Skip navigation

iTunes store account hacked

664895 Views 1,941 Replies Latest reply: Apr 20, 2014 10:42 AM by Chris CA RSS Branched to a new discussion.
  • dustinw82 Calculating status...
    Currently Being Moderated
    Feb 21, 2012 11:08 AM (in response to gingerCE12)

    I too think it is solely related to gift cards and paypal.  When the fraudulant charge occured on me, I had a message on my account stating that I needed to finish the transation because the paypal payment wasn't completed.  I removed paypal from my account.  I contacted Apple via online chat and resolved the issue.  The only thing that leads me to believe that it may not be paypal/gift card exclusive is that I noticed that after I reset my password, I had to reset it again like 5 minutes later as if whoever hacked it, was trying to make another purchase but couldn't get in due to the password change. 

  • Chris CA Level 9 Level 9 (73,410 points)
    Currently Being Moderated
    Feb 21, 2012 11:12 AM (in response to dustinw82)

    dustinw82 wrote:

     

    I too think it is solely related to gift cards and paypal.
    ...
    The only thing that leads me to believe that it may not be paypal/gift card exclusive

    ???

    Do you think it is exclusive or not? (It's not as evidenced by others never having gift card/PayPal on their account).

  • PatrickGSR94 Level 1 Level 1 (0 points)
    Currently Being Moderated
    Feb 21, 2012 11:25 AM (in response to Chris CA)

    Heard back from Apple today.  They are refunding the amount of the unauthorized transaction, but gave me the standard response about it being a one-time deal, goes against terms and conditions, blah blah.  Here is what I wrote back:

     

     

    Regarding account security, I always take every step outlined in the article you linked below. I understand that you're likely sending me a pre-determined response.  But please understand that I take account security VERY seriously, and frankly I'm rather insulted that Apple would suggest that I was somehow at fault for this happening.  This is not an isolated occurrence, not by a long shot.  This has happened to thousands of iTunes accounts over the past several months and years, dating back to 2010 from what I've seen.  Here are a couple of large discussion threads right in the Apple support forums about this issue:

     

    https://discussions.apple.com/thread/2665383?start=0&tstart=0

    https://discussions.apple.com/thread/3031164?start=0&tstart=0

     

    There are quite a few other discussion topics there on Apple Support about the same issue.

     

    Apparently there is a "group" of hackers around the world that somehow gain entry into iTunes accounts, and drain accounts that have a gift card balance on them, or a PayPal account associated with them.  Perhaps there are malicious apps that gather user/password information, or maybe these are brute-force hacking attacks.

     

    As indicated in the first thread linked above, many people have received refunds for these unauthorized transactions.  Obviously this is costing Apple a considerable amount of money.  It would be highly advisable for Apple to investigate these matters and take measures to increase security.


     

    So I reviewed the iTunes store terms and conditions here: http://www.apple.com/legal/itunes/us/terms.html and found this paragraph:

     

     

    DISCLAIMER OF WARRANTIES; LIABILITY LIMITATION

     

    APPLE DOES NOT GUARANTEE, REPRESENT, OR WARRANT THAT YOUR USE OF THE ITUNES SERVICE WILL BE UNINTERRUPTED OR ERROR-FREE, AND YOU AGREE THAT FROM TIME TO TIME APPLE MAY REMOVE THE ITUNES SERVICE FOR INDEFINITE PERIODS OF TIME, OR CANCEL THE ITUNES SERVICE AT ANY TIME, WITHOUT NOTICE TO YOU.

     

    YOU EXPRESSLY AGREE THAT YOUR USE OF, OR INABILITY TO USE, THE ITUNES SERVICE IS AT YOUR SOLE RISK. THE ITUNES SERVICE AND ALL PRODUCTS AND SERVICES DELIVERED TO YOU THROUGH THE ITUNES SERVICE ARE (EXCEPT AS EXPRESSLY STATED BY APPLE) PROVIDED "AS IS" AND "AS AVAILABLE" FOR YOUR USE, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NONINFRINGEMENT. BECAUSE SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, THE ABOVE EXCLUSION OF IMPLIED WARRANTIES MAY NOT APPLY TO YOU.

