iTunes store account hacked

I'm posting this just to share my story and get reactions. It's a little detailed but I thought worth sharing.

On November 23, 2010 I purchased a single song from the iTunes store for .99. I used store credit that I had from a gift card I received last year. It was the first purchase I had made since July 2010.

On November 25, 2010 I received a receipt for 2 more separate orders to my account. These were for over $50 in iPhones apps. Here's a sampling of some of the purchases:

1 eREAD isoshu, v1.5, Seller: ChengDu YueTong Internet Information Co. Ltd (17+)
2 Plants vs. Zombies, v1.3, Seller: PopCap Games, Inc. (iDP)
3 Monkey Island 2 Special Edition: LeChuck's Revenge, v1.1, Seller: Lucasfilm International Services Inc.
4 Asphalt 5, v1.2.6, Seller: Gameloft (9+)
5 Let's Golf!® 2, v1.0.1, Seller: Gameloft (4+)
6 Frames & FX for Photos, v2.5.1, Seller: Imikimi, LLC (12+)
7 Stenches: A Zombie Tale of Trenches, v1.0.1, Seller: Thunder Game Works (9+)

I do not have a credit card linked to my account, so these were made using my store credit.

I have only 1 computer authorized for my account (my personal home computer). I live alone and no one else touches my Powerbook but me. I also DO NOT own an iPhone, so I would have no interest in apps.

After I saw these bizarre purchases, I checked my account. I noticed 2 strange things: My account information had changed: My street address was correct, but city, state and zip had changed to: Towson, MD 21286-7840. I have never lived in Maryland. Also, I noticed that my password recovery answer had changed to "Murray" in response to a question about my mother's maiden name. That's decidedly NOT my mother's maiden name. Also, my birthdate had changed to an incorrect month and day.

I immediately changed my password and my recovery question/answer challenge.

I reported problems on all of these purchases and also contacted iTunes Account Support by e-mail.

Within 24 hours I received an e-mail from "Vicki" at iTunes Customer Support. She wrote:

"When reviewing over your account "name@domain.net" and the two reported orders, it shows that the content purchased within them was acquired from the computer that is currently authorized for your iTunes account. So I strongly advise that you do consult with those in your household regarding the purchases made, and the charges that resulted from those purchases."

Further:

"I have gone and reversed the charges for the two orders....You will see a store credit in three to five business days....Please note that this is a one-time exception, as the iTunes Store Terms and Conditions state that all sales are final."

I am pleased that Apple is refunding my store credit and replied so quickly.

However, it is simply impossible that these purchases were made from my computer. Again, my Powerbook is the only computer I have ever authorized to access my account, and I am the only person with access to it.

I am not sure how this happened. Any thoughts or similar experiences?

Powerbook G4, Mac OS X (10.5.8)

Posted on Nov 28, 2010 3:43 PM


Aug 6, 2011 6:39 AM in response to stereocourier

It's getting worse, not better. I received this reply from Apple. The problem is, I'm not Josh. EVERYONE, please contact Apple iTunes AND security about this problem. Just because you get your $10 back isn't going to help solve this problem. Here are the links. DO IT!


iTunes

Security


Dear Josh,


Welcome to Apple iTunes Store Customer Support! My name is Raj and I am glad to assist you.


I understand that you are concerned about the purchases made with your iTunes Store account, "xxxxxxxx@yahoo.com" without your permission or knowledge.


I can certainly see how disappointing this could be. Please accept any apologies for any inconvenience you've experienced, as I know how concerning it can be to deal with such issues. customer reporting unauthorized charges.


It appears that your account has already been disabled to avoid further charges. Please note that you can enable your iTunes Store account in the future by providing specific information to iTunes Store support, as described at the end of this email.


I also understand that you are concerned about the safety of your personal information in regards to the iTunes Store and the App Store. Your privacy is very important to Apple and we take numerous precautions to safeguard your personal information against loss, theft, and misuse, as well as unauthorized access, disclosure, alteration, and destruction.

Aug 8, 2011 2:01 AM in response to Robert Mungo

Lakoo - Apple are you listening? Look into this dev. please!!!


I was just burned on the weekend, the rapid succession of emails (4-5am) about my account details changing, then purchases made from a device not previously authorized. My CC information has been removed from my account, nothing else was altered.


My $30 iTunes voucher cleaned out, am now down to $0.07. What's annoying is the fact that when I read the reviews of the app in question, there are about 5 that state the very same issue. Hacked accounts and false charges! If this happens multiple times for the ONE app, then why isn't something done by Apple?

http://itunes.apple.com/au/app/id371613788?mt=8


This is the 2nd time I've been burned by hackers, 2009 and now 2011. Same issue as last time, account details changed and apps purchased totaling $72. 15 emails from Apple, full of "I understand your concern..." etc. Talk to me like a HUMAN, not a robot. Same e-mail 15 times over, same response with a minor change in content. Took 3 months to have my charges reversed after getting my bank involved with Apple security, SUCH a hassle.


The annoying thing is, the emails from Apple make out as if WE are the ones in the wrong and don't really take the time to understand our concerns. Am I sure I didn't change my login? Am I sure I didn't make the purchases?...of course I'm sure! I don't spend $72 on apps just released with NO reviews, NO ratings, both games by the same developer...join the dots Apple. Good to see those two apps don't exist anymore: 'iCool' and 'iFruitShow'.

"The iTunes Store cannot reverse the charges." This was a 2009 email so no idea what the current stance is, but how easy for Apple to wipe their hands clean of any issues when they arise.


I ditched Apple in 2009 because of this, refused to have my CC on file with them. Now it's reared its ugly head again and I refuse to put my CC back on file AGAIN.

Aug 9, 2011 5:07 AM in response to stereocourier

I got hacked last night and all $110 has been drained out and they bought this


Original Gangstaz, 3000 Street Creds, Seller: Addmired, Inc
Addmired, Inc In-App Purchase $99.99
Subtotal: $99.99
Tax: $0.00
Order Total: $99.99


I don't receive any help from Apple yet


just my account is blocked and retrieve the password!

This is appalling .....


All my money has gone :((((((((((


is there a way of getting my money back .... ??? pleaseeeeeeeeeeee helpppppppppp

Aug 20, 2011 3:54 PM in response to stereocourier

yep, hacked as well. I asked someone on support chat and they directed me to an email form to give to Apple:

http://www.apple.com/support/itunes/contact.html?form=account&topic=iTunes%20Store%20Account%20and%20Billing


I just filled it out, so they haven't had time to read or respond to it yet.


Honestly, I would love to know how to lock down my iTunes account to only allow specific devices to do anything with my account. This would at least limit all liability to only my specific iPhone that I have on my hip or the computer on my desk.

Aug 21, 2011 4:51 PM in response to stereocourier

I just got this response from Apple. It seems they have softened their stance a bit, but are still denying that it is their fault at all.


Dear William,

Welcome to Apple iTunes Store Customer Support! My name is Raj and I am glad to assist you.

I understand your concern about the security of your account as this is the second time that fraudulent purchases were made on your account. I know this must be frustrating. I will be glad to share some information with you.


There are many different ways that your information may have been obtained. Your information can be obtained through programs from trojan viruses from websites that you visit, which steal your personal information from your computer when signing into an account. Some information may even be obtained through your actual email account.


Another possibility is what we call "Phisher" sites. These are websites that are masquerading as the iTunes Store and prey upon customers asking them to enter in their personal information, such as account name and password.


To make sure that this does not happen again, you will want to scan your computer for any type of malware that may be present, be very careful about the websites that you visit, always sign out of your iTunes account and make sure that the password for your iTunes account is not used for any other online account that you may have (and also make sure that the password does not contain any part of your actual email address or account name either).


I know that this is an upsetting situation, and I can certainly understand your concerns, however I want to assure you that this is not an issue with iTunes Security.


The iTunes Store does take numerous precautions to safeguard your personal information against loss, theft, and misuse, as well as unauthorized access, disclosure, alteration, and destruction.


The following page outlines, in detail, how Apple protects your information:


Apple Privacy Policy;

http://www.apple.com/legal/privacy/


Whenever you make changes to your password make sure to follow some good practices to ensure you are creating the hardest possible password for any potential attacker to figure out.


Here are a few tips;


1. Randomly substitute numbers for letters that look similar. The letter 'o' becomes the number '0', or try using '@' instead of 'a'


2. Randomly substitute in capital letters (i.e - aPplE)


3. Think of something you were attached to when you were younger, but do not choose a person's name. Every name and every word in the dictionary will fail under the most simple attacks used by hackers.


4. You should also use different username/password combinations for every site you use.


5. Since it can be difficult to remember a large number of passwords, consider using what is known as a password manager program. Often they can be found for free and they are designed to store all of your passwords in an encrypted format and allow you to use just one master password to access all of them. Although I am not permitted to provide specific recommendations or endorse 3rd party products, I'm sure you will be able to find such software using any popular search engine.


Once you've thought of a good password, navigate to this website to find out how secure it is;


https://www.microsoft.com/protect/fraud/passwords/checker.aspx


* Notice the http(S) in the URL. This indicates the site is provided via an encrypted connection (meaning anything you send to it is done so using the highest standards in secure data transmission).


William, it is okay if you wish to keep your account disabled for some time, when you wish to re-enable it, please reply to this email with the following information:


1) The complete billing address listed on the account, and


2) One of the following:


- the order number of your most recent authorized purchase

- the name of any item you've purchased using this iTunes account


I hope this information will be helpful. If you require anything further, please reply to this email and let me know, I will be happy to see what more I can do. Take care and I wish you all the best.


Sincerely,


Raj

iTunes Store/Mac App Store Customer Support

Aug 22, 2011 6:14 AM in response to trailbossc

This is an update to my previous post. I sent an email to Apple using this form:

http://www.apple.com/support/itunes/contact.html?form=account&topic=iTunes%20Store%20Account%20and%20Billing


The email was sent on Saturday. Monday at 3:38am, the gift card dollars were reimbursed into my account. I never actually received anything from Apple. They simply disabled my account and when I tried to log into iTunes, it forced me to change my password.


That was it. Short, easy, and prompt. It's pretty much the pattern for everything done with Apple. I can't blame Apple for what a hacker is doing. The hacker is the bad guy here, not Apple. Apple didn't make me jump through any flaming hoops to get a refund or prove I didn't buy the app.


The lesson here is to simply use gift cards in order to limit your liability. I'm trying to learn from this and make sure that all online accounts I have are similarly limited in some way.

Oct 29, 2011 7:59 AM in response to Bazillus

Today I noticed that I have to pay Click and Buy € 158 because of 2 purchases of 79 each. My purchase history shows that they first downloaded 人人乱世天下 By RenRenGames into my account and made the in-app purchases of € 79 there. Oddly enough, my iTunes purchase history shows one purchase of € 79, and my Click and Buy shows 2x € 79.


Of course I tried to report these purchases in iTunes as shown here

http://support.apple.com/kb/HT1933?viewlocale=EN-EN

But when I get to step 8, clicking on Report a Problem, and the reporting form should come up, the only thing that happens is that my browser opens the webpage of iTunes http://www.apple.com/nl/support/itunes/, like I have to install iTunes first. When I do the same for another purchase I made myself (a music CD), the reporting works. So I don't think the problem is in my pc.


I already reported this to Click and Buy, and I will email this to iTunes customer support too. For some reason I'm glad to see I'm not the only one affected by this fraud, because now I feel that we all have a chance to get this solved.

Nov 22, 2011 2:54 PM in response to junebug2285

This was still happening in Jan. 2011.

Look at here: https://discussions.apple.com/thread/3031164?start=90&tstart=0

50,000 accounts have been stolen and the Apple members have not been informed!

That's the problem...the same problem as at Sony...but there the community was informed worldwide by daily news!

It is a case of missing information from the supplier to the customer, risking the exposure of sensitive individual data by continuing its own business with collateral damage ("we have decided to refund in this individual case").

That is not fair...it is a crazy interruption of confidence between the supplier and the customer!

It seems the supplier has decided that it is better to do business instead of informing the customers about insecurities and the possibility of losing sensitive individual data!

I said: it is a scandal!


iTunes stolen accounts (for Google and other services: tested: came up at Google in second place...the main information was from Jan. 2011... ...and Apple thought it not necessary to inform or lock the account if there was no feedback to the information)...

...incredible!



How did 50,000 accounts get to a Chinese website?

I think, this is not a problem of individual insecurity.

Tell me!


Beside:

To take an e-mail as account ID is not secure because many people know some e-mail addresses.

The e-mail address should stay in the background while the user should be able to choose their own ID name themselves.

For every payment there should be a code number sent to the e-mail address to make sure that the order comes from the account owner!


If there are no more security measures than before, I won't do any business with the Apple site anymore.

If you don't tell me exactly how 50,000 accounts came to a Chinese website...just the same as above.


Instead of Genesis's Selling England by the Pound I see here Apple and Selling People by Account


If I google I can't find "Apple" "and" "Selling people by account"...I wait.

Dec 3, 2011 10:48 AM in response to israel1717

I just got hit today for about $30. All store credit as I did not have a CC linked. Waiting for Apple to respond.


The fraudulent purchases were all apps called Sixjoy Hong Kong


------------------------------------


Dear XXXXX XXXXXXX


Your Apple ID, XXXXX, was just used to make a purchase in 三国塔防 - 魏传 from the App Store on a computer or device that had not previously been associated with that Apple ID.


If you made this purchase, you can disregard this email. It was only sent to alert you in case you did not make the purchase yourself.


If you did not make this purchase, we recommend that you go to iforgot.apple.com to change your password, then see Apple ID: Tips for protecting the security of your account for further assistance.


Regards,

Apple

Dec 4, 2011 2:39 AM in response to stereocourier

My iTunes account was hacked for a total of $41 overnight....seems like I am not alone!! Apple also emailed me realising a dodgy transaction as below;


---------------

Your Apple ID xxxxxxxxx was just used to make a purchase in 帝國 Online from the App Store on a computer or device that had not previously been associated with that Apple ID.

If you made this purchase, you can disregard this email. It was only sent to alert you in case you did not make the purchase yourself.

If you did not make this purchase, we recommend that you go to iforgot.apple.com to change your password, then see Apple ID: Tips for protecting the security of your account for further assistance.

Regards, Apple

---------------



My credit card was also removed from my account. I will now just use gift card top ups of $20 to minimize future issues.


I've had my iTunes account for several years and this is the first time I have had a problem...I hope Apple do the right thing by me...

Dec 5, 2011 9:57 AM in response to Doubleshotlight

I do not understand what you are saying...When you upgraded to iCloud, it required you to change your password; in addition I believe it also made you change your Apple ID, but here is what I don't understand, because in the post above you say (and I bolded and underlined the part I don't understand):

Doubleshotlight wrote:


Apple is at fault because stores have a duty of care for the safety and security of its customers. Apple has put itself out to the world as a safe and secure place to put your credit card, PayPal, and gift card information so it should be vigilant in protecting such information.

I don't believe Apple has lived up to this duty. Even if they are not responsible for the leak of this confidential information (which seems doubtful considering the masses of people with the same story and different payment methods and the specific stories of App developers that make purchases), I know for me, when my account was hijacked, the hacker changed my Apple ID and my email was never notified. Apple only has you confirm major account changes through the NEW email you input and not through your OLD email. They should at the very least have a system in place to notify our real email when our accounts are compromised and make confirmation of such changes through your original email.


Since I have been locked out of my hijacked account for over 48 hours, I started making some music purchases at Amazon; the music is cheaper, has fewer legal restrictions, it is all stored in the cloud, and hopefully my cc information is protected by a company that cares more about security.

meanwhile in the post created here: https://discussions.apple.com/thread/3543257?answerId=16911365022#16911365022 you write (and I bolded and underlined the part I don't understand):




Doubleshotlight wrote:


Did you check to see if your purchase history is still there? This morning I noticed the same thing but I looked at my purchases and found there were none, as if it was a brand new account. When I went into my iphone's iCloud settings, some random person was signed into my icloud.


I subsequently changed my email address on my Apple ID just in case they had access to my email. When I changed the email, I found that my original email was never notified that I had changed to a new email. This is crazy because you will never know if someone has changed your email! This leads me to believe that someone hacked my account and changed the email address and Apple ID and created a new shell account with my old Apple ID so I didn't realize that my real account was taken over. That means your real account might be under a new Apple ID. That is my theory so far... waiting on customer service.

Just out of curiosity, perhaps you were seeing yourself online? Or do you have multiple Apple IDs? I am confused.


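The gap Doubleshotlight describes above (an e-mail change confirmed only through the NEW address, so the original mailbox never hears about it) is a design choice that can be modelled and corrected in a few lines. The following Python is an added example, not Apple's code or anything posted in this thread; the Account and Outbox classes and all function names are hypothetical, and the addresses are constructed sample data.

```python
# Added example (hypothetical names, not Apple's code): an account e-mail change
# flow, showing the weak behaviour the post describes beside a hardened version.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class Account:
    account_id: str
    email: str
    pending_email: Optional[str] = None       # new address awaiting confirmation
    pending_token_hash: Optional[str] = None  # hash of the one-time token

@dataclass
class Outbox:
    """Stands in for the mail system; records (recipient, subject) pairs."""
    sent: List[Tuple[str, str]] = field(default_factory=list)

    def send(self, to: str, subject: str) -> None:
        self.sent.append((to, subject))

def change_email_weak(acct: Account, new_email: str, outbox: Outbox) -> None:
    """Weak flow: the change is applied at once and only the NEW address is told,
    so the owner, reading the old mailbox, never learns about it."""
    acct.email = new_email
    outbox.send(new_email, "Your account e-mail was changed")

def _token_hash(token: str) -> str:
    # Store only a hash so a leaked database row does not yield a usable token.
    return hashlib.sha256(token.encode()).hexdigest()

def request_email_change(acct: Account, new_email: str, outbox: Outbox) -> str:
    """Hardened flow: nothing changes yet. A one-time token goes to the OLD
    address, so whoever controls the existing mailbox must approve the change;
    the new address gets only a heads-up with no token in it."""
    token = secrets.token_urlsafe(32)
    acct.pending_email = new_email
    acct.pending_token_hash = _token_hash(token)
    outbox.send(acct.email, "Confirm (or reject) a change to your account e-mail")
    outbox.send(new_email, "This address was entered for an account; no action needed")
    return token  # a real system embeds this only in the mail sent to acct.email

def confirm_email_change(acct: Account, token: str) -> bool:
    """Apply the pending change only for the exact token (constant-time compare)."""
    if acct.pending_email is None or acct.pending_token_hash is None:
        return False
    if not hmac.compare_digest(_token_hash(token), acct.pending_token_hash):
        return False
    acct.email, acct.pending_email, acct.pending_token_hash = acct.pending_email, None, None
    return True

def demo() -> dict:
    """Runs both flows on constructed sample addresses and reports what each did."""
    weak, weak_box = Account("acct-1", "owner@example.com"), Outbox()
    change_email_weak(weak, "newaddr@example.net", weak_box)
    hard, hard_box = Account("acct-2", "owner@example.com"), Outbox()
    token = request_email_change(hard, "newaddr@example.net", hard_box)
    wrong_rejected = not confirm_email_change(hard, "not-the-token")
    unchanged = hard.email == "owner@example.com"      # still the old address
    accepted = confirm_email_change(hard, token) and hard.email == "newaddr@example.net"
    return {
        "weak_notified": [to for to, _ in weak_box.sent],
        "hard_notified": [to for to, _ in hard_box.sent],
        "wrong_token_rejected": wrong_rejected,
        "unchanged_until_confirmed": unchanged,
        "accepted_with_token": accepted,
    }

if __name__ == "__main__":
    print(demo())
```

Running it shows the weak flow notifying only the new address, while the hardened flow notifies the old address first and leaves the account untouched until the token from that mail is presented.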

Dec 9, 2011 12:19 AM in response to ck08

Really?? How do you think I feel! Phishing is not only done through an email but also as a fake web site. And NO you would not know if your information is phished unless you have money stolen from you, regardless if you have a gift card, Visa, MasterCard, PayPal, Discover, or Amex card. And yes, I believe that is what is going on here. I understand you are calling me ignorant, but that is ok, because by the definition of the word, I have

lack of knowledge or information: he acted in ignorance of basic procedures.

But that is fine, I am willing to learn and change, so therefore my ignorance is not a bad thing.

Perhaps you should do a search on the web. Below are some (recent) links I found:


* New Scams use fake Amazon gift cards, Adobe updates to lure victims (12/06/2011)


* Be on the lookout for Apple iTunes phishing email (10/31/2011)


* Identifying fraudulent "phishing" email (10/12/2011)


* New Phishing Attack Targets Apple iTunes, Security Firm Says (10/05/2011)


* How to avoid or remove Mac Defender malware (6/8/2011)


* Phishing primary cause of bogus iTunes charges (8/27/2010)


* The Real iTunes Fraud Vulnerability: Gullible Users (8/23/2010)


* Spam/Phishing email impersonating iTunes store (n.d.)

Dec 11, 2011 3:51 PM in response to SimonJester753

I heard back from Apple support and they are refunding me, no hassles. Customer service was very responsive and helpful. I've included part of the response I received below. It seemed obvious to me that they are aware of the issue and for now they are dealing with it this way. Hope this helps.


"Dear Debbie,


Welcome to iTunes Store Customer Support. My name is _______ and I am glad to assist you today.


I understand purchases have been made with your iTunes Store account without your permission or knowledge. I am sure you are anxious at this time and I will do whatever I can to help you right away.


Debbie, I have checked your iTunes Store account and it appears that your account information was modified without your authorization. This can happen for a number of reasons, most commonly due to "phishing" emails, sharing passwords, or using the same password for multiple online accounts.


Please review the following article for help in identifying legitimate emails from the iTunes Store.


Identifying legitimate emails from the iTunes Store

http://support.apple.com/kb/HT2075


When you reset your password using http://iforgot.apple.com I highly recommend that you follow the suggestions outlined in the following article:


iTunes Store: Best practices for protecting the security of your account

http://support.apple.com/kb/HT4156


I'm pleased to inform you that, I have issued a refund for the items purchased without your permission.


The decision to issue a refund was made after a careful review of your case. Please note that this refund is an exception to the iTunes Store Terms and Conditions, which state that all sales are final. A refund in the amount of 29.91 USD has been issued to your financial institution. Refund processing times vary depending on your financial institution and can normally take from 7 to 10 business days. Please contact your financial institution for details related to processing times.


I have also removed the card from your account and have disallowed it from being used on the iTunes Store."
