
iTunes store account hacked

I'm posting this just to share my story and get reactions. It's a little detailed but I thought worth sharing.

On November 23, 2010 I purchased a single song from the iTunes store for $0.99. I used store credit that I had from a gift card I received last year. It was the first purchase I had made since July 2010.

On November 25, 2010 I received a receipt for 2 more separate orders to my account. These were for over $50 in iPhones apps. Here's a sampling of some of the purchases:

1 eREAD isoshu, v1.5, Seller: ChengDu YueTong Internet Information Co. Ltd (17+)
2 Plants vs. Zombies, v1.3, Seller: PopCap Games, Inc. (iDP)
3 Monkey Island 2 Special Edition: LeChuck's Revenge, v1.1, Seller: Lucasfilm International Services Inc.
4 Asphalt 5, v1.2.6, Seller: Gameloft (9+)
5 Let's Golf!® 2, v1.0.1, Seller: Gameloft (4+)
6 Frames & FX for Photos, v2.5.1, Seller: Imikimi, LLC (12+)
7 Stenches: A Zombie Tale of Trenches, v1.0.1, Seller: Thunder Game Works (9+)

I do not have a credit card linked to my account, so these were made using my store credit.

I have only 1 computer authorized for my account (my personal home computer). I live alone and no one else touches my Powerbook but me. I also DO NOT own an iPhone, so I would have no interest in apps.

After I saw these bizarre purchases, I checked my account. I noticed 2 strange things: My account information had changed: My street address was correct, but city, state and zip had changed to: Towson, MD 21286-7840. I have never lived in Maryland. Also, I noticed that my password recovery answer had changed to "Murray" in response to a question about my mother's maiden name. That's decidedly NOT my mother's maiden name. Also, my birthdate had changed to an incorrect month and day.

I immediately changed my password and my recovery question/answer challenge.

I reported problems on all of these purchases and also contacted iTunes Account Support by e-mail.

Within 24 hours I received an e-mail from "Vicki" at iTunes Customer Support. She wrote:

"When reviewing over your account "name@domain.net" and the two reported orders, it shows that the content purchased within them was acquired from the computer that is currently authorized for your iTunes account. So I strongly advise that you do consult with those in your household regarding the purchases made, and the charges that resulted from those purchases."

Further:

"I have gone and reversed the charges for the two orders....You will see a store credit in three to five business days....Please note that this is a one-time exception, as the iTunes Store Terms and Conditions state that all sales are final."

I am pleased that Apple is refunding my store credit and replied so quickly.

However, it is simply impossible that these purchases were made from my computer. Again, my Powerbook is the only computer I have ever authorized to access my account, and I am the only person with access to it.

I am not sure how this happened. Any thoughts or similar experiences?

Powerbook G4, Mac OS X (10.5.8)

Posted on Nov 28, 2010 3:43 PM

1,958 replies

May 16, 2011 12:52 PM in response to gnahc79

It appears to me that even more similarities between customers include some of the following:

- Apple blaming the user for 'accidental purchases', not dealing with the problem as a hack or calling any of this a 'problem'; moreover claiming each person is having a unique and undignified exclusive issue.

- A few particular 'apps' (never music?) are commonly abusive ways of ripping off people.. like a poker app in particular or some odd ball game ones I won't give a free advert to.

- The Apple so-called 'support services' email-based overseas spends little or no time at all reading the emails. (Seriously, can they even understand the language? The responses are so off base all the time). Doesn't matter if you have CC action numbers to include, or an FBI file register number on a detailed accounting, they respond with a step by step script that has nothing to do with anyone's particular case at all. It is never helpful, never supportive and never 'solves' the problem. I did far more in proactive and reactive action than those talking heads ever outlined on the emails.

- Unless people are not mentioning crime activities using their CC OUTSIDE OF APPLE, it appears to me this crime is being committed only WITHIN the Apple system and confined to the limitations of either the gift card or C card limits/credits. It's almost like they can freely and easily access ANYONE'S iTunes/Apple ID account and purchase Apple things, but they can't do anything else outside the system.

So perhaps in fact the CC info is actually protected, but the use of the system that automatically BILLS this information ISN'T.

Why aren't limits used to the max on something really worthwhile like a car or jewels or goods? Why crap apps like a poker app, that clearly is being exchanged for money in a commerce like way, but nothing that shows abuse being turned into hard currency that can be used on anything a crook would rather prefer to have?

Why?

I'm asking why here because Apple is REFUSING to discuss or deal with the problems at all (just shut down and refund), no one is considering the oddity of it, and no one but the victims seems to be addressing the problem as anything but 'irregularities'.

My CC appears to not have had a single debit outside of the Apple problem, months after the initial abuse. I am not going to 'get another CC card' as Apple pretends is the solution.