     

    IN NO CASE SHALL APPLE, ITS DIRECTORS, OFFICERS, EMPLOYEES, AFFILIATES, AGENTS, CONTRACTORS, OR LICENSORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, SPECIAL, OR CONSEQUENTIAL DAMAGES ARISING FROM YOUR USE OF ANY OF THE ITUNES SERVICE OR FOR ANY OTHER CLAIM RELATED IN ANY WAY TO YOUR USE OF THE ITUNES SERVICE, INCLUDING, BUT NOT LIMITED TO, ANY ERRORS OR OMISSIONS IN ANY CONTENT, OR ANY LOSS OR DAMAGE OF ANY KIND INCURRED AS A RESULT OF THE USE OF ANY CONTENT (OR PRODUCT) POSTED, TRANSMITTED, OR OTHERWISE MADE AVAILABLE VIA THE ITUNES SERVICE, EVEN IF ADVISED OF THEIR POSSIBILITY. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR THE LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, IN SUCH STATES OR JURISDICTIONS, APPLE'S LIABILITY SHALL BE LIMITED TO THE EXTENT PERMITTED BY LAW.

     

    APPLE SHALL USE REASONABLE EFFORTS TO PROTECT INFORMATION SUBMITTED BY YOU IN CONNECTION WITH THE ITUNES SERVICE, BUT YOU AGREE THAT YOUR SUBMISSION OF SUCH INFORMATION IS AT YOUR SOLE RISK, AND APPLE HEREBY DISCLAIMS ANY AND ALL LIABILITY TO YOU FOR ANY LOSS OR LIABILITY RELATING TO SUCH INFORMATION IN ANY WAY.

     

    APPLE DOES NOT REPRESENT OR GUARANTEE THAT THE ITUNES SERVICE WILL BE FREE FROM LOSS, CORRUPTION, ATTACK, VIRUSES, INTERFERENCE, HACKING, OR OTHER SECURITY INTRUSION, AND APPLE DISCLAIMS ANY LIABILITY RELATING THERETO. SOME PRODUCTS CAN BE DOWNLOADED ONLY ONCE; AFTER BEING DOWNLOADED, THEY CANNOT BE REPLACED IF LOST FOR ANY REASON. YOU SHALL BE RESPONSIBLE FOR BACKING UP YOUR OWN SYSTEM, INCLUDING ANY ITUNES PRODUCTS PURCHASED OR RENTED FROM THE ITUNES STORE.

     

    Soooo... does this meant there is ZERO recourse when these security breaches happen???  People breaking in, using our funds, changing information, using or removing credit card info, etc?  How the heck are we supposed to prevent such hacking attacks if they are the brute-force type?

     

    The only option I see is to never use gift cards, and to always just pay for stuff with your CC, such that if this ever does happen then you could dispute the charges with your bank.  Is this how it's going to have to be?  If only gift card funds could be applied to my CC lol.

  • Chris CA Level 9 Level 9 (73,410 points)
    Currently Being Moderated
    Feb 21, 2012 11:39 AM (in response to PatrickGSR94)

    PatrickGSR94 wrote:

     

    Soooo... does this meant there is ZERO recourse when these security breaches happen???

    Pretty much, yes.

  • Oonce Oonce Level 1 Level 1 (0 points)
    Currently Being Moderated
    Feb 21, 2012 11:51 AM (in response to Chris CA)

    I don't think it can be *just* Paypal and gift cards, since I had neither a couple or three months ago when mine was hacked.  Again, I did have a credit card linked to my account, but no Paypal and no gift card, and I don't play games.  I rarely purchase anything...but like Patrick, I had just installed MyFitnessPal app on an ipod touch a day or two before.

     

    Again, what happened to me was they changed the credit card to a number I did not own, and the address to a faraway city I have never been to, and I got an email saying thank you for your purchase of a $50 gift card for ....  and the name was MY PASSWORD!

     

    This leads me to believe they got my password (duh) 

     

    I am guilty of having used that password on some other sites, but some in this group have speculated that maybe they got the password when I purchased an app on a public wifi site.  That's possible.  I don't remember where I was when I installed MyFitnessPal, but I do use wifi in bars and cafes.  My home wifi is secure.

  • MadScientistZ Level 1 Level 1 (0 points)
    Currently Being Moderated
    Feb 21, 2012 12:37 PM (in response to dustinw82)

    I am certain that it is NOT related to PayPal or gift cards.

     

    These hacks are happening on Apple's servers.

     

    As has been posted (and deleted by Apple) on this very thread what seems to be happening is that a program called 'Apple Hack' is available in China. This program somehow has access to Apple's servers (feel free to speculate as to how this program has access to Apple's servers). Once in Apple's servers it then finds iTunes accounts with credit (either giftcard, credit card or PayPal) and then breaks the password, probably by bruteforce (repeatedly trying).

