Q: iTunes store account hacked

Same Happened to me. Added 50€ Giftcard last Weekend. Today Received two Bills, dated mai 16th with 34.99€ and 2x 6.99€. Both are for in app purchases for kingdomconquest, which i Never Downloaded myself.... The other Thing is that my cc Information has been removed from my account.

But interesting to see that it is Happening to others too recently, Looks like there is some seriuos Bug in the billing System...

Filled in the Support Form, Hope the Money gets refunded  by Apple without Problems.

Regards from Austria

Ps: Sry for the Bad spelling, **** German autocorrection ;)

So I have had two attacks this week:

On Monday, the usual poker suspect came in and emptied my account(about $50).  I emailed Apple and they replied with your account has been disabled, change your pass, we will refund you, etc.   I hadn't gotten around to restarting it, and the same thing has happened again.   This time for $25, but the account only had less than a dollar in it I think.  So the account wasn't even active when it happened.   And might have been empty of cash before it happened? 

Ditto. Birthday gift card? Used. Additional charges made to my account? About $40.00. This is seriously unacceptable. I was lucky(?) that ANOTHER thief who was altogether stopped had recently tried to use my card, so I had it replaced. The one on iTunes was inactive. But now iTunes is holding me responsible for the unpaid theft. Trying to get cust. service to wipe the excess fees, even though my gift card money is likely gone.

I also experienced the KingdomConquest hack this week.  Gift card balance was drained within hours of applying it to the store, and my credit card info was removed from the account. 

Emailed apple, waiting for a response.

In the meantime I've followed the usual prescriptive advice:

:changed itunes password

:changed security questions

I don't have 5 authorized computers, so I can't flush them all until support gets back to me. 

Whats bugging me is the anatomy of this hack.  Setting aside the question of how did they get into my account: why?  The app appears to be legitimate, from Sega.  My gift card balance was exchanged for in-world currency, which according to Sega's documentation can't be transferred between players in-world.  So I don't really understand the point to stealing my money to fund an MMORG on a cell phone when the theft would be discovered with a day or so.  Am I just missing something, or is there a vulnerability in this game that people are using to exchange in-world currency for real world cash?

Try this trick!  If you have access to several more computers - work, friends, relatives, etc. log into your account on each one and authorize the computers. Then you can delete each one you need to. It's simple, and can save you time!

Honest to G's truth, exactly what did you say that has anything to offer to the discussion of hacked accounts, solutions to being ripped off, or is helpful to lusid's accounting whatsoever? "Try this trick!" smacks of a spam email approach, to be blunt.

It disappoints me that the correlation between the rising popularity of the Macintosh platform to the lowering of knowledge and overall quality is becoming so blatant. That includes the increasing number of so called 'secure platform incidents'. This is not the Macintosh sphere I know from years ago.

"I don't have 5 authorized computers"...

READ THAT QUOTE. It means lusid has computers he/she cannot de-authorize, even if this was some sort of 'magical de-authorization technique', which it isnt. Waiting on Apple to get its head out of the sand to this very very common and re-occurring problem is all he/she can do at this point.

And exactly what 'time' over what efforts are you supposedly 'saving' lusid? None. If you like copy-pasting irrelevant support suggestions from elsewhere, I suggest you apply to Apple as an Indian support specialist, as that is the quality of response they give and the kind of person they obviously are looking for.

Nothing personal, but there is also no need to remind me how obviously LIVID a response I am giving...the current state of 'lack of security' affairs being experienced through the Apple data base infuriates me; it only grows with every addition of yet another victim's accounting. I can applaud your eager but ineffectual help only based on intent, not on content.

Apparently no one but the myriads of victims of these crimes are considering this a serious situation!

I'm wondering if the removal of out credit/bank card details is something apple has patched when they notice this happening. Either that or the hackers removed it...

Apple won't acknowledge it because of the impact it would have on their brand image.. I think they have a duty to warn people though as there is a serious loophole here making our personal data vulnerable to such attacks..

Wow, Brad. If you weren't so ignorant, I would be offended by your post.

The tip I described was told to me by an Apple rep. The problem is you can't deauthorize a computer on your account, even if it was done without your permission, until you have at least five computers authorized. You just authorize several more, until you hit five. That's where friends, work come in. Once you have five, then you deauthorize all but your personal computer, including the bogus one. Please reread this statement. Five is the magic number where you can deauthorize any or all of the computers on your account! This gets rid of the bogus computer. The rep said it may help keep the hackers from accessing the account again, since their computer is no longer authorized on your account. That's why I posted it here, to possibly help people from being hacked again. That should make this tip relevant.

The time saved is from getting rid of the bogus computer yourself.  Apple won't do it, unless you are persistent. This can take several days. You could take care of it yourself in an hour.

I do take this problem seriously. I was ripped off for $22 from a gift card, which is a lot less than many people who have posted here.  Apple did the right thing and refunded the money. The rep was very helpful and I got some good tips from him. That's why I pass this on, so people can take care of it quickly. If you read all my posts, you can see I've helped several people on this subject.