I believe wholly the problem is an inside flaw in iTunes accounting, Apple's system of commerce, or otherwise an inside job. There is no other logical conclusion when it is confined JUST to the data they are storing in their commerce data banks.

"Apple shall not be responsible for any losses arising out of the unauthorized use of your Account."

This part of one of their EULAs says it all. At no time does Apple ever seem to outline any accepted responsibility to anyone for anything; they put all losses, problems, issues, debts and hack attacks on the customers' shoulders, is how it reads to me.

This being stated up front, I now will learn to live without ANY Apple product or service that requires me to leave sensitive information with them that can be abused against me, as Apple has written clearly they do not want or have to protect me or solve any Apple-related problems that affect me. A secondary approach might be to take the existing account that doesn't have the CC stored with Apple, activate it with CC data ONLY for the few minutes it takes to get a purchase done and a PO number from Apple, then withdraw the CC data immediately after.

Heck of a hassle and complex way of doing business for just a dollar song or app, but obviously necessary.

May 16, 2011 1:15 PM in response to gnahc79

Oops, just to clarify my post. Turns out I never added my CC on file to my iTunes account (yay) and the hacker just cleared out the gift card balance. I got the refund, a one time exception as stated by the copy/paste response. Good thing I don't make any app purchases and only a rare song purchase since I only have an old 5th gen iPod video.

May 16, 2011 1:23 PM in response to Brad Schurman

I agree with Brad's thoughts on this. I have already uninstalled any app that stores any personal info or ties to personal info from both my iPhone as well as iTunes, because my entire exchange - plus this thread - has shown me that Apple's security is not anything to have trust in. I'm not sure which part is breached where, but I'm not taking any chances with anything being exchanged between my iPhone, iTunes, and Apple's databases.

For anyone new to this thread, you will more than likely have your credit returned by Apple. I suggest spending it as soon as you can, as much of it as you can, to protect yourself from having this type of attack happen again.

May 17, 2011 6:41 PM in response to stereocourier

I have the exact same problem. I just checked my iTunes account after not using it for several months and found that my account's been changed around to Towson, MD and the game KingdomConquest was bought.

I called a rep but they weren't really helpful. They just kept me on hold for a long time and kept sending me to different reps who all said the same thing...and sent me to another rep.

May 17, 2011 7:05 PM in response to michelleZ

I'd like to follow up on my experience. I filled out the form on the support web site, next day or so got a response, and got back to them on the weekend. Not counting the weekend where I'm guessing they weren't working, it only took a couple days to refund the amount, lock the account, then have me verify it was me, reopening my account. They didn't imply it was "my fault" for being hacked, a little sad about the 'one time only' thing, as hopefully it won't happen again, but concerned if it does I'll be out of luck.

May 18, 2011 1:53 PM in response to sclar12

Same happened to me. Added a 50€ gift card last weekend. Today received two bills, dated May 16th with 34.99€ and 2x 6.99€. Both are for in-app purchases for KingdomConquest, which I never downloaded myself.... The other thing is that my CC information has been removed from my account.

But interesting to see that it is happening to others too recently. Looks like there is some serious bug in the billing system...

Filled in the support form, hope the money gets refunded by Apple without problems.

Regards from Austria

PS: Sorry for the bad spelling, **** German autocorrection ;)

May 19, 2011 8:44 AM in response to DominikFromAustria

So I have had two attacks this week:

On Monday, the usual poker suspect came in and emptied my account (about $50). I emailed Apple and they replied with your account has been disabled, change your pass, we will refund you, etc. I hadn't gotten around to restarting it, and the same thing has happened again. This time for $25, but the account only had less than a dollar in it I think. So the account wasn't even active when it happened. And might have been empty of cash before it happened?

May 19, 2011 11:13 AM in response to Beast70

Ditto. Birthday gift card? Used. Additional charges made to my account? About $40.00. This is seriously unacceptable. I was lucky(?) that ANOTHER thief who was altogether stopped had recently tried to use my card, so I had it replaced. The one on iTunes was inactive. But now iTunes is holding me responsible for the unpaid theft. Trying to get cust. service to wipe the excess fees, even though my gift card money is likely gone.

May 19, 2011 6:21 PM in response to stereocourier

I also experienced the KingdomConquest hack this week. Gift card balance was drained within hours of applying it to the store, and my credit card info was removed from the account.

Emailed Apple, waiting for a response.

In the meantime I've followed the usual prescriptive advice:

- changed iTunes password

- changed security questions

I don't have 5 authorized computers, so I can't flush them all until support gets back to me.

