stereocourier

Q: iTunes store account hacked

I'm posting this just to share my story and get reactions. It's a little detailed but I thought worth sharing.

On November 23, 2010 I purchased a single song from the iTunes store for .99. I used store credit that I had from a gift card I received last year. It was the first purchase I had made since July 2010.

On November 25, 2010 I received a receipt for 2 more separate orders to my account. These were for over $50 in iPhone apps. Here's a sampling of some of the purchases:

1 eREAD isoshu, v1.5, Seller: ChengDu YueTong Internet Information Co. Ltd (17+)
2 Plants vs. Zombies, v1.3, Seller: PopCap Games, Inc. (iDP)
3 Monkey Island 2 Special Edition: LeChuck's Revenge, v1.1, Seller: Lucasfilm International Services Inc.
4 Asphalt 5, v1.2.6, Seller: Gameloft (9+)
5 Let's Golf!® 2, v1.0.1, Seller: Gameloft (4+)
6 Frames & FX for Photos, v2.5.1, Seller: Imikimi, LLC (12+)
7 Stenches: A Zombie Tale of Trenches, v1.0.1, Seller: Thunder Game Works (9+)

I do not have a credit card linked to my account, so these were made using my store credit.

I have only 1 computer authorized for my account (my personal home computer). I live alone and no one else touches my Powerbook but me. I also DO NOT own an iPhone, so I would have no interest in apps.

After I saw these bizarre purchases, I checked my account. I noticed 2 strange things: My account information had changed: My street address was correct, but city, state and zip had changed to: Towson, MD 21286-7840. I have never lived in Maryland. Also, I noticed that my password recovery answer had changed to "Murray" in response to a question about my mother's maiden name. That's decidedly NOT my mother's maiden name. Also, my birthdate had changed to an incorrect month and day.

I immediately changed my password and my recovery question/answer challenge.

I reported problems on all of these purchases and also contacted iTunes Account Support by e-mail.

Within 24 hours I received an e-mail from "Vicki" at iTunes Customer Support. She wrote:

"When reviewing over your account "name@domain.net" and the two reported orders, it shows that the content purchased within them was acquired from the computer that is currently authorized for your iTunes account. So I strongly advise that you do consult with those in your household regarding the purchases made, and the charges that resulted from those purchases."

Further:

"I have gone and reversed the charges for the two orders....You will see a store credit in three to five business days....Please note that this is a one-time exception, as the iTunes Store Terms and Conditions state that all sales are final."

I am pleased that Apple is refunding my store credit and replied so quickly.

However, it is simply impossible that these purchases were made from my computer. Again, my Powerbook is the only computer I have ever authorized to access my account, and I am the only person with access to it.

I am not sure how this happened. Any thoughts or similar experiences?

Powerbook G4, Mac OS X (10.5.8)

Posted on Nov 28, 2010 3:45 PM

  • by coupster7,

    coupster7 Mar 28, 2011 9:08 AM in response to stereocourier
    Level 1 (0 points)
    Another victim! My iTunes was drained of $29.98 on 3/25/11 at midnight for the Orig gangster (very subtle!) app credits. They also changed my billing address city/state to Towson MD. Reported to Apple.
  • by arcane93,

    arcane93 Mar 28, 2011 10:13 AM in response to stereocourier
    Level 1 (10 points)
    Further evidence, as far as I'm concerned, anyway, that this is not a simple matter of a password hack or a virus:

    We discovered last night that my girlfriend's account, which she uses on her iPad, has been compromised as well. Fortunately, she didn't have any gift card balance on her account, and from everything that we can tell, all the hackers did was remove her credit card number from the account. We can't find any evidence that any purchases were made.

    Here's the thing, though -- she only logs onto that account in the app store, on the iPad itself. To be honest, I don't think that she even knows how to log into it on her computer (and even if she does know how, she never does). The last time that I logged into it on her computer was months ago, when I upgraded the iPad to iOS 4.2 (I've been meaning to upgrade her to 4.3, but haven't gotten around to it). Her password is pretty secure (it's got both uppercase and lowercase letters and numbers, and while it's not totally random, as far as any kind of password generator is concerned it might as well be). All of the apps that she is using are pretty standard -- nothing which raises a red flag as questionable.

    So, uh, yeah, it looks extremely unlikely to me that her account could have been compromised on her end. And yet, there it is.

    I don't think we're even going to bother to contact Apple about this one, since it appears that all Apple will do is tell her to change her password, and possibly make her go through a runaround with disabling and re-enabling her account. Still, they need to get on top of this now and do something about it.
  • by eaklause,

    eaklause Mar 28, 2011 10:17 AM in response to stereocourier
    Level 1 (0 points)
    Same thing happened to me and I have emailed support and hopefully they'll refund me. I've only seen miscellaneous charges, via PayPal, and none provide any description except the cryptic "iTunes Store purchase". I verified my PayPal account doesn't have these charges listed, yet my bank account that is tied to my PayPal account has been charged. I sent in one dispute... do I need to do an individual dispute for each charge? If anyone can help me that would be great. I'd also like to know what to do to make my account more secure. I normally enjoy buying music from iTunes but am happy to stop if I'm going to be robbed.
  • by proidg,

    proidg Mar 28, 2011 11:03 AM in response to arcane93
    Level 1 (0 points)
    Many states have laws that require companies to notify the public and affected customers if they have reason to believe there has been a breach that has exposed personally identifiable data including credit card numbers, name, address and so on. For the folks on this list who believe that they have had such information exposed, I would encourage you to contact your local state Attorney General and report the incident to them. If you live in Massachusetts, Mass General Law 93H requires disclosure of data breaches.


