stereocourier

Q: iTunes store account hacked

I'm posting this just to share my story and get reactions. It's a little detailed but I thought worth sharing.

On November 23, 2010 I purchased a single song from the iTunes store for .99. I used store credit that I had from a gift card I received last year. It was the first purchase I had made since July 2010.

On November 25, 2010 I received a receipt for 2 more separate orders to my account. These were for over $50 in iPhone apps. Here's a sampling of some of the purchases:

1 eREAD isoshu, v1.5, Seller: ChengDu YueTong Internet Information Co. Ltd (17+)
2 Plants vs. Zombies, v1.3, Seller: PopCap Games, Inc. (iDP)
3 Monkey Island 2 Special Edition: LeChuck's Revenge, v1.1, Seller: Lucasfilm International Services Inc.
4 Asphalt 5, v1.2.6, Seller: Gameloft (9+)
5 Let's Golf!® 2, v1.0.1, Seller: Gameloft (4+)
6 Frames & FX for Photos, v2.5.1, Seller: Imikimi, LLC (12+)
7 Stenches: A Zombie Tale of Trenches, v1.0.1, Seller: Thunder Game Works (9+)

I do not have a credit card linked to my account, so these were made using my store credit.

I have only 1 computer authorized for my account (my personal home computer). I live alone and no one else touches my Powerbook but me. I also DO NOT own an iPhone, so I would have no interest in apps.

After I saw these bizarre purchases, I checked my account. I noticed 2 strange things: My account information had changed: My street address was correct, but city, state and zip had changed to: Towson, MD 21286-7840. I have never lived in Maryland. Also, I noticed that my password recovery answer had changed to "Murray" in response to a question about my mother's maiden name. That's decidedly NOT my mother's maiden name. Also, my birthdate had changed to an incorrect month and day.

I immediately changed my password and my recovery question/answer challenge.

I reported problems on all of these purchases and also contacted iTunes Account Support by e-mail.

Within 24 hours I received an e-mail from "Vicki" at iTunes Customer Support. She wrote:

"When reviewing over your account "name@domain.net" and the two reported orders, it shows that the content purchased within them was acquired from the computer that is currently authorized for your iTunes account. So I strongly advise that you do consult with those in your household regarding the purchases made, and the charges that resulted from those purchases."

Further:

"I have gone and reversed the charges for the two orders....You will see a store credit in three to five business days....Please note that this is a one-time exception, as the iTunes Store Terms and Conditions state that all sales are final."

I am pleased that Apple is refunding my store credit and replied so quickly.

However, it is simply impossible that these purchases were made from my computer. Again, my Powerbook is the only computer I have ever authorized to access my account, and I am the only person with access to it.

I am not sure how this happened. Any thoughts or similar experiences?

Powerbook G4, Mac OS X (10.5.8)

Posted on Nov 28, 2010 3:45 PM

  • by joshuakent,

    joshuakent Sep 21, 2011 10:55 PM in response to stereocourier
    Level 1 (0 points)

    This just happened to me, apparently I made some in-app purchases in a game I never downloaded. My address was changed to CA and my credit card removed from my account. Can Apple seriously not stop this after so many months of the same thing?

    Any ideas why this is happening? I changed my password but it wasn't like I had a very simple one in the first place.

    Josh

  • by blakefromblack creek,

    blakefromblack creek Sep 22, 2011 6:31 AM in response to joshuakent
    Level 1 (0 points)

    Still happening...

    Just happened to me... 8 purchases each over $44.

  • by michaelfromlakewood ranch,

    michaelfromlakewood ranch Sep 22, 2011 7:15 AM in response to blakefromblack creek
    Level 1 (0 points)

    Just happened to me this morning. Got an email that a purchase (798ArtZone for $11.99) had been made on my account from a computer that had not used my account before. Luckily only have a minimal amount of money left on iTunes gift card and no other accounts associated with my iTunes account. Already emailed Apple about getting a refund and have changed my password. Not sure what good changing my password does when I never gave anyone my original one to begin with. They can just go back in and steal my new one now too.

  • by jbcapecodder,

    jbcapecodder Sep 22, 2011 3:11 PM in response to stereocourier
    Level 1 (0 points)

    Same thing has happened to me... and apparently also happened to the Massachusetts Attorney General. Martha Coakley has asked Apple to explain what is going on. Now maybe they'll admit there's a problem and will do something. In the meantime, I'm certainly not going to link a credit card to my iTunes account.

  • by Adam A. Lang,

    Adam A. Lang Sep 22, 2011 3:19 PM in response to stereocourier
    Level 1 (135 points)

    I'm curious: is there anyone here that has had this problem who was using a UNIQUE password on iTunes? That is to say, not only is it a strong password (my idea of a strong password being CRA$$Yapp()ll, for example) but it is one that you do not use anywhere else?

    IMO, one of the worst problems with passwords is that most people use the same password in lots of places, including on web sites that may well be controlled by or compromised by a hacker. If you have an @me.com or @mac.com email address, and you give them the password, you've just entirely compromised yourself. Even if you don't, they might be able to figure it out or guess it with a little work.

    There's another possibility here, too: Firesheep, or a similar tool, sniffing the network on some public WiFi connection. I don't know if all Apple Store/iCloud/MobileMe transactions are https, but if they're not, it might really be that simple.

  • by Jmuskratt,

    Jmuskratt Sep 22, 2011 5:04 PM in response to Adam A. Lang
    Level 1 (0 points)

    For clarification's sake, I was hacked and the only product in the Apple ecosystem that I own is an iPhone 3GS. I don't use iTunes on my PC and can't on my Ubuntu partition. The only way my password gets transmitted to Appleland is through the iTunes store ON the actual phone itself.

    I've also never had any of my passwords hacked in my 20+ years of PC computing. Sure, there's a first time for everything, but I'd be surprised.

    Perhaps with the Massachusetts AG getting hax0rd, something will come of this.

  • by Zenobius,

    Zenobius Sep 22, 2011 6:15 PM in response to Jmuskratt
    Level 1 (0 points)

    ok... First off.

    People need to READ a little closer to the details.

    the Mass AG.... LOST HER CREDIT CARDS.....

    http://threatpost.com/en_us/blogs/massachusetts-attorney-general-victim-itunes-scam-says-shell-demand-answers-092111

    "her stolen credit card information was used to make fraudulent iTunes purchases"

    "acknowledging that her bank account was emptied after cyber criminals stole her debit card information during a ski trip to New Hampshire."

    100% different from what is happening here in this thread. SHE lost her cards, thieves used that to purchase things on iTunes. She was NOT hacked..

    second.

    JMuskratt. You JUST used your iTunes password to post here, you don't need an Apple device to use it.

    If you have ever posted on the discussions, or ordered anything from the online Apple store.. you used the password.

    I never had any password problems before either, 2-3 weeks after posting on the discussion forums here.. I had my iTunes password hacked. That's why I have always thought it was Apple's website/database that has the security problem, not necessarily on our end.

  • by Jmuskratt,

    Jmuskratt Sep 22, 2011 6:18 PM in response to Zenobius
    Level 1 (0 points)

    I know I did. I was referring to the earlier mention that it was unknown whether the Apple software transmits it in HTTPS. I know that my session here in Chrome is HTTPS, and thus didn't include it.

    iTunes on the 3GS and this discussion forum (via https) are the only ways I interface with anything Apple.

  • by cromin,

    cromin Sep 23, 2011 8:22 AM in response to stereocourier
    Level 1 (0 points)

    My iTunes was hacked yesterday as well. In all, almost $30.00 was used to purchase apps that I did not authorize. Emailed Apple about the issue. Now waiting on my refunds.

  • by shengweifromemeryville,

    shengweifromemeryville Sep 23, 2011 2:25 PM in response to stereocourier
    Level 1 (0 points)

    I have the same problem as well. I just received my iTunes receipt; it showed there were two transactions for some game credit purchase that cost me 39.98 dollars, and my credit card info has been removed from the list. Apple sent me an email regarding an unauthorized computer that purchased some app under my account as a notification, but they still processed the transaction... how ridiculous. I just wrote an email to the support, no reply yet... *** is Apple doing

  • by qig,

    qig Sep 24, 2011 6:45 AM in response to stereocourier
    Level 1 (0 points)

    Just happened to me, got an email this morning that purchases were made from devices that had not previously been associated with my Apple ID. I've changed my password and sent an e-mail to support for a refund.

  • by Wypeyourmouf,

    Wypeyourmouf Sep 27, 2011 8:13 PM in response to stereocourier
    Level 1 (0 points)

    Yeah, I got hacked today. I had a 100 dollar gift card in my account that I received when I purchased my Mac like a week ago, and I had used like 9 dollars of it, so I had around $91 dollars left. I logged on today, wanted to rent a movie, and I noticed I had 1 dollar left in my account, so I'm thinking it prolly glitched or something. I close iTunes and reopen and I see it's what I have left. They bought some Original gangster **** and I was left with 1 dollar. I sent an email, waiting for Apple to contact me back. It just ***** I got my MacBook like a week ago and this happens already. Also my address info was changed to CA when I'm in Miami. =/

  • by CMcDublin,

    CMcDublin Sep 28, 2011 6:26 AM in response to jackwheelerjr
    Level 1 (0 points)

    Add me to the list as well.  They bought Pearl-in-Palm on my iPhone 4 twice for $9.99 each on 9/20/11 at 10:57pm.

    I'm in Ireland and I got hit this morning for the Pearl-in-Palm thing (I don't know what that is and it downloaded onto my iPhone too so I deleted it immediately). I was alerted when I got two emails from Apple saying a computer that was not previously registered to my account had made a purchase. In the past two weeks, I received the education bonus €75 gift voucher for the app store after I bought a new iMac. The hackers took €15.99 from my account and deleted my credit card.

    I've changed my password, deauthorized all computers and devices, contacted Apple and alerted the bank. My bank cancelled my card just to be on the safe side. I suppose I'll just have to wait and see what happens. What is going on with this hacking - particularly with accounts where gift vouchers have just been added? My password was secure (or so I thought). It had letters, capitals and numbers and it's unique to my Apple ID.

  • by SimonJester753,

    SimonJester753 Sep 28, 2011 6:37 AM in response to CMcDublin
    Level 1 (68 points)
    Desktops

    Apple will tell you their servers are as secure as Fort Knox, but too many people have been hacked who say they never share their PW or computer with anyone for me to believe that.

    They need to set up the accounts so that you have to enter your credit card or gift card number for each purchase and nothing is stored on their server.

    Also, they need to set it up so that your computer or device is authorized in a way that makes it verifiable and traceable.

  • by Adam A. Lang,

    Adam A. Lang Sep 28, 2011 9:59 AM in response to CMcDublin
    Level 1 (135 points)

    "My password was secure (or so I thought). It had letters, capitals and numbers and it's unique to my Apple ID."

    Now that's very interesting, because you are the first person here who has explicitly said that they used their Apple ID password for nothing except Apple. That was my guess for how this was happening. (People hacking message boards and other things, and stealing people's passwords that they can somehow tie with an Apple ID.)

    It is curious that so many people who have iTunes gift cards are having this problem. One is forced to wonder if there is some mechanism for gaining access to an account if one knows a gift card ID, and if so, whether some of the gift card IDs are pre-compromised. However, I think there are at least some accounts where there have never been gift cards attached at all, so either there is no connection or there are at least two separate methods being used to compromise accounts.

    Edit: Oh, now this is interesting. According to a couple of articles I've just read, people are using key-loggers installed by trojans and viruses to capture passwords and usernames for iTunes. If that's true, then the suggestion of several people here to have people input their credit card number or iTunes gift card number every time they want to make a purchase would be HUGELY counterproductive. And it would also explain why some users seem to have actually had their credit card numbers compromised, when it should be essentially impossible to get a credit card number back OUT of the iTMS.
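
The pattern reported across this thread (address or recovery answer changed, stored card removed, purchases from a computer not previously used with the account) can be written as a correlation rule over account events. This is an added example, not part of any post and not Apple's logic; the event names, the 48-hour window and all sample records are constructed assumptions.

```python
from datetime import datetime, timedelta

# Hypothetical event names for the account changes posters describe.
PROFILE_EVENTS = {"address_changed", "security_answer_changed",
                  "birthdate_changed", "card_removed"}
WINDOW = timedelta(hours=48)  # assumed correlation window

# Constructed sample records: (timestamp, account, event, detail)
EVENTS = [
    ("2010-11-23 10:00", "user-a", "purchase", "device=home-mac amount=0.99"),
    ("2010-11-25 08:00", "user-a", "address_changed", ""),
    ("2010-11-25 08:01", "user-a", "security_answer_changed", ""),
    ("2010-11-25 08:05", "user-a", "purchase", "device=unseen-1 amount=25.00"),
    ("2011-09-22 07:00", "user-b", "purchase", "device=unseen-2 amount=11.99"),
    ("2011-09-22 07:02", "user-b", "card_removed", ""),
    ("2011-09-24 09:00", "user-c", "purchase", "device=new-phone amount=4.99"),
]
KNOWN_DEVICES = {"user-a": {"home-mac"}, "user-b": {"old-pc"}, "user-c": {"laptop"}}

def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")

def flag_takeovers(events, known_devices, window=WINDOW):
    """Return {account: [(device, amount, severity, nearby_changes)]}."""
    changes, unseen = {}, {}
    for ts, account, event, detail in events:
        when = parse_time(ts)
        if event in PROFILE_EVENTS:
            changes.setdefault(account, []).append((when, event))
        elif event == "purchase":
            fields = dict(kv.split("=", 1) for kv in detail.split())
            if fields["device"] not in known_devices.get(account, set()):
                unseen.setdefault(account, []).append((when, fields))
    findings = {}
    for account, purchases in unseen.items():
        for when, fields in purchases:
            # Changes before OR after the purchase count: posters report the
            # card being removed around the time of the fraudulent orders.
            nearby = sorted({e for t, e in changes.get(account, [])
                             if abs(when - t) <= window})
            severity = "high" if nearby else "review"
            findings.setdefault(account, []).append(
                (fields["device"], fields["amount"], severity, nearby))
    return findings

if __name__ == "__main__":
    for account, hits in flag_takeovers(EVENTS, KNOWN_DEVICES).items():
        print(account, hits)
```

A purchase from an unseen device with no nearby profile change is only marked "review", since a legitimately new phone or computer looks the same in isolation.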