     

    This scenario is shocking for a number of reasons:

    1. How does the program 'Apple Hack' get access to Apple's servers?
    2. Are iTunes user names and passwords NOT encrypted?
    3. Or, if they are encrypted, it appears that somehow the hackers have got access to encryption key.
    4. Why are bruteforce attacks not tripping a billion alarms on Apple's servers?

     

    In conclusion, you may want to compare Apple iTunes and Amazon. Both have very similar business models but one, apparently, has far superior security.

  • chipmalee Calculating status...
    Currently Being Moderated
    Feb 21, 2012 12:39 PM (in response to stereocourier)

    THIS IS THE REPLY I GOT.  IT SEEMS THEY CREATED MORE PROBLEM THAN I HAD I THE BEGINNING.  THEY FORCED ME TO CREATE A NEW PASSWORD 5 MONTHS AGO AND NOW I HAVE TO FIND ANOTHER ACCOUNT.

    ~~~~~~~~~~~~~~~~~~~~~~~

    Dear XXXX,

     

    Greetings from iTunes Store Support team. My name is YYYY and I am happy to assist you today.

     

    I understand that you are concerned about the iTunes Store purchases that were made from your iTunes Store account without your permission and knowledge. I certainly understand your concern that you

    want this to be resolved at the earliest. I will be happy to help you in resolving this issue.

     

    XXXX, I would like to inform you that To prevent further purchasing, I have disabled your account "XXXXX@yahoo.com".

     

    I apologize as I certainly understand the inconvenience that this situation has caused. In order to make sure this issue is investigated thoroughly, I've consulted with a senior advisor. I'd asked to see if it was

    possible to arrange a refund for you, but I'm sorry to say that I was not able to get approval for your request. I've been advised that due to the amount of time that has passed between this order and your

    report, the items have become ineligible for refund. As a result, arranging a refund is something that we will not be able to facilitate for you. In the future please be sure to monitor your account activity closely.

     

    That being said, I would like to give you some information to help safeguard your account in the future.

     

    The security of your account is important to Apple. If you would like to enable your account, we will manually reset the password for you and include helpful information for when you reset the password again

    yourself. It is recommended that you reset the password even if you wish to leave your account disabled.

     

    If you would like to request that your iTunes Store account be enabled, please reply to this email.

     

    To increase the security of your account I highly recommend that you follow the suggestions outlined in this article:

     

    iTunes Store: Best practices for protecting the security of your account

    http://support.apple.com/kb/HT4156

     

    XXXXX, if you have any other questions for me, please reply to this email so that I can help you further. Thank you for being a valued member of iTunes family.

     

    Have a great day ahead!

     

    Sincerely,

  • PatrickGSR94 Level 1 Level 1 (0 points)
    Currently Being Moderated
    Feb 21, 2012 12:45 PM (in response to chipmalee)

    Maybe there's an inside conspiracy going in within Apple...

  • dustinw82 Level 1 Level 1 (0 points)
    Currently Being Moderated
    Feb 21, 2012 12:59 PM (in response to chipmalee)

    Chip- You don't necessarily have to create a new account.  When I started my online chat, they disabled my account.  They then re-enabled it and I reset my password.

  • phifli Calculating status...
    Currently Being Moderated
    Feb 21, 2012 2:10 PM (in response to Chris CA)

    This is what I just received:

    Tunes Store just sent you a refund

    iTunes Store just sent you a partial refund of $39.96 USD for your purchase. If you have any questions about this refund, please contact iTunes Store.

    The refund will go to your PayPal account.

     

    To see all the transaction details, please log into your PayPal account. It may take a few moments for this transaction to appear in your account.

     

     

     

    I am satisfied.  Do you get any extra beefed up security whenever your Credit Card has fraudulent charges?  No, there are some things that can't easily be fixed.  Maybe they are working ons omething although since they have so many millions of accounts, they have to run it through heuristical, or possibly even machine learning projections before it gets out of a beta period.  Maybe it had too many false positives, and the refund on error is the only way possible.  I was upset becasue I was reading that some people weren't getting their refunds.  I am sure a lot of the 'fraud' they have are people who bought apps that they don't like.  It must be a major problem.  For me: It's 2am, and it's fixed.  I'm going back to bed.

    Good luck everyone...

  • PatrickGSR94 Level 1 Level 1 (0 points)
    Currently Being Moderated
    Feb 21, 2012 2:14 PM (in response to phifli)

    Well at least I had the e-mail from Apple on my side that alerted me to the issue in the first place - the purchase made from a device not associated with my account.  The e-mail said if I did make the purchase to ignore the e-mail, or otherwise change my password and contact them, which I did.