Also, I'm sure Apple is working to solve this problem. They are losing money, and the confidence of a lot of loyal fans.

I apologize for the short post last time. I should have explained it better so the people who haven't followed this full discussion will understand what I was referring to.

Thanks guys, but if apple is unresponsive I can easily spin up a hand full of VMs, activate them, then flush my activations.  But you only get to do that once every 12 months, so I'd rather let support do it.

I'm much more interested in how the hack works.  Like I said in my post, I don't see the upside for the hacker.  But anyway.. the other interesting question is of course: how was my account compromised in the first place?

Side channel attack leveraging data from the PSN leak?  Maybe, but doesn't fit the timeline of everyone else getting hacked.  This appears to be systemic, and its been going on for a long time.

Rouge password stealing app?  I'd buy this one (pun intended).  I've been trying a lot of free games lately.

Leak inside apple?  also high on the list of probabilities

trojan on my PC? not likley.  Enterprise grade AV/antimalware in place, and I rescanned everything just in case.

Firesheep'd at a starbucks?  I don't know, is itunes access from an ipad vulnerable to HTTP session hijacking? Doesn't seem to fit.

There has to be a pattern here. I'm just not seeing it.

I'm guessing the removal of the credit card info is something the hackers are doing to minimize risk.  The credit card companies are better equiped to track fraud than apple.  And stealing credits from the apple store is less likely to get law enforcement attention than stealing from credit card companies.

Just a guess though.

Hi all

I have had the same problem. Got and invoice this morning for Texas poker chips, Kamagames Ltd saying i had bought chips at £11.99 & £5.99 puting my itunes balance to 50p. so looks like i am took a victim.

What is the best way to contact apple uk about this and hopfuly get it put right.

Many thanks

Michael

I, too, was hacked over the last few days. I had a little over $100 in iTunes Gift Cards in my account. Yesterday, when I went to buy a 14.99 app it said I didn't have any money in my account. I thought that strange but even stranger was that my credit card info was no longer in my account. Then I found the email from earlier in the day for 99.99 of iMobster Favor points! Since I'm the only person that uses my iDevices this is clearly a hack!

I've sent the email to the iTunes team and am now waiting. In the meantime, I had added my credit card info back into the account before realizing what happened. Have since removed credit card info and changed my password. I am also very careful about iTunes authorizations on my 3 computers and noticed I suddenly have 4 computers in my account. I found an old PC and authorized that computer so I could deauthorize all 5 including the hackers account.

Not sure I should submit another message to iTunes or wait until I hear now that I have more details!

What is happening?

bluemc wrote:

 

The problem is you can't deauthorize a computer on your account, even if it was done without your permission, until you have at least five computers authorized. You just authorize several more, until you hit five. That's where friends, work come in. Once you have five, then you deauthorize all but your personal computer, including the bogus one. Please reread this statement. Five is the magic number where you can deauthorize any or all of the computers on your account! This gets rid of the bogus computer. The rep said it may help keep the hackers from accessing the account again, since their computer is no longer authorized on your account.

Note that Deauthorize all will not prevent all previously authorized computers from using content already on that computer.

Only if they attempt to use the iTunes store again with that account will it actually do anything. If an authorized computer is not connected to the internet, how is it going to get deauthorized?

I have also been hacked. I orignally thought that I had accidentally made an in app purchase, but after investigating further I have discovered that this has happend to other people.

$21.24 of my gift card credits are now gone and my credit card information has been taken off of my account. Does anyone know if my credit card is now compromised because of this? I've sent an e-mail to iTunes support is there any chance I will be reimbursed?

Hi, Chris,

I was told that an authorized computer on my account, in this case one that was authorized without my permission, may have an advantage in getting back onto my account. It's not about the content that was downloaded, it is possible protection to keep it from happening again from the same hacker. It's not really deauthorizing the computer itself, but deauthorizing it from the account.

The hackers are using some type of vulnerability in the system and are not using your credit to purchase games or music for themselves. They are using it to sell games to a bogus or genuine developer, then are getting a kickback for their hacking. Or it is the developers themselves that are hacking the accounts to take our money.

I originally thought they were cracking the gift card numbers so it was used by them, then debited from my account. Obviously, they are getting directly into our accounts, so it is a vulnerability in the iTunes Store. This is evident by them almost always changing the city to Towson MD, and deleting the credit card info. There is a college near Towson, so maybe some students are doing it from there. I don't think it's being done in huge numbers, but it is methodical and the items being purchased are slowly changed to other items maybe as Apple closes a developer's account for all the bogus charges.

Melissafromaokforest:  The Apple rep assured me they are not getting the credit card number, as only the last four digits are displayed, and the remainder of the number is protected by encryption. I haven't had any charges made to my credit card after about a month, knock on wood.