I too think it is solely related to gift cards and PayPal. When the fraudulent charge occurred on me, I had a message on my account stating that I needed to finish the transaction because the PayPal payment wasn't completed. I removed PayPal from my account. I contacted Apple via online chat and resolved the issue. The only thing that leads me to believe that it may not be PayPal/gift card exclusive is that I noticed that after I reset my password, I had to reset it again like 5 minutes later, as if whoever hacked it was trying to make another purchase but couldn't get in due to the password change.
Heard back from Apple today. They are refunding the amount of the unauthorized transaction, but gave me the standard response about it being a one-time deal, goes against terms and conditions, blah blah. Here is what I wrote back:
Regarding account security, I always take every step outlined in the article you linked below. I understand that you're likely sending me a pre-determined response. But please understand that I take account security VERY seriously, and frankly I'm rather insulted that Apple would suggest that I was somehow at fault for this happening. This is not an isolated occurrence, not by a long shot. This has happened to thousands of iTunes accounts over the past several months and years, dating back to 2010 from what I've seen. Here are a couple of large discussion threads right in the Apple support forums about this issue:
There are quite a few other discussion topics there on Apple Support about the same issue.
Apparently there is a "group" of hackers around the world that somehow gain entry into iTunes accounts, and drain accounts that have a gift card balance on them, or a PayPal account associated with them. Perhaps there are malicious apps that gather user/password information, or maybe these are brute-force hacking attacks.
As indicated in the first thread linked above, many people have received refunds for these unauthorized transactions. Obviously this is costing Apple a considerable amount of money. It would be highly advisable for Apple to investigate these matters and take measures to increase security.
So I reviewed the iTunes store terms and conditions here: http://www.apple.com/legal/itunes/us/terms.html and found this paragraph:
DISCLAIMER OF WARRANTIES; LIABILITY LIMITATION
APPLE DOES NOT GUARANTEE, REPRESENT, OR WARRANT THAT YOUR USE OF THE ITUNES SERVICE WILL BE UNINTERRUPTED OR ERROR-FREE, AND YOU AGREE THAT FROM TIME TO TIME APPLE MAY REMOVE THE ITUNES SERVICE FOR INDEFINITE PERIODS OF TIME, OR CANCEL THE ITUNES SERVICE AT ANY TIME, WITHOUT NOTICE TO YOU.
YOU EXPRESSLY AGREE THAT YOUR USE OF, OR INABILITY TO USE, THE ITUNES SERVICE IS AT YOUR SOLE RISK. THE ITUNES SERVICE AND ALL PRODUCTS AND SERVICES DELIVERED TO YOU THROUGH THE ITUNES SERVICE ARE (EXCEPT AS EXPRESSLY STATED BY APPLE) PROVIDED "AS IS" AND "AS AVAILABLE" FOR YOUR USE, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NONINFRINGEMENT. BECAUSE SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, THE ABOVE EXCLUSION OF IMPLIED WARRANTIES MAY NOT APPLY TO YOU.
IN NO CASE SHALL APPLE, ITS DIRECTORS, OFFICERS, EMPLOYEES, AFFILIATES, AGENTS, CONTRACTORS, OR LICENSORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, SPECIAL, OR CONSEQUENTIAL DAMAGES ARISING FROM YOUR USE OF ANY OF THE ITUNES SERVICE OR FOR ANY OTHER CLAIM RELATED IN ANY WAY TO YOUR USE OF THE ITUNES SERVICE, INCLUDING, BUT NOT LIMITED TO, ANY ERRORS OR OMISSIONS IN ANY CONTENT, OR ANY LOSS OR DAMAGE OF ANY KIND INCURRED AS A RESULT OF THE USE OF ANY CONTENT (OR PRODUCT) POSTED, TRANSMITTED, OR OTHERWISE MADE AVAILABLE VIA THE ITUNES SERVICE, EVEN IF ADVISED OF THEIR POSSIBILITY. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR THE LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, IN SUCH STATES OR JURISDICTIONS, APPLE'S LIABILITY SHALL BE LIMITED TO THE EXTENT PERMITTED BY LAW.
APPLE SHALL USE REASONABLE EFFORTS TO PROTECT INFORMATION SUBMITTED BY YOU IN CONNECTION WITH THE ITUNES SERVICE, BUT YOU AGREE THAT YOUR SUBMISSION OF SUCH INFORMATION IS AT YOUR SOLE RISK, AND APPLE HEREBY DISCLAIMS ANY AND ALL LIABILITY TO YOU FOR ANY LOSS OR LIABILITY RELATING TO SUCH INFORMATION IN ANY WAY.
APPLE DOES NOT REPRESENT OR GUARANTEE THAT THE ITUNES SERVICE WILL BE FREE FROM LOSS, CORRUPTION, ATTACK, VIRUSES, INTERFERENCE, HACKING, OR OTHER SECURITY INTRUSION, AND APPLE DISCLAIMS ANY LIABILITY RELATING THERETO. SOME PRODUCTS CAN BE DOWNLOADED ONLY ONCE; AFTER BEING DOWNLOADED, THEY CANNOT BE REPLACED IF LOST FOR ANY REASON. YOU SHALL BE RESPONSIBLE FOR BACKING UP YOUR OWN SYSTEM, INCLUDING ANY ITUNES PRODUCTS PURCHASED OR RENTED FROM THE ITUNES STORE.
Soooo... does this mean there is ZERO recourse when these security breaches happen??? People breaking in, using our funds, changing information, using or removing credit card info, etc.? How the heck are we supposed to prevent such hacking attacks if they are the brute-force type?
The only option I see is to never use gift cards, and to always just pay for stuff with your CC, such that if this ever does happen then you could dispute the charges with your bank. Is this how it's going to have to be? If only gift card funds could be applied to my CC lol.
I don't think it can be *just* PayPal and gift cards, since I had neither a couple or three months ago when mine was hacked. Again, I did have a credit card linked to my account, but no PayPal and no gift card, and I don't play games. I rarely purchase anything... but like Patrick, I had just installed the MyFitnessPal app on an iPod touch a day or two before.
Again, what happened to me was they changed the credit card to a number I did not own, and the address to a faraway city I have never been to, and I got an email saying thank you for your purchase of a $50 gift card for .... and the name was MY PASSWORD!
This leads me to believe they got my password (duh)
I am guilty of having used that password on some other sites, but some in this group have speculated that maybe they got the password when I purchased an app on a public wifi site. That's possible. I don't remember where I was when I installed MyFitnessPal, but I do use wifi in bars and cafes. My home wifi is secure.
I am certain that it is NOT related to PayPal or gift cards.
These hacks are happening on Apple's servers.
As has been posted (and deleted by Apple) on this very thread, what seems to be happening is that a program called 'Apple Hack' is available in China. This program somehow has access to Apple's servers (feel free to speculate as to how this program has access to Apple's servers). Once in Apple's servers it then finds iTunes accounts with credit (either gift card, credit card or PayPal) and then breaks the password, probably by brute force (repeatedly trying).
This scenario is shocking for a number of reasons:
- How does the program 'Apple Hack' get access to Apple's servers?
- Are iTunes user names and passwords NOT encrypted?
- Or, if they are encrypted, it appears that somehow the hackers have got access to the encryption key.
- Why are brute-force attacks not tripping a billion alarms on Apple's servers?
In conclusion, you may want to compare Apple iTunes and Amazon. Both have very similar business models but one, apparently, has far superior security.
THIS IS THE REPLY I GOT. IT SEEMS THEY CREATED MORE PROBLEMS THAN I HAD IN THE BEGINNING. THEY FORCED ME TO CREATE A NEW PASSWORD 5 MONTHS AGO AND NOW I HAVE TO FIND ANOTHER ACCOUNT.
Greetings from iTunes Store Support team. My name is YYYY and I am happy to assist you today.
I understand that you are concerned about the iTunes Store purchases that were made from your iTunes Store account without your permission and knowledge. I certainly understand your concern that you want this to be resolved at the earliest. I will be happy to help you in resolving this issue.
XXXX, I would like to inform you that, to prevent further purchasing, I have disabled your account "XXXXX@yahoo.com".
I apologize as I certainly understand the inconvenience that this situation has caused. In order to make sure this issue is investigated thoroughly, I've consulted with a senior advisor. I'd asked to see if it was possible to arrange a refund for you, but I'm sorry to say that I was not able to get approval for your request. I've been advised that due to the amount of time that has passed between this order and your report, the items have become ineligible for refund. As a result, arranging a refund is something that we will not be able to facilitate for you. In the future please be sure to monitor your account activity closely.
That being said, I would like to give you some information to help safeguard your account in the future.
The security of your account is important to Apple. If you would like to enable your account, we will manually reset the password for you and include helpful information for when you reset the password again yourself. It is recommended that you reset the password even if you wish to leave your account disabled.
If you would like to request that your iTunes Store account be enabled, please reply to this email.
To increase the security of your account I highly recommend that you follow the suggestions outlined in this article:
iTunes Store: Best practices for protecting the security of your account
XXXXX, if you have any other questions for me, please reply to this email so that I can help you further. Thank you for being a valued member of iTunes family.
Have a great day ahead!
This is what I just received:
iTunes Store just sent you a refund
iTunes Store just sent you a partial refund of $39.96 USD for your purchase. If you have any questions about this refund, please contact iTunes Store.
The refund will go to your PayPal account.
To see all the transaction details, please log into your PayPal account. It may take a few moments for this transaction to appear in your account.
I am satisfied. Do you get any extra beefed-up security whenever your credit card has fraudulent charges? No, there are some things that can't easily be fixed. Maybe they are working on something, although since they have so many millions of accounts, they have to run it through heuristic, or possibly even machine learning, projections before it gets out of a beta period. Maybe it had too many false positives, and the refund on error is the only way possible. I was upset because I was reading that some people weren't getting their refunds. I am sure a lot of the 'fraud' they have are people who bought apps that they don't like. It must be a major problem. For me: It's 2am, and it's fixed. I'm going back to bed.
Good luck everyone...
I've since been refunded, and changed my password. Having used iTunes since it began, I know this was the first time something like this has happened. I'm sure it is an extremely small percent of iTunes users having to go through this annoying experience. I just hope, with more people using Apple products, that the company itself prepares for more malicious acts. Refunds are totally appreciated, but the fact that these apps and charges were made weeks after people were letting Apple know this was going on is disheartening. Like any decent business, if something is rotten and is getting people sick, you remove whatever is toxic from the shelves. These shady apps, I can understand being brought into the App Store, but they should be removed as soon as they've been proven to be used just for the purpose of ripping iTunes users off.
RE: "weeks after people letting Apple know" - actually it has been well over a year.
RE: rogue apps being 'the problem' - I don't think so. As many others have pointed out, the problem appears to be Apple's compromised security, allowing access to passwords, which allows access to accounts with available funds (credit balance, PayPal, credit card), so that with that access they are able to spend your account dry. And it is way beyond insulting for Apple to turn around and accuse the user of phishing being the cause of their theft. THIS (Apple's response) is what has me so upset. Apple has been totally silent on what they are doing about it, and the press, for the most part, has been silent. Without public (press) outcry, Apple will have no motivation to do anything about this.
This is exactly my complaint!!
It is a VERY strong likelihood (in my opinion) that my account compromise came because of Apple's failures.
This is spoken as an I.T. professional who never enters details into emails and has different logon IDs / passwords across the online services I use.
In addition there were other suspicious occurrences about my case which I have detailed in earlier
THE WHOLE TIME, APPLE MADE ME FEEL LIKE IT WAS MY FAULT AND INSISTED THAT IT WAS ME THAT WAS COMPROMISED !!
In addition, when the service consultant asked if I had any more questions . . I asked 3 times what Apple is doing to make sure my security is protected and that this can't happen again . .
In refusing to answer my question I can only assume THEY ARE DOING NOTHING!!!
Where is the media on this !!! Make them accountable !!
I got hacked overnight as well. I'm a software developer (not for iOS), and the Apple ID that I use is used NOWHERE else on the internet, is very long, and uses special characters and upper/lower case, and I'm the only one that knows it.
I got an email this morning that said:
Your Apple ID, (XXXXX) was just used to download 宠物猎人 from the App Store on a computer or device that had not previously been associated with that Apple ID
Why is there no way to say "These are the only approved devices" on my account? Amazon seems to be able to handle that - I have 3 devices activated for Kindle reading. If I want to activate a new device, then why not give me a battery of security questions and my password that only I know?
No possible way this was phishing, and I don't play any of those questionable freemium apps either. I haven't received a receipt for whatever the name of that app is (I don't speak Chinese).
I have an email out to Apple requesting my $55 in credit back, my password has already been changed, and I'm digging for where the security questions are so I can change those as well. /sigh
Hoping to hear back from Apple soon on a credit. The only reason so much was in there was because Best Buy had a 20% off $50 special about two weeks ago. I don't keep a credit card tied to the Apple store either, for this reason.
It's making it hard for me to trust them with my iCloud data if people can steal my money via my Apple ID anytime they want.
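Two defender-side questions run through this thread: why repeated password guesses against an account do not trip alarms, and why a purchase from a device never seen on the account is not held for extra verification. The following is an added example written for this thread, not code from any poster, from Apple, or from any real store back end. It is a small account-activity monitor over constructed events (the accounts, device IDs, IP addresses, amounts and thresholds are all made up): a burst of failed logins for one account inside a sliding window raises a brute-force alert, and a purchase from a device not on the account's known-device list is flagged and answered with a step-up requirement instead of being allowed.

```python
from collections import defaultdict, deque

# Constructed sample events (not real log data). Each event is
# (timestamp_seconds, event_type, account, device_id, source_ip, amount).
SAMPLE_EVENTS = [
    (0,   "login_failed", "alice@example.com", "dev-unknown-1", "198.51.100.7", 0),
    (2,   "login_failed", "alice@example.com", "dev-unknown-1", "198.51.100.7", 0),
    (4,   "login_failed", "alice@example.com", "dev-unknown-1", "198.51.100.7", 0),
    (5,   "login_failed", "alice@example.com", "dev-unknown-1", "198.51.100.7", 0),
    (7,   "login_failed", "alice@example.com", "dev-unknown-1", "198.51.100.7", 0),
    (9,   "login_ok",     "alice@example.com", "dev-unknown-1", "198.51.100.7", 0),
    (12,  "purchase",     "alice@example.com", "dev-unknown-1", "198.51.100.7", 50.0),
    (15,  "login_ok",     "bob@example.com",   "bob-ipod",      "203.0.113.9",  0),
    (20,  "purchase",     "bob@example.com",   "bob-ipod",      "203.0.113.9",  0.99),
    (600, "login_failed", "bob@example.com",   "bob-ipod",      "203.0.113.9",  0),
]

# Hypothetical per-account list of devices that have already been approved.
KNOWN_DEVICES = {
    "alice@example.com": {"alice-iphone"},
    "bob@example.com": {"bob-ipod"},
}

FAILED_LOGIN_THRESHOLD = 5   # failures inside the window that trigger an alert
WINDOW_SECONDS = 60          # sliding window length for counting failures


class AccountMonitor:
    """Tracks failed logins per account and purchases from unknown devices."""

    def __init__(self, known_devices, threshold=FAILED_LOGIN_THRESHOLD,
                 window=WINDOW_SECONDS):
        self.known = {acct: set(devs) for acct, devs in known_devices.items()}
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)  # account -> recent failure timestamps
        self.alerts = []                    # (alert_type, account, detail, value)

    def _prune(self, queue, now):
        # Drop failures that fell out of the sliding window.
        while queue and now - queue[0] > self.window:
            queue.popleft()

    def process(self, event):
        """Consume one event; return a decision for purchases, None otherwise."""
        ts, kind, acct, device, ip, amount = event
        if kind == "login_failed":
            queue = self.failures[acct]
            queue.append(ts)
            self._prune(queue, ts)
            if len(queue) >= self.threshold:
                self.alerts.append(("brute_force", acct, ip, len(queue)))
                queue.clear()  # start a fresh window so one burst yields one alert
            return None
        if kind == "purchase":
            if device not in self.known.get(acct, set()):
                # Unknown device: flag it and hold the purchase for step-up
                # verification rather than letting the charge go through.
                self.alerts.append(("unknown_device_purchase", acct, device, amount))
                return "step_up_required"
            return "allow"
        return None

    def register_device(self, acct, device):
        """Called after the owner passes step-up verification for a device."""
        self.known.setdefault(acct, set()).add(device)


def run(events, known_devices=KNOWN_DEVICES):
    """Replay events through a fresh monitor; return (alerts, purchase decisions)."""
    monitor = AccountMonitor(known_devices)
    decisions = [monitor.process(e) for e in events]
    return monitor.alerts, decisions


if __name__ == "__main__":
    alerts, decisions = run(SAMPLE_EVENTS)
    for alert in alerts:
        print("ALERT", alert)
    print("purchase decisions:", [d for d in decisions if d is not None])
```

In the constructed replay, the five failed logins against alice's account inside seven seconds raise one `brute_force` alert, and the $50 purchase from `dev-unknown-1` is returned as `step_up_required` because that device was never registered for her account; bob's single stale failure at t=600 stays below the threshold, and his purchase from his known iPod is allowed. Once the owner has completed verification for a device, `register_device` adds it to the allowlist, so later purchases from it pass without a hold.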