Question: Family Sharing Account Hack
Bear with me - it's long because it's very odd and complicated. This post is as much for others' information as anything else, as I know people are experiencing the same thing I am about to describe - although I do have some questions (at the end), they aren't urgent, as I have mostly resolved this with Apple now (I hope!).
Yesterday I received an email from Apple advising me of an app purchase on a new device. Wary of phishing scams, I didn't click on anything in the email, but immediately logged into my iTunes store on my computer, where I could clearly see that this app had been purchased, and I certainly hadn't been responsible for the purchase.
After changing pretty much every password to everything I could think of, and activating two-factor authentication (yes, should have done that before), I went through my account in more detail, and worked out several strange things. Firstly, someone was buying a stack of "in-app purchases" in Youku in China, but these weren't coming up on my main ID; they were listed in my iTunes under another user - and both my own user account and this second account were titled in Chinese characters. I could access them from a dropdown in the iTunes store on my computer - one account had all my apps that I've downloaded over the years, the other had a stack of Chinese games and other content that was pending processing. I couldn't get much information from this second list - whenever I tried to report an issue with the purchase, I would end up in my personal account online, where there weren't any pending purchases, with a message that "something went wrong". Secondly, at some point as I was trying to secure my account, I saw in the account info that my Apple ID was now attached to a family sharing account, with an email that I didn't recognise. When I went to leave this family sharing account, I wasn't able to, getting the message that I couldn't change anything as someone else was the organiser for family sharing. I tried different devices, but all either gave the message that I wasn't the organiser, so couldn't change anything, or the family sharing box was greyed out.
Another strange thing was that there isn't actually any money in my account - after changing my password etc., I initially assumed the pending purchases wouldn't go through, because there wasn't any cash available or an active card (it had expired). But after an hour or two I started getting confirmations in my Apple ID email for the pending purchases. When I went back and looked in the store on my iTunes, I could see in the second user ID that had appeared that these apps were being purchased with someone else's credit card, using a fake billing address, and what had to be a fake name (although I won't give it here in case it really is someone's actual name; imagine it being the equivalent of "Old Shakespeare"). It was also very clear that the address was fake, even without looking it up, as it was listed as an Australian address but with the completely wrong format for street numbers, cities, postcode, and so on. It simply couldn't be a genuine Australian address.
At no point did I ever click anything confirming that I wanted to be added to family sharing, and, before anyone asks, the account isn't set to under 13 or anything else that would enable it to be easily taken over, and the only Apple device I've ever had stolen was a 2007 MacBook that was taken in 2011 - I still own every other Apple device I've ever had. What I find especially odd about this is that a) there is clearly a fake card being used, but for random junk purchases, which makes no sense but also shouldn't be possible with online billing security; b) these purchases are registering with my Apple ID somehow, but aren't actually associated with my personal account; and c) someone has managed to change my family sharing without any notifications coming through to me. Further, when I went into my account, there weren't any changes to my info - my billing address and associated email addresses were all still the same, so it's not even as if these messages were being redirected somehow.
So, naturally, I contacted Apple, who were actually pretty helpful. They escalated my call to a security-focused department, and they were able to go in straight away and remove me from the family sharing account. They confirmed that it's a hack/scam, and didn't seem at all surprised by it, or even concerned. But when I asked them how this might have happened, they couldn't explain - the person I spoke to suggested that there may be issues with bots spoofing certain kinds of information and managing to access people's Apple IDs, especially if they don't have two-factor set up, but didn't go into detail. He just couldn't answer my question as to how someone managed to make these account changes without anything ever coming up in my email account, without any notifications of any kind. This leads me to conclude one of three things - none of which are at all reassuring: firstly, that it's possible to somehow add people to family sharing without their express permission (or any notification), and then use their payment info/cash (if it's there), which would be a huge security loophole; secondly, that someone hacked the email account associated with my Apple ID and immediately intercepted emails regarding changes made to family sharing using only that Apple ID (but didn't have my Apple password, i.e. they just added the Apple ID to their own family sharing and prevented me from seeing the notifications); another possibility is that someone got my Apple ID password and changed my family sharing internally, but even that should have sent a notification to my email address. This would mean that it's possible for someone (people or bots?) to somehow avoid these notifications going out from a compromised account in the first place.
All that said, I find it difficult to believe that someone would go to that much trouble just to spend $100 on someone else's credit card to buy games and other crap on Youku. Also, I can't see how they would be able to reliably intercept confirmations and so on using a compromised email - there's nothing in trash, and I get my email notifications on my phone, surely I would have seen something? Surely they would have intercepted the purchase email I saw that made me change all the passwords? There has been no suspicious activity at all regarding my email, or the Apple ID until now, and no logins from new devices or anything else I would have expected to get a notification for if someone overseas was accessing any of my accounts.
So I'm left in bafflement - and not feeling very reassured, given that I have no idea how this was possible at all. Of course, Apple isn't going to tell me in detail over the phone if they know how someone is operating a scam like this, but shouldn't they be warning people now, and trying to close whatever loophole is being used? I guess my big concern is that there's no clear reason to undertake a scam like this, so I'm worried there is more to it, and I'll have to worry about identity fraud and so on down the track. The only relatively harmless thing I can come up with that makes sense is that perhaps people with a stolen phone and/or stolen or fake cards want access to apps and the app store from within China, and using someone's existing Apple ID is a way to do this without being traced or blocked. But even that's a stretch, and I'm just guessing - and it still requires loopholes and sophisticated knowledge - not to mention the details of my Apple ID to start with.
I'm pretty tech savvy (I used to work in app testing for a mobile phone company, including work establishing protocols for security certificates on phones, and I have a good idea of how this kind of login system should work), and am really concerned that Apple has a major breach here, but doesn't seem to be doing anything to prevent it. There just shouldn't be any way for someone to sneak into someone else's account and start doing unauthorised things, even if they did have all my passwords - I should have had notifications coming through of changes. It shouldn't be possible - but weighing up everything, it appears that this is the case.
So, to finish: if you're having this issue, change your password immediately, set up two-factor authentication, and call Apple to get yourself removed from family sharing. I would also suggest that people don't put their credit card info on the iTunes/App Store, as I'm a very security-conscious person and still managed to be hacked, and could easily have had my card charged a lot of cash before I could get anyone at Apple to stop it. They will offer refunds (they initially thought that's what I wanted), but do you really want your info compromised? I'm also weighing up whether to change my Apple ID (mainly because if I change it, I may never see when that particular login is being used again by someone unauthorised), but if it keeps happening, I think that would be a good option.
Lastly, for those who know more about online security than I do: What the **** happened here? Apple ID hack? Email hack? Both? Spoofing to trick Apple servers, redirecting email somehow? An Apple loophole? Something else I haven't thought of yet? Do I need to worry about malware (I use Norton, but maybe need better security)? Is there something else I should do (like change my Apple ID, or report the fake card to police or something)?
I've seen people with similar issues, and it's quite a confusing situation. I can confirm that yes you can be locked out of changing family sharing without having clicked on anything or authorised anything yourself, and yes Apple seems to be aware of this, so please don't dismiss people with this issue.
I hope this is helpful for someone, and also that Apple has plans to eradicate this - it really, really shouldn't have happened, and I'm definitely not the only one.