    <Edited by Host>
  • by Nicole V,

    Nicole V Mar 28, 2011 11:30 PM in response to stereocourier
    Level 1 (0 points)
    I received an email receipt from Apple iTunes store saying that I made a $20.31 purchase worth of crap music and ring tones. Wasn't sure if the email was spam, so I opened iTunes to check my account, and my GC was drained down to $0.72. I changed my password. Didn't have any credit cards stored for my account. I contacted Apple and will be waiting for a response.

    I think this hack might have been linked to an email supposedly from UPS that looked like spam, where I accidentally clicked a link on my iPhone. The same day I did that was the same day the bogus charges appeared on my iTunes account. Second time an account of mine has been hacked due to me trying to scroll on my iPhone, and links are accidentally opened.

    Hoping this gets resolved, although if I don't get the credit back, I'm definitely never buying from iTunes or App Store ever again.
  • by tecman69,

    tecman69 Mar 29, 2011 7:15 AM in response to stereocourier
    Level 1 (0 points)
    I don't mean to be condescending here, but everyone everywhere needs to start using stronger passwords, and the registration site will tell you what is strong vs. weak. The likely scenario here is that your gmail / yahoo / yadayada account was dictionary attacked and as you had the same username/password for your iTunes account, what do you expect?

    Now hold on! I am not inferring that everyone is doing this, it is just an example scenario. Actually, I find that Apple support is the most responsive and considerate I have ever seen, and I have been in IT & information security for almost 40 years.

    tecman
  • by MichaelTLH,

    MichaelTLH Mar 29, 2011 7:59 AM in response to tecman69
    Level 1 (0 points)
    My password was 12 characters, alpha and numeric, no words and had symbols... so I really doubt it was dictionary attacked. I also never use the same password on any site. AND... I was still hacked for two $40 gift cards.
  • by ybenner,

    ybenner Mar 29, 2011 8:45 AM in response to tecman69
    Level 1 (0 points)
    My iTunes password was different from my email passwords, but anything is possible. The password has been changed to something much stronger.

    I'm just floored by Apple's lack of assistance with this issue. I haven't received a word of information except to change my password. I contacted Paypal right away, but they haven't heard back from Apple either.
  • by aasasssasas,

    aasasssasas Mar 29, 2011 10:29 AM in response to stereocourier
    Level 1 (0 points)
    Welcome to iTunes Store Customer Support! My name is *** and I am glad to assist you today.

    I understand that you have been charged twice for an item "23400銀幣禮包" and would like a refund for the same. I realize how eager you are to find a solution to this issue.

    I have reversed the charge for the duplicate purchase, which I understand was unintentional. You will see a credit of $19.99, in three to five business days. If store credit was used for this purchase, you should see the credit post within three to five business days. If you still do not see your store credit, you will need to sign out of the iTunes Store and sign back in.

    Please note that this is a one-time exception, as the iTunes Store Terms and Conditions state that all sales are final.


    P.S. This was not a duplicate purchase, Apple. Both purchases were not by me. I do not speak Chinese, LOL, as I stated to you in my original email!
  • by Nicole V,

    Nicole V Mar 29, 2011 12:08 PM in response to aasasssasas
    Level 1 (0 points)
    I received a similar response to the email above. We'll see what happens though. My Apple ID has been disabled, and I'm waiting for it to be enabled so that I can log in and see if I was credited back for the items I did not authorize. One thing's for sure, I don't feel safe entering any credit card information with Apple. Guess if I need to buy any Apps, I'm just gonna have to keep getting new GCs.
  • by ybenner,

    ybenner Mar 29, 2011 1:35 PM in response to Nicole V
    Level 1 (0 points)
    This is my plan as well. Just use iTunes GC's with my account to minimize any potential financial damage. Kind of a PITA, but necessary IMO.
  • by DJBenson,

    DJBenson Mar 29, 2011 3:00 PM in response to ybenner
    Level 1 (0 points)
    I've just received notification that someone has been spending my iTunes credit - a load yesterday (which I didn't receive notification for) and some more just now.

    They've also authorised their own machine (which is annoying as you can't de-auth it yourself) and my card details have "gone missing". Have reported all the transactions to Apple and await their response but this appears to be a massive security breach...
  • by DrDreTO,

    DrDreTO Mar 30, 2011 6:02 PM in response to stereocourier
    Level 1 (0 points)
    OK, so I was dinged like a lot of people here. Gift card balance drained $40 for texasholdem + in-app purchases. I never heard of the apps before they appeared on my account. I went to the App Store and found that the offending app is still there amongst other apps by the same developer. Even the customer reviews warn people that these are suspicious apps.

    This one seems to be pretty common in this thread, so the question is why the heck has that app not been pulled from the store to stop the bleeding???

    I submitted my issue to Apple and am waiting for a reversal of charges.
  • by ybenner,

    ybenner Mar 31, 2011 8:49 AM in response to DrDreTO
    Level 1 (0 points)
    Paypal is still waiting to hear back from Apple. It will be one week tomorrow that these charges occurred and my money is still in limbo :/
  • by lizurdmom,

    lizurdmom Mar 31, 2011 10:15 PM in response to stereocourier
    Level 1 (0 points)
    I posted on this thread March 18 or 19 about my experience getting hacked like everyone else here. I went thru various appropriate channels to get the problem identified on my account, etc. A couple of days ago I got an email saying my money would be refunded & that it might take 5-7 business days for that to happen..... I believe that I will be refunded, and that all of us in the same boat will be refunded if appropriate (some just had info changed with no unauthorized purchases).