UPDATE: I called PayPal first thing this morning, and they had already begun the fraud investigation; they reversed the charge and refunded my money, which, in my case, was the credit taken from my iTunes account in addition to the extra money from my PayPal account. Within five minutes of hanging up the phone I had already received e-mail confirmation of the charge reversal, and two more e-mail messages from iTunes cancelling the sale of the app (and the in-app purchase for an additional 9.99) and refunding my iTunes credit.
They complimented me on my quick action for changing all my passwords and unlinking my PayPal account from iTunes, as it helped stave off additional charges. It's a good thing I'm always checking it. I think from now on I'll use prepaid Apple iTunes cards for all my purchases; it's a pain, but at least I'll have some peace of mind.
Still, while I was lucky, this was still a disturbing turn of events. I don't open unfamiliar messages, and I'm always catching phishing attempts. FWIW, PayPal checked all the IP addresses that have accessed my account and verified that my account was in no way directly accessed by anyone other than me and my IP address, stressing that the intrusion came by way of iTunes. Hmmm. . . .
I wish I was this fortunate. Woke up to seven emails - one saying Kingdom Live was purchased on an unauthorized device. Six receipts totaling $400 came next. I called PayPal, my bank, and emailed iTunes legitimately the second I woke up Friday morning (groggy voice and all). The charges were reported as unauthorized and the iTunes rep told me that PayPal had already closed the charges. Today at work, I checked my online banking and the $400 worth of charges were being processed. Checked my disputes from PayPal and they are still awaiting the seller's response. They even sent ANOTHER email for each charge. $400 is a lot of money and a lot of money for me to be out while iTunes takes their sweet time replying. It makes me so mad because I've been a loyal customer for many years and I NEVER thought I would have to worry about my security being breached. I mean, I know stuff happens but the fact that this has been happening for years and they refuse to acknowledge it really makes me mad. Have I mentioned I'm mad?
Let's hope I can get my money refunded. ***** that a hard working 22-year-old just trying to make ends meet has to deal with this BS.
Well now that I got all that sorted, I went out and bought iTunes prepaid cards, which I'm going to use from now on. But I was left wondering: has anyone ever heard of someone's account being hacked even with the prepaid cards, and what, if any, protections exist for those cards? At least with my credit card I'm covered to an extent.
I did a lengthy amount of research on this when I posted my comment and people with prepaid cards were also large targets! It's insane. They seemed to have been refunded but they were targets nonetheless.
Sunday night I wanted a CD for $9.99. I went as far as to buy an iTunes gift card for $10 and use it immediately. My advice would be to buy in small denominations and load up $10 at a time.
Following up on my case, I spoke with an Apple representative today who told me that PayPal had requested charge backs for my fraudulent purchases. PayPal, however, never informed me of this. I am being left completely in the dark. This whole ordeal is a nightmare and it's awful that we have to continuously worry about this because Apple refuses to accept and acknowledge that they have consistent security breach issues. Not to mention the chief of security just resigned. Such a red flag for Apple. It's disappointing.
What bank do you use? The day the charges were cleared on my account (Tuesday, November 8), I called Bank of America and filed a claim against those charges. Yesterday, the charges were reversed and I got my money back. I swear BoA was a godsend in this situation. I think I almost cried this morning when I saw my bank account was back to normal.
In any event, I would give your bank a call when the charges clear and see what they can do. PayPal is STILL trying to resolve the issue, although now that it has been 7 days with no response from iTunes/Apple they are now reviewing the claims. I called PayPal on Wednesday night and the representative said that 99% of the time, large companies like this do NOT respond to claims and therefore you have to wait the 7 response days allotted in order for PayPal to take the next step themselves. However, now that I have my money back I'm not sure how to go about not receiving it again from PayPal. I don't want to cancel my claims but I don't want to be refunded twice (as nice as having an extra $400 would be).
