stereocourier

Q: iTunes store account hacked

I'm posting this just to share my story and get reactions. It's a little detailed but I thought worth sharing.

On November 23, 2010 I purchased a single song from the iTunes store for .99. I used store credit that I had from a gift card I received last year. It was the first purchase I had made since July 2010.

On November 25, 2010 I received a receipt for 2 more separate orders to my account. These were for over $50 in iPhone apps. Here's a sampling of some of the purchases:

1 eREAD isoshu, v1.5, Seller: ChengDu YueTong Internet Information Co. Ltd (17+)
2 Plants vs. Zombies, v1.3, Seller: PopCap Games, Inc. (iDP)
3 Monkey Island 2 Special Edition: LeChuck's Revenge, v1.1, Seller: Lucasfilm International Services Inc.
4 Asphalt 5, v1.2.6, Seller: Gameloft (9+)
5 Let's Golf!® 2, v1.0.1, Seller: Gameloft (4+)
6 Frames & FX for Photos, v2.5.1, Seller: Imikimi, LLC (12+)
7 Stenches: A Zombie Tale of Trenches, v1.0.1, Seller: Thunder Game Works (9+)

I do not have a credit card linked to my account, so these were made using my store credit.

I have only 1 computer authorized for my account (my personal home computer). I live alone and no one else touches my Powerbook but me. I also DO NOT own an iPhone, so I would have no interest in apps.

After I saw these bizarre purchases, I checked my account. I noticed 2 strange things: My account information had changed: My street address was correct, but city, state and zip had changed to: Towson, MD 21286-7840. I have never lived in Maryland. Also, I noticed that my password recovery answer had changed to "Murray" in response to a question about my mother's maiden name. That's decidedly NOT my mother's maiden name. Also, my birthdate had changed to an incorrect month and day.

I immediately changed my password and my recovery question/answer challenge.

I reported problems on all of these purchases and also contacted iTunes Account Support by e-mail.

Within 24 hours I received an e-mail from "Vicki" at iTunes Customer Support. She wrote:

"When reviewing over your account "name@domain.net" and the two reported orders, it shows that the content purchased within them was acquired from the computer that is currently authorized for your iTunes account. So I strongly advise that you do consult with those in your household regarding the purchases made, and the charges that resulted from those purchases."

Further:

"I have gone and reversed the charges for the two orders....You will see a store credit in three to five business days....Please note that this is a one-time exception, as the iTunes Store Terms and Conditions state that all sales are final."

I am pleased that Apple is refunding my store credit and replied so quickly.

However, it is simply impossible that these purchases were made from my computer. Again, my Powerbook is the only computer I have ever authorized to access my account, and I am the only person with access to it.

I am not sure how this happened. Any thoughts or similar experiences?

Powerbook G4, Mac OS X (10.5.8)

Posted on Nov 28, 2010 3:45 PM

Page 79 of 131
  • by PatrickGSR94,

    PatrickGSR94 Feb 22, 2012 7:01 AM in response to tekchic
    Level 1 (2 points)

    The problem with the gift cards is that if you pay for them, it's your money spent with little to no recourse if someone else uses it, except for Apple's "kindness out of their heart" if they refund the money.  At least if you only used a CC to purchase apps, and there were fraudulent charges, you can dispute the charges with the CC company.

     

    I just had to reset my password yet again, because Apple disabled the account yesterday, which means the password I chose and had been using since Monday morning would no longer be allowed.  Thank goodness for mSecure!

     

    *edit* if you haven't found it, you can manage security questions and passwords at https://appleid.apple.com

  • by MadScientistZ,

    MadScientistZ Feb 22, 2012 7:29 AM in response to tekchic
    Level 1 (0 points)

    Like you I'm a computer professional (PhD in computer science) and have come to the same conclusion: these hacks cannot be the result of phishing but rather Apple's servers are being routinely hacked.

     

    Again, either they are storing our user names and passwords unencrypted or somebody else has the encryption key.

  • by Oonce Oonce,

    Oonce Oonce Feb 22, 2012 7:59 AM in response to MadScientistZ
    Level 1 (0 points)

    Or maybe whoever is in charge of the servers at Apple fell for a phishing scam. 

  • by dustinw82,

    dustinw82 Feb 22, 2012 8:34 AM in response to Oonce Oonce
    Level 1 (0 points)

    That's funny!  "But boss, they said if I click here now I get a free iPhone 5, no strings attached!"

  • by camice,

    camice Feb 22, 2012 8:59 AM in response to stereocourier
    Level 1 (0 points)

    I had a very similar experience and just spent over 2 1/2 hours with Apple trying to resolve it. I purchased a $0.99 app on iTunes and then 4 charges for $43.99 showed up, plus 2 others. Although Apple is refunding the amount, they tried to claim that my credit card information was acquired from another source, despite the fact that the only fraudulent charges were on iTunes. Apparently someone opened up 2 other iTunes accounts with my card information but no charges were attempted through any other source and neither my card nor my devices have been out of my possession at any point. I am not nearly as angry about the fraudulent charges as I am about Apple not taking responsibility for their obvious security issue!

     

    Sad,

     

    Ex-Loyal Apple User

  • by adamha,

    adamha Feb 22, 2012 9:09 AM in response to stereocourier
    Level 1 (0 points)

    I just submitted this discussion to Slashdot. Hopefully somebody will pick this up and Apple will have to respond.