  • Fabion Retro Calculating status...
    Currently Being Moderated
    Feb 21, 2012 7:41 PM (in response to Fabion Retro)

    I've since been refunded, and changed my password. I know since using iTunes since it began, this was the first time something like this has happened. I'm sure it is an extremely small percent of iTunes users having to go through this annoying experience. I just hope with the more people using Apple products that the company itself prepares for more malicious acts. Refunds are totally appreciated, but the fact that these apps and charges were made weeks after people were letting Apple know this was going on is disheartening. Like any decent business, If something is rotten and is getting people sick, you remove whatever is toxic from the shelves. These shady apps, I can understand being brought into the App store, but they should be removed as soon as they've been proven to be used just for the purpose of ripping iTunes user's off.

  • RMUNSON01 Level 1 Level 1 (0 points)
    Currently Being Moderated
    Feb 22, 2012 4:23 AM (in response to Fabion Retro)

    RE: "weeks after people letting Apple know" - actually it has been well over a year.

    RE: rogue apps being 'the problem' - I don't think so.  As many others have pointed out, the problem appears to be Apple's compromised security, allowing access to passwords which allows access to accounts with available funds (credit balance, Paypal, credit card) so that with that accesss, they are able to spend your account dry.  And it is way beyond insulting for Apple to turn around and accuse the user of phishing being the cause of their theft.  THIS (Apple's response) is what has me so upset.  Apple has been totally silent on what they are doing about it, and the press, for the most part, has been silent.  Without public (press) outcry, Apple will have no motivation to do anything about this.

  • sSickmann Level 1 Level 1 (0 points)
    Currently Being Moderated
    Feb 22, 2012 5:02 AM (in response to RMUNSON01)

    This is exacly my complaint !!

     

    It is a VERY stong liklihood (in my opinion) that my account compromise came because of Apple's failures.

     

    This is spoken as an I.T. professional who never enters details into emails and has different logon ID's / passwords across the online services I use.

     

    In addition there were other suspicious occurences about my case which I have detailed in earlier

    posts.

     

    THE WHOLE TIME, APPLE MADE ME FEEL LIKE IT WAS MY FAULT AND INSISTED THAT IT WAS ME THAT WAS COMPROMISED !!

     

    In addition when the service consultant asked if I had any more questions . . I asked 3 times what Apple is doing to make sure my security is protected and that this can't happen again  . .

     

    In refusing to answer my question i can only assume THEY ARE DOING NOTHING !!!

     

    Where is the media on this !!!   Make them accountable !!

  • tekchic Calculating status...
    Currently Being Moderated
    Feb 22, 2012 6:09 AM (in response to stereocourier)

    I got hacked overnight as well. I'm a software developer (not for iOS), and the Apple ID that I use is used NOWHERE else on the internet, is very long, and uses special characters and upper/lower case, and I'm the only one that knows it.

     

    I got an email this morning that said:

    Your Apple ID, (XXXXX) was just used to download 宠物猎人 from the App Store on a computer or device that had not previously been associated with that Apple ID

     

    Why is there no way to say "These are the only approved devices" on my account? Amazon seems to be able to handle that - I have 3 devices activated for Kindle reading. If I want to activate a new device, then why not give me a battery of security questions and my password that only I know?

     

    No possible way this was phishing, and I don't play any of those questionable freemium apps either. I haven't received a receipt for whatever the name of that app is (I don't speak Chinese).

     

    I have an email out to Apple requesting my $55 in credit back, my password has already been changed, and I'm digging for where the security questions are so I can change those as well. /sigh

     

    Hoping to hear back from Apple soon on a credit. The only reason so much was in there was because Best Buy had a 20% off $50 special about two weeks ago. I don't keep a credit card tied to the Apple store either, for this reason.

     

    It's making me hard to trust them with my iCloud data if people can steal my money via my Apple ID anytime they want.

1 ... 76 77 78 79 80 ... 130 Previous Next

Actions

More Like This

  • Retrieving data ...

Bookmarked By (39)

Legend

  • This solved my question - 10 points
  • This helped me - 5 points
This site contains user submitted content, comments and opinions and is for informational purposes only. Apple disclaims any and all liability for the acts, omissions and conduct of any third parties in connection with or related to your use of the site. All postings and use of the content on this site are subject to the Apple Support Communities Terms of Use.