My advice would be to call your bank as soon as those charges clear and try to get them to resolve it. PayPal is really as helpful as they can be, but the process is a long one and seems even longer when you've had such a large amount of money taken from you.
As I mentioned earlier, PayPal reversed my charges and refunded me that same day; my money cleared today. I got an e-mail from iTunes support informing me of the refund of the $20 in credit I already had on iTunes when this all happened. They gave me a transaction/confirmation number, but I haven't seen the money returned to my iTunes account yet. They did say it would take up to three business days to credit, so we'll see.
All that aside, I have to say that the Apple iTunes customer rep I dealt with was very professional, deferential, apologetic, and genuinely cared about my issue. He really took ownership of my problem and saw it through to its resolution, even sending me e-mail updates throughout the process without me contacting him first.
All too many times, companies get hit for the bad things that happen, and they should. But I also believe it's only fair to give as much attention to them when they go above and beyond to resolve your issue. As misanthropic as I am, I was very pleasantly surprised.
One final thing: there was one thing that caught my attention in the final message from iTunes support that gave me pause:
"A refund for order number XXXXXXXXXX has been issued to your iTunes account. If you notice that the entire purchase amount of $106.99 (instead of just the $20.12) is returned to your store credit balance, please reply to let us know. You may have to sign out and then sign back into your account in order to see the credit posted. Please note that this is a one-time exception to our sales policy."
While I'm happy with the outcome, I'm concerned about the last line in this quote: I didn't do anything wrong, didn't do anything that was outside of their iTunes security policy, the purchase was proven fraudulent and acknowledged to be so. Then why make it seem as though they're doing me a favor by refunding money that should have been there in the first place? The sad thing is, in the terms and conditions, they have a statement that they're not responsible for loss as a result of fraudulent or unauthorized purchases.
This is why I'm going to always use a prepaid card, and like a previous poster suggested, never keep more than $15, the minimum denomination iTunes card I can purchase. Lesson learned.
Yes, by all means contact PayPal immediately! Also, remove PayPal from your iTunes account and change both your iTunes password and your PayPal password. I did these things immediately, even before I contacted them, and they both said I did the right thing and that it made it much easier for them to process my refund.
In my case, I got my money back from them, both the $20+ credit in my iTunes account and the additional charges to my PayPal account. It took about five days, but I did get my money back.
Don't read too much into that last line regarding their terms and conditions. They put that language in there to prevent abuse from people purchasing expensive applications and quickly asking for a refund, so that they essentially get it for free. Apple's in the business of making money, and processing refunds like that actually costs them a net loss.
But as you explained, this was clearly a fraudulent purchase. I'm sure Apple will *always* take those seriously and you'll never be stuck with a bad purchase from someone else.
Just curious, was your iTunes account password the same as any other account password you have for other services, like email for example, or was your iTunes password unique? It may not have been a security problem on iTunes' end, but rather a breach somewhere else that leaked your account information. For example, if you had a PlayStation account during the hack earlier in the year and you used that same password for iTunes, it's possible someone just went through that list trying them in iTunes one by one until they got a match.
Absolutely not. I never use the same password for any two sites; they're ALL different. I'm always telling people not to do this, including my wife, but people never listen.
FWIW, none of my other accounts have been hacked or violated in any way, probably due to the fact that all my passwords are different.
Thanks, I've reported it to PayPal.
My ID and password are unique only to iTunes, so there's no possibility that it leaked out from another account. Unless somebody hacked my iPhone or somebody is leaking personal info at HQ.
I really thought it was somebody at the factory using my iPhone 4S to buy stuff since it happened the next day I ordered iPhone 4S online at apple.com. There's a thread here somewhere I just posted about it.
It's weird because I've never had any identity theft or credit card fraud online for the 13 years I've been using the internet.
I'm guessing it's somebody leaking personal information in the company? Maybe in China? If so, these things are not uncommon there...
I hope Apple is looking into it.