     

    Apple Trust = Lost

  • by rasnell,

    rasnell Feb 22, 2012 1:26 PM in response to camice
    Level 1 (0 points)

    Also charged twice for $43.99 this morning. Account has been hacked. VISA resolved. But here's the big problem: They have deactivated my VISA card meaning all of my other bills that are on auto-pay now must transition to new accounts and a new card.

     

    Plus, there is no option to have iTunes without using a credit card. Apple, you've got a global issue on your hands. How soon will you provide a real fix to your customers?

     

    What good is a new credit card if it can be hacked so easily and ruin all other related accounts?

  • by rasnell,

    rasnell Feb 22, 2012 1:27 PM in response to rasnell
    Level 1 (0 points)

    By the way, the sole hack and offense was iTunes. The card was not compromised. And thanks to Visa protections, they caught the scam and would not process the charges. But now a card that I've had for years is deactivated.

  • by LizNDale,

    LizNDale Feb 22, 2012 4:26 PM in response to rasnell
    Level 1 (0 points)

    You can change your Payment Type to NONE in your account settings. You can add credit card info only when you need to purchase. That is what I do now.

  • by camice,

    camice Feb 22, 2012 5:04 PM in response to rasnell
    Level 1 (0 points)

    Yeah, I actually haven't cancelled my credit card yet, although I'm keeping a close eye on it. I'm fairly certain that this issue is exclusive to iTunes and frankly the way it's playing out makes me suspect that they are manipulating the iTunes system but haven't actually broken the encryption code. So although I'm ready to cancel the card as needed, I honestly want to have the proof that this is just an Apple issue, which with no outside attempts at the account confirms that suspicion.

     

    What I find most irritating is that they won't admit fault in their system! I can accept that it happened, but own up already!

     

    Ex-Loyal Apple Customer

  • by Chris CA,

    Chris CA Feb 22, 2012 6:09 PM in response to camice
    Level 9 (79,692 points)
    iTunes

    camice wrote:

     

    Yeah, I actually haven't cancelled my credit card y

    Why not?

    Call the credit card company and just get a new one.

  • by wampdog29,

    wampdog29 Feb 22, 2012 7:30 PM in response to stereocourier
    Level 1 (0 points)

    Okay. I too am now compromised through this "Kingdom Conquest" app/game by Sega (amazing, two major companies have heard about this game for months now and it still exists in the store).

     

    I have had issues with PayPal/iTunes twice now. Some charges showed up 3 or 4 times between $40 and $50 each. These were supposedly charged through iTunes with my PayPal Debit Card even though I only use the direct-through-PayPal payment option (meaning not my debit card, but the account itself). This was a few weeks ago and is currently being investigated through PayPal. The merchant name also doesn't match the iTunes name that is supposed to show up. iTunes Store is the usual merchant name for purchases, but these showed up under APL*APPLE ITUNES STORE 866-712-7753 CA.

     

    The latest issue is now with this Kingdom Conquest app which I have never heard of or downloaded, yet in-app purchases were charged to my direct-to-PayPal option. PayPal is now investigating this and my iTunes account has been deactivated for a few days. What I am wondering is if the two issues are related. Being a PC Support Tech, programmer and web designer, I don't see how it's possible to charge accounts that have no relation to the game. If I have NEVER been in the vicinity of the app on iTunes, how the **** are they getting my and other accounts?

  • by Dragonchilde,

    Dragonchilde Feb 22, 2012 7:35 PM in response to wampdog29
    Level 1 (0 points)

    I think what frustrates me is that this could be stopped with one simple action: Not in your approved devices list, DON'T APPROVE THE ACCOUNT ACCESS. If they try to access information from a non-approved device, go through the motions of approving the device through non-Apple account emails, etc... so that you have multiple layers of protection.

     

    I'm safely back where I should be, but I'm nervous. Why ask for approved devices if you're not going to deny access to non-approved devices?   

  • by wampdog29,

    wampdog29 Feb 22, 2012 7:44 PM in response to Dragonchilde
    Level 1 (0 points)

    Exactly! The first thing I noticed in the email about a charge was that "it was for a device not part of my activated devices!" And I'm like... huh???? That makes no sense.

     

    I feel as though the whole approved devices idea is only a fix for not having DRM. In other words, it's only a restriction for us customers to not give out songs to others, but does nothing for thieves and hackers.

     

    I suppose I'll have to go through the motions for the next 15 to 30 days until I get all of my money back.

  • by camice,

    camice Feb 22, 2012 7:51 PM in response to Chris CA
    Level 1 (0 points)

    I appreciate the advice, but it will take me weeks to sort out the accounts I have this attached to. But I'm checking my account hourly and at any sign that this is more than the iTunes system being compromised I'll do it at once and dispute any new charges. However, I worked in banking for many years and can pretty much guarantee that they haven't actually accessed the card information itself. This is too sophisticated an operation; if they had our actual card information they would have immediately started charging with them through other sources. The fact that they haven't made any attempts other than iTunes and everyone is reporting the same pattern tells me that they basically have just found a way to manipulate the iTunes website, which is frankly much more likely than breaking the encryption codes.

     

    So, yes, I'm taking a risk but frankly I'm willing to do it to confirm my suspicions. I'll keep you posted.

     

    Ex-Loyal Apple Customer.