What's bugging me is the anatomy of this hack. Setting aside the question of how did they get into my account: why? The app appears to be legitimate, from Sega. My gift card balance was exchanged for in-world currency, which according to Sega's documentation can't be transferred between players in-world. So I don't really understand the point to stealing my money to fund an MMORPG on a cell phone when the theft would be discovered within a day or so. Am I just missing something, or is there a vulnerability in this game that people are using to exchange in-world currency for real world cash?

May 19, 2011 10:59 PM in response to bluemc

Honest to G's truth, exactly what did you say that has anything to offer to the discussion of hacked accounts, solutions to being ripped off, or is helpful to lusid's accounting whatsoever? "Try this trick!" smacks of a spam email approach, to be blunt.

It disappoints me that the correlation between the rising popularity of the Macintosh platform to the lowering of knowledge and overall quality is becoming so blatant. That includes the increasing number of so called 'secure platform incidents'. This is not the Macintosh sphere I know from years ago.

"I don't have 5 authorized computers"...

READ THAT QUOTE. It means lusid has computers he/she cannot de-authorize, even if this was some sort of 'magical de-authorization technique', which it isn't. Waiting on Apple to get its head out of the sand to this very very common and recurring problem is all he/she can do at this point.

And exactly what 'time' over what efforts are you supposedly 'saving' lusid? None. If you like copy-pasting irrelevant support suggestions from elsewhere, I suggest you apply to Apple as an Indian support specialist, as that is the quality of response they give and the kind of person they obviously are looking for.

Nothing personal, but there is also no need to remind me how obviously LIVID a response I am giving...the current state of 'lack of security' affairs being experienced through the Apple database infuriates me; it only grows with every addition of yet another victim's accounting. I can applaud your eager but ineffectual help only based on intent, not on content.

Apparently no one but the myriads of victims of these crimes are considering this a serious situation!

May 19, 2011 11:07 PM in response to lusid

I'm wondering if the removal of our credit/bank card details is something Apple has patched when they notice this happening. Either that or the hackers removed it...

Apple won't acknowledge it because of the impact it would have on their brand image.. I think they have a duty to warn people though as there is a serious loophole here making our personal data vulnerable to such attacks..

May 19, 2011 11:50 PM in response to stereocourier

Wow, Brad. If you weren't so ignorant, I would be offended by your post.

The tip I described was told to me by an Apple rep. The problem is you can't deauthorize a computer on your account, even if it was done without your permission, until you have at least five computers authorized. You just authorize several more, until you hit five. That's where friends and work come in. Once you have five, then you deauthorize all but your personal computer, including the bogus one. Please reread this statement. Five is the magic number where you can deauthorize any or all of the computers on your account! This gets rid of the bogus computer. The rep said it may help keep the hackers from accessing the account again, since their computer is no longer authorized on your account. That's why I posted it here, to possibly help people from being hacked again. That should make this tip relevant.

The time saved is from getting rid of the bogus computer yourself. Apple won't do it, unless you are persistent. This can take several days. You could take care of it yourself in an hour.

I do take this problem seriously. I was ripped off for $22 from a gift card, which is a lot less than many people who have posted here. Apple did the right thing and refunded the money. The rep was very helpful and I got some good tips from him. That's why I pass this on, so people can take care of it quickly. If you read all my posts, you can see I've helped several people on this subject.

Also, I'm sure Apple is working to solve this problem. They are losing money, and the confidence of a lot of loyal fans.

I apologize for the short post last time. I should have explained it better so the people who haven't followed this full discussion will understand what I was referring to.

May 20, 2011 12:30 AM in response to bluemc

Thanks guys, but if Apple is unresponsive I can easily spin up a handful of VMs, activate them, then flush my activations. But you only get to do that once every 12 months, so I'd rather let support do it.

I'm much more interested in how the hack works. Like I said in my post, I don't see the upside for the hacker. But anyway.. the other interesting question is of course: how was my account compromised in the first place?

Side channel attack leveraging data from the PSN leak? Maybe, but doesn't fit the timeline of everyone else getting hacked. This appears to be systemic, and it's been going on for a long time.

Rogue password stealing app? I'd buy this one (pun intended). I've been trying a lot of free games lately.

Leak inside Apple? Also high on the list of probabilities.

Trojan on my PC? Not likely. Enterprise grade AV/antimalware in place, and I rescanned everything just in case.

Firesheep'd at a Starbucks? I don't know, is iTunes access from an iPad vulnerable to HTTP session hijacking? Doesn't seem to fit.

There has to be a pattern here. I'm just not seeing it.

May 20, 2011 1:16 AM in response to rossjames

I'm guessing the removal of the credit card info is something the hackers are doing to minimize risk. The credit card companies are better equipped to track fraud than Apple. And stealing credits from the Apple store is less likely to get law enforcement attention than stealing from credit card companies.

Just a guess though.
