enough for this to be something that anybody using the Store should be very aware of.
These thirty reports could have been over the past five years for all we know. A lot of people are reporting their accounts having been hacked, but either not citing the date it happened or saying a whole variety of times.
People are already aware that passwords can be hacked, and they need to be secure, since the dawn of the internet. Nothing wrong with repeating the information, I’m just calling out The Next Web for hyping up a situation like they’ve done in the past, such as the Facebook/syphilis debacle (pretty sure another post I mentioned this got deleted)
@Joauim You hit it on the money! :P …the first letter in his name is “T”, which is what “TROLL” begins with. I think he is one of those secret members of the “Apple Thought Police” (you know like iHitler youth trolls) out to catch anything that might misconstrue disbelief in Steve Jobs as the one and only almighty Super Infomercial Troll King of the World!
If I was stupid enough to believe, Tom’s interrogation of Zee was anything less than Loyalist Troll Baiting that is. Then reading these comments wouldn’t be half as entertaining. Though if I was lame enough to buy an iPhone from Apple or Apps, Music, etc from iTunes, then I’d be glad to be informed of this developer ruse going on (that by changing my password could help). Needless to say, I didn’t take this as Apple’s problem, till he went off about it. There are snakes in the grass of every lawn and we don’t know it…. until we mow it!
@Zee? Thanks for mowing the lawn and I’ll warn my friends that weren’t smart enough to not use Apple’s crappy store in the first place!!! ^_*
Were the accounts actually hacked or were they bruteforced because they had easy to guess passwords?
your guess is as good as mine but my reckoning is far too many to just be easy passwords.
My account was apparently hacked a couple of weeks ago: I use a nine character password, letters, numbers and assorted cases. I use a Mac, exclusively and the frauds concerned various iPhone apps, exactly as reported elsewhere. As I don’t have an iPhone and only use iTunes to purchase fairly rarely, have never responded to or even received ‘phishing’ attempts regarding my iTunes account, I really do suspect a hack.
Thank you for telling me details of your password security steps. Passwords should all be required to be secure like this by the software that lets you set your password in the first place.
It reduces the search space when I’m trying to brute force them by letting me know which combinations to exclude.
Hi Zee,
what do you call an easy password? Mine was only on one account, my itunes. What do you think?
Easy passwords: dictionary words, phrases related to your personal life, sequential passwords (12456, abcdefg), not enough variance in character types (all letters, all numbers, all upper OR all lower case, no special symbols [_,!(@$]).
Also passwords that are too short (less than 6 – 7 characters).
A password made up of mixed case and numbers (not even special characters) with 6 characters, has roughly 56,800,235,584 combinations.
A password made of lower case characters which is 6 characters has 308,915,776 combinations. Significantly higher chance of a brute force taking place.
erm … “taking place” should actually be “succeeding”.
The purchases were made on 2nd and 3rd of July in my case and I can say that the password was not that easy to guess but then I ain’t no expert so dunno how easy or difficult it would be for an expert but I think there was a loophole in the iTunes system which allowed this to happen – I have purchased only one iPhone app in the past three months since my purchase of the iPhone.
then apple should do something to prevent brute force hacking.
look at google
It happened to me! A number of apps were purchased from my iTunes account along the lines of what’s been reported. It came to about £30. Some people are saying ‘probably the result of being phished’ – get out of it! I was not contacted in any way – my iTunes account was only used on my PC, with Virus protection. I changed my account password regularly – I’m paranoid about such things. I cancelled my credit card associated with the account and then contacted Apple. They were very apologetic and refunded me for all amounts immediately. I believe the accounts have been hacked.
Mine has been hacked in April.
I use a strong password (numbers, 3 sets of characters, not a word nor a name).
The pirates were obviously Chinese since they changed my account settings to this language.
I lost 200 euros in the process before I cancelled my card.
I don’t use iTunes on my PC (only once 2 years ago when setting my initial account), I never typed my iTunes password on it since, so a keylogger on the PC is no explanation.
The only time I use my password is on my iPhone when I download something from the App Store.
I suspect a kind of keylogger on the iPhone or some other trick directly on the App Store website, but I get absolutely NO indication from Apple on how they did this and how to protect myself from it. From now on I have no credit card number on my iTunes account and won’t have any soon…
30 out of millions; not a lot. Google for “stole my account” or “hacked my account” and you’ll see it happens to facebook, twitter; every popular service with a large enough userbase. The danger here is the one click shopping behind those iTunes accounts.
yes, *much* more serious than Facebook or twitter…and 30 who reported it to us. That’s a lot, believe me.
We’ll see how this pans out then. 30 out of 100 million iTunes accounts isn’t statistically significant, but it’s certainly notable – worth reporting, yes. Worth presuming there’s a new, significant conspiracy?
This is nothing new, accounts have always been hacked at this rate on every service and on iTunes. Hyping up that the issue is ‘widespread’, and what people should do (connotations of WWII and air raid shelters come to mind) isn’t appropriate as much as surreal.
30 that reported it does not mean 30 total.
I never knew this website existed before, if my account had been compromised, I wouldn’t have come here to report it. It’s doubtful I would even contact any website, I would deal directly with Apple.
So if we say only 10% reported it, which is insanely high given the number of people that (a) haven’t noticed (b) noticed but blamed someone who has access to the account – such as a child (c) noticed but didn’t want to report it elsewhere … you’d have 300 accounts compromised, out of millions yes.. but at anywhere from $100 – $600 per account, there could be $30,000 – $180,000.
Then factor in the number of people that had their account compromised, knew about The Next Web, and bothered to report it to them. Personally, if I would report it, it would have been to TUAW or Consumerist.
Fair call on the figures. But is it a new problem or the same old problems?
I think you trying to downplay what possibly could be a big issue is kind of surprising.
Even if it’s only a possibility that it could be widespread (Well there is just the people on here + macrumors + it’s not just the US + it’s big enough to affect multiple rankings on itunes) you would err on the side of overblowing it to make sure people take it seriously and do take the recommended precautions.
i am not sure why you are calling it a “big issue” now? i just saw a Mac Rumors blog with about 150 posts, dating back to 2008 with people saying “my itunes account just got hacked”…
it is pretty obvious that these people have weak passwords that were brute forced, one guy actually said, “don’t have your password the same as your username”
well duhhh….. hello world…
in other words, this goes on all the time, it looks like someone has been gathering a few for the weekend so they could make as big a dent as possible before the holiday was up… nothing more than what always has been going on…
people have their password hacked, because they fall for a phishing scam, or you know the rest, especially for PC users of iTunes…
i remember Apple removing apps a long time ago for the exact same reason…
you can tell these people have weak passwords, because they say things like “must be Itunes” hacked, but they’ve been saying it for 3 years… you think iTunes would have noticed by now? and these people never mention anything about their password… the first thing i would do if posting my itunes account got hacked is how my password was configured, and any phishing activity that i might have fallen for… or emails that i had something downloaded in…
Apple can not do anything about people who get their passwords stolen… PERIOD….
seriously think about it… and of the 100′s of millions of users… there are going to be like 30 of them every week that get their password stolen… mainly because they are too stupid to have a good password, or they are on a PC and download an email attachment, or keylogger, or about a 100 things PC users fall for….
the only difference with this week is it is a holiday, and someone was saving their hacked iTunes accounts for this weekend to get the biggest bang for the buck…
(people being out of town and such)
Tom, you need to get your head out of Apple’s nether regions and face the facts. Hacked book apps have reportedly outsold the Twilight books. Now if you think Twilight is bought by less than 30 of 100 million users, you’re insane (whether they are also insane to spend money on Twilight, I won’t comment). This is a serious issue, and FUDding the messenger doesn’t help. The article is fair, and the advice sensible. What’s your beef (assuming you’re not on Jobs’ payroll)?
Just to be helpful: it seems a crash in apple.com, followed or due to some manual operation. My two fake charges are 1) exactly the same quantity that was charged in my last buy in iTunes months ago, and 2) exactly a duplicate of the new quantity that I was really to be charged this month, after renewal of everything (password, credit card etc) so that the information was uncorrelated with (1)
So, 30 accounts hacked gives Apple and/or hackers the right to keep hacking? Whether it is 30 or 3000; if there is a security flaw, that needs to be fixed. The story is “still” developing. Tonight it may be 30 but by the time you wake up tomorrow, it could be thousands.
Thanks to TNW for keeping us informed about this hack. I hate people taking things into consideration only if it happens to them or their close relatives!
———————–
Whether it is 30 or 3000; if there is a security flaw, that needs to be fixed. The story is “still” developing.
————————
ya, still developing for like 3 years…. what exactly is Apple supposed to do with the 30 people a week that get their password stolen? well actually they do have a procedure since it is so common.. but really? what are they supposed to do with the 60% of people on PCs that constantly get malware on their computers? tell them to buy a Mac?
Zee, you need an “edit” post button :0) ouch on that spelling…
Well, Buy a Mac, Use *NIX, or be less stupid on Windows. It isn’t hard to create a SECURE password that would take years to bruteforce and be easy to remember; people are just too lazy to bother with it.
It doesn’t matter what kind of security measures you have in place on any type of system running any OS. If you don’t take the time to make a good password (use letters upper and lower, numbers, and special characters that don’t spell a word) your account can be compromised.
The biggest cause for stuff like this, Facebook, Twitter, etc., is people typing in their account information on fake log in forms.
I believe that is a very ignorant comment Dustin. How did this turn into implying Windows is an issue? We don’t even know what the cause of the problem is yet but from what I am reading it does sound like it is leaning towards hacking. Either way, without knowing you suggest that one should go out and buy a Mac – an Apple product, to sidestep security problems when there is a good chance that there are some what seem to be major security flaws with Apple products???
Let’s keep things in perspective here.
Dustin, This one password was only on my itunes account. I buy things from other companies on my computer. Why was my bank account cleaned out to $0 from only the itunes account only if it was from my computer? I guess people are too lazy to bother trying to buy from anything but itunes. Read the news, man. It could be you next. So -$1500 later, I don’t trust itunes.
People ain’t reading. There are reports, including here in Belgium, of people on MACs or Iphones with hacked accounts. I have 2 friends that have this problem, and neither of them has been on a PC for a long, long time. Frankly, they’re what I call Apple-nutcakes as they shit on everything Bill Gates does or does not. Whether that is rightfully so or not, I’m not going to comment on.
May I also remind you that last year Symantec detected a botnet on… indeed, Apple computers. Apple ain’t more safe than Windows, you just have less stuff going around for it as it is not that interesting due to the low userbase. With Iphone, Ipad, Ipod, Itunes, AppStore etc… this is rapidly changing.
There are numerous other reasons why to go to Apple, but safety is not one of them. Not any more.
@honkj haha…. that’d cure everything. Especially since Apple was the first to fall in seconds at this last PWN2OWN! :O
Buy a Mac to avoid a Big Mac attack on your PC. Sounds like calling the dogs in on something that would eventually have Apple and Microsoft changing places. But don’t mind me….. I’m just an innocent Linux bystander on an OS that’s even less distributed than Apple’s. So I’ll just sneak on out with our less than 1% vulnerability rate! ^_^ Later!!!
Question: Is it possible that, due precisely to this kind of problems, Apple had decided, early last week (or anytime in the past two months) to protocol that the charges happening after any password change were to be done by a human operator? The wrong charges in my VISA can be more easily explained in this way.
I’m wondering, could it be that the hack is associated with credit/debit card information stored in the ‘iTunes store app’ and not in iTunes in general? This comment from one of the victims caught my attention: “… I made the mistake of storing my debit card on the itunes store app.”
When you change your password, you can also set your payment option to NONE. Seems a good idea until this gets sorted out.
I am one of these people. I have $165.66 in fraudulent charges. All apps. supposedly purchased from one seller. I immediately deleted my credit card from the iTunes account and hit the report button under each fraudulent transaction. It now says the account of the seller has been closed by the iTunes supervisor. My credit card company has not reversed the charges yet.
One thing particularly interesting. 30.93 of fraudulent charges was placed on one legitimate purchase receipt to bring it up to the 44.00 range. 44.91 was the range of the rest of the fraudulent charges.
I also want to add that I had not logged into my iTunes account since 2008. I logged in on 6/24 to update my credit card information and purchase a few songs. I was hit with these charges on 6/24 and 6/26.
Happened to my cousin just a few days ago to the tune of around $1000. Yowch.
I appreciate the article. A heads-up warning is more important than waiting for the full disaster to occur. Obviously there is a breach in the security of the iTunes store.
there it is again “obviously a breach in security of the iTunes store” yet someone said this last week, and the week before ,and the week before, and last year, and the year before, and the year before…..
HELLO????? not a word about if they are on a PC or what their password was like, or the keylogger they downloaded… :0)
Zee, if you do have people contacting you, this information is critical..
1. are they on a PC?
2. the length of their password
3. did they have numbers and letters in their password?
4. have they checked their computer for malware?
people constantly blame someone else: like “iTunes must be hacked” instead of: “i wonder if my password was stolen?” and then… how was it stolen? should be their first thoughts, yet no one ever discusses their password security on those posts, going back almost 3 years…….
if you saw how many times people say: “iTunes must be hacked” over the years, you’d be a little suspicious of people saying it today…
PC!! PC!!, you are such a donkey. Is it really so out of the realm of possibility that your precious Apple could have some sort of security failure?
Yes, it is. There are more PCs than Macs, PCs make a better target for malware/spyware than Macs do. The worst you could have on a Mac or any *NIX system for that matter is a rootkit. And that is about 1 in 1000.
1. Yes, I use a PC
2. The length of my password was 12 characters and not associated with my username
3. Yes, it contained both numbers and letters in the password (uppercase and lowercase)
4. Yes, I run Symantec Endpoint Protection – no malware
Here is the timeline:
Logged into the account on 6/24 at 10:06 AM and purchased $9.72 of legitimate downloads of songs. Received an email later with $30.92 attached to this $9.72 of legitimate charges with 7 apps by one seller that I did not purchase. This brought the total to $40.65.
Next fraudulent purchase was 6/26 at 11:54 PM for 9 apps and $44.91.
Next fraudulent purchase was 6/26 at 11:54 PM for 9 apps for $44.91.
Next fraudulent purchase was 6/26 at 11:56 PM for 9 apps for $44.91.
I was out of town when these purchases occurred/emails came. They went to my junk mail. I retrieved them on Monday (6/28) and hit the report a problem button under each transaction. I also removed my credit card from the iTunes account. Nothing happened for a few days. It now says under each transaction “seller closed by iTunes supervisor”.
Words enough : happens on PC, on Mac, on Iphone. Happens with weak passwords and strong passwords. Happens to PC-fools and Apple-nutcakes. Happens all over the world. Doesn’t happen on this scale and in this way on Amazon or E-bay. Exit phishing-theory.
Yes, Apple is written by humans. Yes, humans make mistakes. Yes, Appstore has a security problem.
Wow, quick to try to bring a PC into the mix, are you a stock holder trying to divert attention away from something that could affect the price? It is being reported in some cases that the Apps themselves are making some of the purchases. In the same regards, who said anything about keyloggers? Just 2 days ago it was passwords bought online. Why all the FUD? This is a reality check to Apple users. This is what happens when you gain market share. These kinds of problems will only get worse. The only fix for this is Apple sliding back into oblivion. Apple is also not prepared for these kinds of things. Security has always been lax, and they are apparently hiring a fraud prevention specialist because they are not prepared for anything like this. Good luck. I wish you all the best if your phone gains more market share, because all that is happening is the target is becoming bigger and bigger. Welcome to the real world. You tried so hard to get people’s attention and now you have it. Good luck, and I hope Apple learns to handle this stuff much better than they have historically, or you guys are in for one hell of a ride.
My account was hacked for $54. I had to close my credit card :(
I consider myself relatively computer savvy and I have a million passes to everywhere imaginable. A weak pass is just simpler to remember than a strong and unique hexadecimal alphanumeric key for each site of which I am a member. I was hacked in the beginning of June ’10. Luckily for me I am an obsessive email checker so I caught it within hours but they still got away with ~$450 in app purchases. Ten separate transactions, mostly Chinese language apps and for some strange reason, Sesame Street apps. I contacted Apple immediately (I wanted to talk to a human but unless the problem is hardware related and covered under AppleCare they won’t talk to you). Email seems to be the only recourse ATM. My bank was all over it though and they credited my money back to me the next day.
I had this exact scenario happen to me back in February. Noticed a free app purchased on my iTunes acct (I don’t own an iPhone either) then an hour later a slightly higher charge for another, then a few hours later about a $50 charge for several. I changed the PW and removed my CC but it was too late. All the apps were Chinese, I couldn’t even read what they were. Apple told me to just charge back my card, they weren’t going to start a criminal investigation for a <$60 charge… plus they wouldn't credit me for $5 worth of credit that I had sitting on the account. Pretty lame…
Yup, I was hacked as well. Saw 7 separate charges in the amount of $150 with the description “Original Gangstaz, 2700 Street Cred, Seller: Addmired, Inc ” This is the link to that developer
http://itunes.apple.com/us/app/original-gangstaz/id340139808?mt=8
Clever buggers did it over the long holiday while banking institutions will remain closed till Tuesday.
Hi Faisal, I’m so sorry you got hit. Same for me, long holiday weekend, 10 charges in the space of an hour. Mine was from Storm8.
I’m guessing that the black hat crackers might have posted hacked itunes logins to warez forums for leechers/warez members to ‘appear’ to make legit purchases from legit vendors as well. My off-hand guess is that the process is similar to how premium site userid/passwords are harvested.
Smart leechers/warez members will probably use TOR or other elaborate proxy hopping means to make sure Apple transaction servers record bogus IP addresses associated with the login of the compromised accounts.
The only comfort is that the financial systems are hoped to honor reversing the charges — which itunes is not equipped to do based on the customer service replies.
This also happened to me back in March, but with a $899 app. Awesome.
This hack doesn’t make any sense. When you buy an app, the developer doesn’t charge your credit card, Apple does. Apple’s not going to pay these developers racking up fraudulent charges.
lift your game Apple, you have a lot to lose
Obviously they did, before they noticed it’s fraudulent.
And they profited from it (30%?)
Happened to me in May. $50 charge was caught by credit card company. Lots of trouble sorting out new card; getting charges reversed breve
Any breach is one too many. Thanks for the post.
Simple people just inform your Bank of unauthorized credit card transactions. Then it’s Apple’s problem! And you’ll get your money back
The solution is easy. Apple should not accept Asia based developers on the App Store, because they cause too many problems. In fact, Asia cause many problems to a lot of companies. Their Law is so awful that they can do whatever they want, and they have immunity to continue doing that.
If we don’t give them the opportunity to steal or copy, the problem would be solved.
Charles,
Watch it there – bit of a broad brush stroke with that comment “Their law is so awful…”
According to ICANN, Asia includes such countries as Australia, New Zealand, Singapore, Japan and Hong Kong (which operates a different set of laws from China)!!
The solution is easy. Apple should not accept weak passwords on the App Store, because they cause too many problems. In fact, weak passwords cause many problems to a lot of companies. Weak passwords are so awful that they can do whatever they want, and they have immunity to continue using weak passwords.
If we don’t give them the opportunity to use weak passwords, the problem would be solved.
:-)
Not a weak password problem. I was hit (luckily, AmEx fraud dept. is tapped into the issue and called me twice immediately after it happened).
While not 12 characters like the gentleman above, my 7 character password was 7 characters, was not word-based, contained both letters and numbers, and contained both upper-case and lower-case characters.
Blaming this on weak passwords is irresponsible and you are making assumptions for which you have no basis. I have also not given this password to any other sites, and have not responded to any phishing emails. The possibility that Apple’s security has been compromised is high.
My own opinion is this is probably an Apple insider selling data directly out of the itunes database. Can’t say right now, but at least as of two years ago anyone who had access to the store’s management tools had access to the entire database. They could pull a backup, dump it on a USB hard drive and walk out the door. It would be interesting to see if people with new accounts are also having trouble, or only those who have had accounts for a couple of years.
It’s not a problem of weak password. It’s probably a keylogger code, hidden in the middle of the code of some of the million+ apps on the App Store…
They should look in their app qualifying process…
Woah, Charles, that comment was rather… well. It’s the same as if someone (hypothetically) said that all people in North America (Europe, etc) are selfish fools. Also, good companies shouldn’t suffer because of bad ones.
Please at least try to not offend anyone.
This happened to me too. Got hit for almost $200.
What isn’t clear at all in this story is if the iPhone, iTunes or even the “rogue apps” have anything whatever to do with the security breaches.
There are many phishing schemes out there, and any keylogger could be grabbing iTunes authentication info. That’s all that’s required to enable the purchase of the “rogue apps”, which sends money to the bad guys. The apps themselves may be harmless and functional.
More information is required before jumping to the conclusion that Apple is somehow at fault.
Apple is responsible if the keylogger is on the iphone.
They qualify the apps and they force you to register your credit card number on Itunes just to have the right to use their phone, even if you don’t want to buy anything (at least they used to force you, it’s no more the case…)
Jailbreaking is common. Maybe Cydia has a keylogger. (Not that I seriously believe it does, but it wouldn’t surprise me if some popular app did).
I have tried to remove my credit card info from Itunes and it will force me to reenter it before I can get a free app from the app store
Happened to me on Wednesday, June 30. Got an email from iTunes with a list of approx $50 in app purchases I didn’t make. One app was in Chinese characters. Credit card company stopped the charges immediately. Apple took a little longer….after sending several emails, finally got a response three days later. They are going to refund the fraudulent purchases.
@Tom Davenport. Maybe you should not downplay this or read closer and realize that 30 is not the number of accounts hacked but just the number of accounts reported to the owners of this dinky little site. This is not a simple case of hey some kid hacked my account by getting my pass. This is developers fooling the system and using it to buy their own apps. How can this be compared to hacking a facebook account? Are you seriously that thick?
- 30 is obviously not the only number of accounts hacked, but thanks
- Next web haven’t posted specific evidence of a spike in activity, though I’m not closed to the possibility that there has been
- Posting an air-raid-siren style news story deserves being called out on, especially if on a high traffic site which is going to be re-posted elsewhere (just look at those global trackbacks)
- Hacking of accounts and costing people money IS SERIOUS, but my main point?
The Next Web is, in this case and based on the ‘facts’ that have currently been disclosed, a sensationalistic publication. No, this is not the first article which suggests this.
Let’s get the definition to be clear:
–
sensationalism |senˈsā sh ənlˌizəm|
noun
1 (esp. in journalism) the use of exciting or shocking stories or language at the expense of accuracy, in order to provoke public interest or excitement
–
Regardless of the topic, screw that kind of practise. The internet needs crowdsourced calling out on this kind of exaggeration in the hope that it will one day be reliable.
Tom, I’m not sure who made you the guardian of journalistic integrity, protecting us against the perils of sensationalism, but 1) you have pointed out any inaccuracies used to stoke interest; and 2) stoking interest in this story is the goal since we won’t be able to judge how widespread this criminal activity is if affected persons assume it’s just them, try to fix the problem and move on without reporting.
I for one would have not reported this to anyone if I hadn’t come across this website. Thank you, nextweb, for this informative page and for letting me know I wasn’t alone.
Screw contacting Apple. My account was hacked a month or so ago for almost 200 bucks, and they didn’t care. They refused to check it out, just concerned with the money they were getting.
what to do about it: stop using iTunes.
Yeah, I’ll go out and buy a zune.
Great idea….. :P at least then you can buy a Zune Unlimited Pass for same music. You can even buy rent videos at better prices. Plus load sync music from other sources, cheaper without the hassle of being locked to only iTunes and being robbed blind like your moronic comment says you are! :D
This happened to me and I still haven’t gotten my money back… Lost $270. iTunes hasn’t been helpful in any way, shape, or form. And my bank has revealed themselves to be greedy jerks.
My itunes account has been inactive for well over a year, and suddenly the other day I was charged for 60 quids worth of apps, mainly iphone games…emailed apple, got a next to useless response which took three bloody days. I’ll be chasing this up.
The fraud dept. for the card I used on Itunes a few days ago called and said there was a strange charge on the card. $12 to something called St.Pius of Tennessee.?! Whatever that is!! Anyway, cancelled card and done with Itunes!!
Thanks for the article. Wife’s account got took for $600 in some Kingdom at War application purchases. Whatever that crap is. For those trying to write this off, only use MAC, checked all emails and no phishing/replies/etc. Decent password length, etc. I have been reading a lot of boards and this does not seem to be the standard hits that itunes accounts have been taking every week but a more widespread incident.
There are some many principle in accounts.
accounts
I can’t be the only person who saw this coming from a mile away
Why did you see this coming from a mile away? What appeared to be the warning signs of bad security policy that would cause this to happen? Or are you just trying to stir shit up?
Brain,
Those of us who are not blind did see this coming from a mile away. Apple has a long track record of taking forever to respond to anything from product defects to acknowledging and addressing security issues. They are so lax they had to hire a fraud specialist because of this because they just don’t attempt to anticipate problems. Even when people report the exact issues to Apple they get spit in the face by Apple and told things like hold differently. Best case in point, just how recently has Apple gotten malware protection (not from a third party)? Did you know there are over 1800 known vulnerabilities in OSX according to the NVD from homeland security. You know how many Windows 7 has? 18. How can there possibly be so many vulnerabilities if Apple is putting forth their A game? It’s because they are not. At best you have to wait what, 3 months for a critical vulnerability patch, and odds are Apple won’t tell you or acknowledge it exists at all. I would be terrified of what could be crawling around in my computer if I owned a Mac. At least with Windows we know when new vulnerabilities are discovered and we know they will be patched right away because Microsoft doesn’t try to call someone a liar when they report an issue.
in those situations i’m happy to not have an account on iTunes and to still buy CD, old-style
Still, it is worrying to see that a Giant like Apple can be easily hacked
I had my account hacked. Itunes is refusing to refund the charges! They’re making me do a charge back with my credit card and cancelling my account. Now I have to spend the whole day on the phone. Grrr…
My credit card company was really good about cancellation, etc. They actually caught and stopped paying the charges once they realized this was out of pattern behavior. Apple has to force you to the credit company since they already processed the charge. That being said, Apple I believe does not pay their apps developers until 30 days after purchase, which means they could actually issue refunds since money was never sent. What I am most upset about though is Apple does not have a check for pattern behavior, as all of a sudden I registered a new computer overseas with a new device and downloaded hundreds of dollars in apps when the last 20 purchases were 3.99 or less in music. Also, they have the computer info, the device info, the country, etc. for the person(s) using the hacked information. They should be able to be more proactive in policing their on-line storefront. This is not a new problem with itunes, just on a larger scale and many of the flaws should have been addressed. As for how they got the account information, I agree with Brian, I doubt the database was hacked from outside, but I would not be surprised if apple allows too much access to their overseas apps development.
Is there any clue as to how they’re doing it yet?
I would be very surprised if it was iTunes database that was actually compromised. And you’d have to be very stupid to fall for an iTunes phishing attempt.
More than likely, iTunes wasn’t “hacked”, it was probably just exploited. Wouldn’t be surprised if it was a web service somewhere that didn’t require to authenticate to purchase, just an account ID hash and the App ID.
If one existed, the attacker could just script mass guesses on account IDs for their apps. Inevitably they’d get a hit.
No, they actually get access to the account, since they changed my account settings to chinese language and chinese appstore…
I have been trying to draw attention to the Apple ID hijacking issue for over a year. Mine was hijacked back in June of 2009. I documented the problem on my blog in two posts. Even back then Apple said they were “looking into it” but people’s accounts are still regularly hijacked, whether on a Mac or PC.
My Apple ID was hijacked after trying to join the Apple Developers Connection. Within hours of joining, I found myself locked out of my iTunes account.
The issue isn’t really iTune fraud, that’s only a “symptom” of the real issue. Apple’s method of changing a password is too easy. Security questions, can be all too easily figured out in this day of blogs and social media. Apple needs to go back to eMailing the registered eMail account with a link back to a page to change usernames & or passwords.
I was not the first and certainly won’t be the last.
The entire story can be read in these two posts.
http://go2jo.us/c7pJOZ
http://go2jo.us/b1twSJ
Is the Apple Developers Connection running on akamai IPs or is it on apple IPs? I really do not like the redirect of http://www.apple.com to akamai hostnames.
Btw Joe, do you remember the original Apple Dev Connection, with the six steps modem call from the Apple Plus?
Funny …. I never even thought of that. Even though the ADC & IDC logins are https … are they being redirected to akamai? I would say that’s a good “in” for someone “sniffing” the stream. Either that or the paranoia level’s getting mighty high in here! ; )
Though an old fart(?) and long time Mac user (1986) … I’m kind of new to the ADC … and more a wanna-be than programmer.
If you’re running over HTTPS, then sniffing the packets is useless.
This is way more widespread than Apple would like anyone to believe. My account was hacked in March of this year, with over $800 charged to my credit card. Take a look at http://garysaid.com/is-my-apple-itunes-account-hacked/ for an interesting read.
My Belgian account is compromised this weekend with 30 purchases for each 80€ (same app), totalling 2400€ (3000$).
Blizzard Activision has been recently experiencing a large number of World of Warcraft account breakins. My account was busted into, and they did the usual thing of selling all the components and attempted to coopt the account for as long a time as they can (Blizzard can take a while to resolve these matters) by assigning it THEIR authenticator. I am frankly not sure how they broke into the account; the usual suspected method is by Phishing, altho brute force approaches aren’t out of the question.
One of the things going on is that Blizzard has been moving customers to their Battlenet system, which uses email addresses. In the past, I just used an unpublished name for the account names, but now the bad guys can see email addresses being used on the web to target phishing and brute force attacks. You really have to use an unpublished (aka unused) email address for this kind of thing.
I raise the point because these people are very successful in breaking into WoW accounts. The same people may be targeting iTunes accounts by creating bogus vendors and attempting to route monies spent on iTunes App store products to the bogus vendor, who happens to be them. This works if nobody notices for a while, which is the exact same game they play with WoW accounts. They use them until they’re kicked off.
So there are a couple issues here: People aren’t noticing that someone is spending their money on their iTunes account; Apple has to do a better job detecting retail process anomalies; Apple may want to consider implementing an authenticator mechanism for the iTunes store, I downloaded mine free for WoW; Apple needs to feedback transactions by email “louder”.
Unlike a few people commenting here, I think Apple has excellent people working on addressing the problem. I expect their legal counsel is very hard at work. (I also think that Apple engineering doesn’t work during 4th of July weekend.) Considering how widespread successful operations like the iTunes store are (that is, there aren’t very many) I think Apple will nail this problem with the seriousness it deserves.
Just for completeness, Apple has had bugs and security risks in iTunes in the past :
http://www.computersafetytip.com/apple-released-itunes-v81-as-security-update.html
Subscribing to a podcast could reveal your password and account information. This just to illustrate that all those people yelling “it’s their own fault” overlook quite some history that is – obviously- kept as quiet as possible by Apple, but nevertheless exists.
Please use accurate information when summarizing a link. Subscribing to a podcast does NOT expose your password, nor did it ever.
Subscribing to a Podcast allowed the Podcast Server to send an authentication request dialog to the user. It still does.
The fix is that the dialog now tells the user it’s the Podcast Server making the request for userid/password, not iTunes. Malicious podcasts were using user confusion to access user passwords (request Password, user thinks iTunes, podcast server receives user/pass that user entered in).
Thanks for the correction.
Still, it’s a security leak on the Apple side, as there were many others, including those where malicious code could be run on an OSX system. See the security updates of Apple themselves.
That was my main point: it’s not always the user side that makes the mistakes.
My Itunes account was hacked yesterday (7/6). They spent almost three thousand dollars! On what, I have no clue. Although my bank is working with me, my account is now in the hole and in limbo for the next five to seven days. I had what was considered a “strong” password so I thought I was safe. Lesson learned. Just in case the person who did this gets their kicks reading comment sections……I am not some nameless, faceless person in cyberspace. I am a human being who lives check to check like most everyone. I have bills to pay. I work hard for my money. Leave me alone. Leave everyone else alone. You want something, get your backside off your computer chair and go EARN it!
How do people normally buy apps? Through their phone, right? So what if someone were to write an app that does keystroke logging, or something else to buy apps from the phone as if the user is buying them? Change your password? The rogue app will know about it.
I have to say I agree with most of what Tom Davenport has said thus far. There has been little information about the total number of hacked accounts (which we will likely never know) and the duration of time in which these accounts were compromised. The duration of time in which these accounts were compromised in is rather critical information. If one of the previous postings data is close to accurate by stating that approximately 10% of these hacked accounts have been reported here. This is only but a small fraction of the total iTunes user community and I would suspect again as another posting mentions more of a Phishing style attack rather than a mass account compromise similar to that which has plagued World of Warcraft as of late.
Again a few points which were missed but are critical include the reasons why being more specific in stories like this are so important. What it really comes down to is intention. If the intention is for any site to be taken seriously when it reports technical or security related issues then they must ensure the right verbiage is used. If the wrong verbiage or incomplete verbiage is used and you claim to be a technical site don’t be surprised when those people who are technical complain a bit.
Apple has officially stated only 400 accounts were affected… judging by reports to PC World and even an EDN editor got hit, I’d be willing to bet the actual number is 10x or more higher than that. Perhaps only 400 accounts were involved in the one attack, but others are occurring which Apple is not acknowledging.
The two erroneous charges in my card have already been reverted by Apple, after a week, without need of notifying the bank. I hypothesized that these charges were due to mistakes of a human operator under pressure the 29th, as one of them was clearly a visual mistake looking at some row/column in a table. During all this time, apple did not acknowledge any mistake in its side, but it was cured anyway, so I guess it was reported and cared of.
My ITunes account was hacked. Not only did they make purchases but they changed my passwords and my DOB so I couldn’t get to the support screens. I emailed support right away. Got a “..We received your email…will contact you soon” response the next day, but haven’t heard anything more in three days.
Account hacked overnight. 120 charges of $9.99 to iTunes for WhistlePhone app, for a total of $1200 while I slept. Apple did nothing. I changed password and called bank, who opened a fraud case. PITA.
My account was hacked, and my CC was used outside of the iTunes store as well as inside. The inside purchases were not shown in my history. The symptom of the hack was repeated requests at the iTunes store to enter my password – every 20-30 seconds or more, without my taking any other actions, and then suddenly several times my account page showed up without my requesting it. The next days, the illegit charges appeared.
It just happened to me today! I had two purchases on my account, both around $40, that I did not make. Both purchases included apps from Asian developers. I contacted Apple, and I was lucky enough to actually reach someone on the phone who took the issue seriously and cancelled my iTunes account.
Does this junk work?
HEY Zee, your comments section SUCKS. Very hard to add a comment here.
” the Apple App store is filled with App Farms being used to steal.”
The ever “Secure” Apple will keep you safe from hacking, LOL. Now don’t tell me that anyone else but apple staff wrote the app store. I think I’ll stick with my windows 7 and Microsoft store.
@BeeeBeee This is probably one of the easiest sites to post a comment on, of any site on the web. Maybe you should try a real web browser, instead of IE6,7 or 8…. eh?!?! :P
I recommend either new Safari, Opera, Chrome or Firefox! :D
btw… you missed all the action on this website. So if you’re looking for some 17yr old female student to beat up on over her iTunes account, Apple’s already taken care of her problems. So move along and take your demented Balmer chair throwing mentality with you!!! ….you know with his “Remote Code Execution” Operating System! ;)
Oh? You mean like Safari that was the cause of the first computer being hacked at the PWN to OWN contest in two minutes. Yeah, that sounds like an improvement. Oh, and has Apple fixed the issue yet? hmmm….. You might want to take a look in the mirror, because in this case it is pot meet kettle. If you believe your mac can’t be hacked and does not contain vulnerabilities you deserve everything coming your way soon since more and more hackers are turning to hacking Apple where supposedly all the “Rich users” are. Good luck.
haha…. Dave you crack me up! :P ….yeah, but I’m just including Safari because this is all about Apple and their users.
But…. I still only use latest beta trial ware IE 9 sparingly. Only because it does not have the features of browsers like Chrome and new Firefox 4 beta. New Opera has got all IE versions beat too. Sorry! :D
btw… don’t see the awesome comment from you I was notified of. Where is it? :O
Impossible, Apple doesn’t have security holes. It must be someone else’s fault.
Yeah…. they already announced that it was AT&T’s fault! ….you know cuz you know….. all the dropped calls have been their fault too, so why not blame the antenna design and iTunes scams on them too! :D
Thank you for posting this. My account was hacked on June 30 ending on July 1 when I caught three large purchases made via the World War app. My bank is dealing with the issue, Apple’s support sucks. I did not believe at the time that it was a problem with my password being compromised, and am furious that the best that Apple’s support could do was to send me a form letter with a link on how to make my account more secure. When the complaints began to roll in, Apple should have disabled their store to put the brakes on the problem. I have zero confidence in Apple and even for their apps. And with Apple keeping silent, how do I even know if there is a rogue app on my device? I’ve removed all of them and I’m counting the days until my contract expires.
Agreed. I was hacked on the 13th and its been ongoing with Apple whose “support” is both arrogant and sucks. Paypal on the other hand has been really great: but as of today I still am missing about 500.00 from my checking account, but assured these will be reversed. Paypal folks told me Apple is doing a re-guard action to disseminate a small number of problems (400 or so) well the fellow I spoke to today at PP said he had to handle 160 cases himself in the last two days. Apple got slammed and they will not stand up and tell folks that I-tunes is utterly compromised.
Starting to get worried about all this hacking. Are we really in danger or is this just all media frenzy?
I just got hit by the World War fraudulent in-app purchases for “honor points” yesterday to the tune of $1049.93. They were not piggy-backed on other orders, appeared as 7 separate $149.99 purchases. Use mac and iphone only, WPA protected wifi, strong password, savvy about phishing.
I had some piggy backing on a legit order as well. My credit card company rep. had never heard of that one. I had a strong password and logged into my iTunes account on 6/25 for the first time since 2008. I had 0 virus, malware, etc. on my PC. I have purchased numerous items online since this on different credit cards…no fraudulent charges have shown up from other vendors.
My iTunes account has been disabled. They keep emailing me to re-establish my account asking how did we deal with your issue? No new password will not be forthcoming!
Make that 401 accounts. My iTunes account was compromised 2 days ago by a malicious app running on my iPhone. Not enough room here to go into all the details, but sufficient to say that the Malware embedded in a “legitimate looking” app downloaded another app unbeknownst to me which immediately made a single purchase in the iTunes store. Sort of a trial run, I guess. The software laid dormant for about 10 hours, then proceeded to make 25 additional purchases from the iTunes store for exactly $64.93, all in the space of 30 minutes. That’s over $1600. I’ve only made ONE previous purchase from iTunes. Shouldn’t this have raised a red flag? Guess not, because the sale proceeded directly to my PayPal account, then directly to my Credit Card and Bank Account. JPMorgan Chase Bank fraud police shut down the transactions to my Credit Card after 7 transactions (at least someone is paying attention), but the next day, Paypal ran the charges thru my secondary payment option, my bank account, because they looked like legitimate charges from a “verified seller”. Long story short, the iTunes store did issue a Reversal of the charges to PayPal, now I’m waiting for the money from my credit card and bank account to settle in PayPal so they can issue me a refund. The folks at JPMorgan Chase Bank and PayPal have been very helpful. Apart from their initial “got your complaint” e-mail, Not a peep from Apple and it’s now 52 hours into their 48 hour response. Guess they’re too busy sweeping this fiasco under the rug. Oh yeah, that thing about changing your ITunes password…what good is that going to do if the MALWARE is running on your phone waiting for you to download another App where you HAVE TO TYPE IN YOUR ITUNES PASSWORD. Changing your password is a waste of time. And before the Apple dumpling gang starts attacking me…this was a brand new 3GS iPhone (my old iPhone broke 2 weeks ago) running the latest OS4 (Hmmm part of the problem? TSR programs & malware running in the background? Where’s Task Manager when you need it?) and iTunes 9.2.0.61. I own Macs and PCs and I love my iPhone, but Apple has a real problem with their App screening and a bigger problem with customer service.
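Several comments above ask why these purchase patterns raised no flag: a new overseas device buying hundreds of dollars in apps after a history of purchases at $3.99 or less, or 25 identical $64.93 charges within 30 minutes. The sketch below is an added example (not part of any comment, and not Apple's or any payment processor's logic) of the kind of out-of-pattern check being asked for; the record fields, thresholds and sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass(frozen=True)
class Purchase:
    when: datetime
    cents: int      # price in cents, so equal prices compare exactly
    device: str
    country: str


# Assumed thresholds, chosen for illustration only.
AMOUNT_MULTIPLIER = 10                    # "large" = over 10x the account's median purchase
VELOCITY_WINDOW = timedelta(minutes=30)
VELOCITY_LIMIT = 5                        # more than 5 purchases inside the window
REPEAT_LIMIT = 3                          # same price 3 or more times inside the window
HOLD_AT = 2                               # hold a purchase when at least 2 signals fire


def score_purchase(history, seen, p):
    """Return the list of signals that make purchase p look out of pattern.

    history: purchases already accepted as the account owner's own.
    seen:    purchases observed earlier in the stream being reviewed.
    """
    reasons = []
    if history:
        typical = median(h.cents for h in history)
        if typical > 0 and p.cents > AMOUNT_MULTIPLIER * typical:
            reasons.append("amount")
        if p.device not in {h.device for h in history}:
            reasons.append("new_device")
        if p.country not in {h.country for h in history}:
            reasons.append("new_country")
    # Purchases in the trailing window, used for burst and repeated-price checks.
    window = [s for s in seen if timedelta(0) <= p.when - s.when <= VELOCITY_WINDOW]
    if len(window) + 1 > VELOCITY_LIMIT:
        reasons.append("velocity")
    if sum(1 for s in window if s.cents == p.cents) + 1 >= REPEAT_LIMIT:
        reasons.append("repeated_amount")
    return reasons


def review_stream(history, stream):
    """Walk new purchases in time order; return (accepted, held_with_reasons)."""
    accepted, held, seen = [], [], []
    for p in sorted(stream, key=lambda x: x.when):
        reasons = score_purchase(history, seen, p)
        seen.append(p)  # held purchases still count toward later velocity checks
        if len(reasons) >= HOLD_AT:
            held.append((p, reasons))
        else:
            accepted.append(p)
    return accepted, held


def build_sample():
    """Constructed data: 20 small purchases from one home device, then one normal
    purchase and a burst of 25 identical $64.93 charges from an unseen device."""
    start = datetime(2010, 1, 1, 20, 0)
    prices = [99, 129, 399]
    history = [Purchase(start + timedelta(days=7 * i), prices[i % 3], "home-mac", "US")
               for i in range(20)]
    normal = Purchase(datetime(2010, 7, 1, 12, 0), 129, "home-mac", "US")
    burst_start = datetime(2010, 7, 2, 3, 0)
    burst = [Purchase(burst_start + timedelta(seconds=72 * i), 6493, "unknown-pc", "XX")
             for i in range(25)]
    return history, [normal] + burst


if __name__ == "__main__":
    hist, new = build_sample()
    ok, flagged = review_stream(hist, new)
    print(f"accepted={len(ok)} held={len(flagged)}")
    for purchase, why in flagged[:6]:
        print(purchase.when.time(), purchase.cents, ",".join(why))
```

Holding on two or more signals keeps a single unusual event, such as one purchase from a new device, from blocking a legitimate customer.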
Ok, so I took ALL information off Itunes. Changed password and unauthorized all computers. Filed fraud complaint with the bank, got new debit card which is NOT on Itunes. So someone please tell me HOW this could happen to me again?!! They spent almost $1500 this time. THIS time because yes, it’s the SECOND time in ten days!!
Kathi, I assume you mean you changed your iTunes account password. That’s the first thing Apple will tell you to do. That won’t do a thing to stop the attacks (are you listening Apple? If I’m wrong I’d like someone from Apple to explain how I’m wrong). If the Malware is already on your phone and running in the background (thanks to multi-tasking ability in OS4), the Malware is just waiting for you to type in your iTunes password when you download an App or a song or just update an existing App. Type in password, Malware’s got it and is heading straight for your pocket book!
I have 2 iTunes accounts that I opened at different times. It’s interesting that they have different payment options. One account has 4 credit card choices and NONE. (I’ve selected NONE to prevent unauthorized purchases). The other account has 4 credit card choices and PayPal. NONE is not an option. This is the account that was attacked to the tune of $1600 by running the charges thru PayPal. What’s dangerous (and was probably OK’d by me when I signed the 1,584 page iTunes licensing agreement) is that when an iTunes charge is placed thru PayPal, it’s not necessary for me to enter my PayPal password. The charges just go straight from iTunes thru PayPal and straight to my credit card or bank account. The following solution is directly from PayPal and is the only way to stop iTunes charges…
1. Go to the PayPal website and log in to your account.
2. Click “Profile” , Click “More Options”
3. Click “My Approved Payments” under Financial Information.
4. Find the merchant whose agreement you want to cancel.
5. Select the merchant’s name or email address.
6. Click “Cancel.”
Hope this helps.
Thank you for the information. After so LITTLE help from people involved with my money, it’s refreshing to see someone somewhere is hearing me. Here’s the thing. I don’t have an Apple phone. I can’t get on the web, or even so much as text with my phone. I did everything Apple suggested after the first fraud. Bank said file a fraud report with police against Itunes, so that’s the next step. I plan to take all the condescending Itune emails with me when I go file.
You should put blocks on your Paypal, Credit Cards and bank accounts being accessed by iTunes. They are all responsible for any illegal transactions and are more than willing to help you do this over the phone with support calls!
Actually I’m beginning to suspect that Apple has a greater problem inside the company. Those agencies they contract with to operate their services could be stealing account info. It could be linked to some security breaches within the company itself with it’s own employees. Unscrupulous former employees or even present employees could be involved!!!
…but yes by all means pursue the complaint process with police. Also the banking and credit card companies against Apple iTunes can help by refusing to fund any transactions from iTunes!
I have today had 7 fraudulent purchases in my account
This is so silly, if you’re abroad (outside North America), you sometimes cannot even log in to your purchase history! How in the world is one supposed to check for fraud if this happens again?
As an aside, I uploaded an App to the App Store in mid June.
It still cannot be found using Keyword Search.
Although if you type the app name it can be found.
More over though, I know there have been purchases made and ratings placed. But it shows no purchases, and my account shows no sales. Apple Support is less than responsive and I’m angry….
Anyone else experienced this ?
I discovered yesterday that my iTunes acc’t was hacked between July 13th and July 16th.
I love Apple! But they don’t love me. They are not being helpful at all. This is a rude awakening.
FYI, I just got hit by this hack this morning. (08/03/2010).
I do not own a windows computer, I use only Macs … and I never buy apps via itunes on my computer, I always buy them via the app store on the phone.
I’m a security guy by trade and have Anti-malware installed on all my Macs. I believe the compromise of my account happened on Apple’s side of the equation.
Still waiting to hear if I’m going to get my $130 bucks back.
The simplest thing is, “Don’t use iTunes. ever, for nothing.” When you do, you’re surrendering control of your media to Apple. Do you think they have your best interests in mind? Or maybe profits and enforcing DRM whether it’s right and fair or not? Use your hear for something beside a place to wear your cap backwards.
First, do you think any corporation has your best interests in mind? No. They have the best interests of the shareholders in mind. The consumer is second.
A few years back iTunes converted most of their songs to iTunes Plus meaning no DRM (they had two levels and then purchases all went to iTunes Plus).
As for using my head (I assume you meant “head” and not “hear” – oh the irony) for something other than wearing my cap backwards… do you mean I should be wearing this stylish Aluminum foil hat like you?
Okay, so I got hit by this yesterday and lost more than I have read about so far…a total of $1,633 all in increments of $163.30 to some World War app….PayPal is investigating and my bank needs to wait until the charges stop pending to take action. But the more I look into this matter, the more depressing it seems that nothing will be resolved. I am a student; needless to say, I can not afford to have something like this happen…neither words nor actions can express how mad I am.
Kai, I got hit last week and Apple has agreed to refund my money. Definitely do all of the things listed in the “what you should do” section of this page. Also (if you haven’t already) use the “report a problem” option within itunes when viewing your purchase history there.
After about 48 hours (since you reported the problem as many ways as you can), start calling and talking to human beings.
The Apple folks were surprisingly helpful when I talked with them.
Good Luck.
I got hit last night 11 transactions for the same “World War Desert Edition, 2700 Honor Points” app after tax they are $162.36 for a grand total of $1,625! I am a student that works full time and I raise 4 kids, I cannot afford this! I tried to call Apple, only to be told that iTunes does not have a live billing rep, and that I need to fill out a form online and send it in, and that I would be contacted within 24 hours (online after you fill out the form it says 48, what liars they are!) so, I did that. My iTunes is (was) linked to my PayPal account, I changed that very quickly! I also have PayPal investigating. My bank says they cannot do anything until the charges hit, but I do not have that kind of money in the bank! It does not seem to me that Apple is doing anything constructive about this if it is continuing to happen! I am not thrilled! I almost never use iTunes, I don’t even really know how. I only have an account for my daughter’s iPod Shuffle that her Father bought her for her Birthday last year, which at the moment is sitting on my bathroom counter with a dead battery… Oh, I am LIVID!
I find several issues with this post. According to Apple you can’t buy 2700 Honor Points for World War Desert Edition (http://itunes.apple.com/us/app/world-war-desert-edition/id375880176?mt=8). Besides that the most expensive in-app purchase is $99.99.
Secondly, 162.36 * 11 = 1785.96.
Finally, if this is a legit issue, I’d suspect it was one of your kids.
I can confirm that she is not lying and I do not see what kind of basis you could possibly have that it was one of her kids, considering there are countless other cases about the same exact issue.
Myself included – http://i216.photobucket.com/albums/cc133/wooooooper/itunesfraud.jpg
As for Faith, I understand what you must be going through since I went through the same just a few days ago but try to keep a level head, my bank actually reversed all the charges after they were done pending and PayPal finished investigating after 4 days. It worked out in the end for me as I am sure it will work out for you too
Best of luck
Thanks for the screenshot. The other accounts I could believe.. but there seemed to be many holes in Faith’s story.
Thanks for the screenshot though.
As for blaming the kids, this comes from working in the cell phone industry. Don’t know how many times I’ve heard the “Someone must be hacking the cell phone cuz my little johnny/suzie wouldn’t dare send 900 text messages in the course of an hour .. especially not 4 months in a row” … or “I never authorized these charges for voting for American Idle and I’m sure wouldn’t have either”.
I also have a friend whose child purchased $100-$200 in apps on iTunes thinking (or not as the case may be) they were free…
tl;dr: kids do stupid things & parents don’t believe they’re capable of doing so.
It is perfectly understandable to blame the kids, it is actually the first thing I would ask too when someone is claiming fraud. If not for my case being exactly the same then I would probably have thought the same thing.
On a side note…there is an alarming amount of people who have suffered from this and not enough people reporting how they resolved it. It had led me to believe that neither PayPal nor Apple would ever reverse the payments but that is not the case. I also forgot to thank you Dave, for pointing me in the right direction.
– To those who have been hit and are panicking due to a lack of “success stories,” simply take the necessary measures in reporting however which way possible. Open all your PayPal dispute cases, e-mail Apple and try to project just how much this has ruined your life since it is after-all a serious matter and an e-mail at that and the last resort would be to tell your bank to reverse the charges because once they reverse it (and they will do it right away after the charges stop pending) they will issue a message to PayPal and PayPal will suspend your account, as well as close all cases regarding the issue. This would not really be a problem but they replace those cases with new ones and it would take a longer time for them to investigate.
I don’t have kids. I also don’t have a smartphone. I do have a few hundred dollars missing from my bank account, and another hundred in overdraft charges due to 23 Apps, songs, ringtones, and audiobooks ordered through my iTunes account. Don’t be so bloody arrogant.
Yes it is possible.. would you like to see my email where they charged me for the same app today and attempted to charge the account 2 more times but were denied. Luckily it was an account not used much and only contained a limited amount of funds.
The kids issue is also not valid as I only have 1 PC that has iTunes or any form thereof and it has been in storage since August 1st because we moved and do not have desks set up yet. We do not use iPhones or pads or anything else because we hate Apple :)
I am lucky as my bank is handling everything and only 1 transaction which was 162.36 is being fixed.
I purchased Wurdle for $1.99 for my iPhone through iTunes on July 25, 2010. It was my first purchase through iTunes since last November. I had to verify my account information, enter my password and bend over to Apple’s terms. That afternoon, my credit card company called asking to verify a recent purchase of $1. This didn’t make any sense because my original purchase was for $1.99. The Visa account rep said Apple will charge $1 for handling the transaction, then once the transaction is complete, credit your account $1. I confirmed that I had made a purchase through iTunes earlier that day and all was good. However, the account rep said, “Hold on! Did you also make an $83 purchase to Strawberry Cosmetic in Hong Kong at 5:32AM?” “Um, no!” Right then, my credit card was cancelled and I was issued another. First time for everything. Guess I was lucky it was only $83 and the credit card company is not holding me responsible.
I got hacked on August 11th. Damages were a few cents short of $1,813. Same as some of you guys. $149.99 in-game credit purchases for the game “original gangsters rock”, along with a bunch of movie downloads. And I don’t have any kids or own an iPhone anymore. Switched to Droid in April.
Also make sure to cancel any PayPal billing agreements in your PayPal account in your Profile section. Profile – More Options – “My preapproved payments” under Financial column – cancel the iTunes agreement.
Hello, how to connect account with iPhone? I don’t have a credit card to review… Please help me
Ok, I don’t get all the hacking stuff. Can somebody help me?
This just happened to me. Thank god I only had about $13 left on my giftcard and thank god I didn’t not put my credit card information on my account.
I sent Apple an email just a few moments ago. Hopefully, I’ll get a refund.