Slashdot Mirror


Has iTunes Been Hacked?

An anonymous reader writes "Betanews has a series of articles talking about an apparent hack in iTunes that has resulted in fraudulent charges for some users involving Sega's Kingdom Conquest game. The reports start with a personal account from reporter Ed Oswald, who was a victim of the hack itself. The next story adds reports from readers, and the most recent story adds additional reports, with Oswald saying the number of reports received is in the 'dozens.' Apple has yet to confirm the existence of a hack, although reports have appeared on Sega's own support forums, Apple discussion boards, and through other news outlets."

191 comments

  1. Reminds Me of Something the Sony CEO Said ... by eldavojohn · · Score: 3, Interesting
    I recall Stringer saying a lot of stupid crap but when criticized for the delay in his notification of a breach he said something quite memorable to me:

    "This was an unprecedented situation," he said. "Most of these breaches go unreported by companies."

    At first I thought this was just to spread generalized fear, take a cheap swipe at their competition or even shift attention to something else, but it appears we'll get to see how pervasive this becomes. Perhaps he wasn't completely full of lies ...

    --
    My work here is dung.
    1. Re:Reminds Me of Something the Sony CEO Said ... by jhoegl · · Score: 1

      I don't think this is a "breach", it looks more like a social engineering turned trojan/keylogger.
      Dear Apple users,

      enjoy.

    2. Re:Reminds Me of Something the Sony CEO Said ... by obarthelemy · · Score: 5, Funny

      can't be: there are no viruses on Apple. Go ask your local Genius !

      --
      The Cloud - because you don't care if your apps and data are up in the air.
    3. Re:Reminds Me of Something the Sony CEO Said ... by Sprouticus · · Score: 4, Interesting

      Half a dozen years ago, I worked at a company that got hacked due to a web vulnerability. The hackers simply used our storage to store geman porn. But it was still a hack. And it went unreported. It was determined that there was no value in reporting the hack since it would affect stock value.

      I am betting that the VAST majority of hacks never get reported for this exact reason.

    4. Re:Reminds Me of Something the Sony CEO Said ... by wvmarle · · Score: 0

      No-one was talking about viruses here. Of course everyone knows there are no viruses on Apple's platform, it's preposterous to even suggest the idea of viruses on Apple's platform. However Apple's users are certainly prone to social engineering. Or are their products really as great as they say they are?

    5. Re:Reminds Me of Something the Sony CEO Said ... by wvmarle · · Score: 4, Interesting

      So you closed the vulnerability and kept the stash?

    6. Re:Reminds Me of Something the Sony CEO Said ... by vajorie · · Score: 1

      Or are their products really as great as they say they are?

      I take you mean users when you say products? ;)

    7. Re:Reminds Me of Something the Sony CEO Said ... by rAiNsT0rm · · Score: 4, Insightful

      I've worked in IT security for a long time and for banks... The sheer number of unreported hacks at banks and at retail stores would blow your mind. People mistakenly get angry at the hackers (which is how the media has trained most everyone to think) when in reality it is almost always gross negligence on the hack-ee side and they deserve the ire.

      --
      http://teasphere.wordpress.com - A little spot of tea
    8. Re:Reminds Me of Something the Sony CEO Said ... by DurendalMac · · Score: 2

      "Dozens" of reports doesn't mean that much. It could have easily been a phishing attack or someone getting ahold of a different online account from said user and they happened to use the same password.

      Someone getting access to your account is NOT necessarily a "breach".

    9. Re:Reminds Me of Something the Sony CEO Said ... by StikyPad · · Score: 3, Insightful

      Or, quite possibly, we're starting to see the impact of the Sony hacks themselves. I'd bet money that the affected people were using the same login information on each service, especially since both services use the same "username": the player's e-mail address. If you're not using unique passwords for each of your services (and especially for the e-mail account that unifies them all), you're doing it wrong.

    10. Re:Reminds Me of Something the Sony CEO Said ... by Ixokai · · Score: 3, Interesting

      Seriously, "mistakenly", "trained"?

      Sorry, no.

      Sure, the companies deserve ire and disdain if they don't take care of our information securely. They even deserve some real civil liability -- a lot more than they're getting now.

      But asshat little fuckheads who go around breaking into said company deserve ire, irregardless of any other ire given.

      Cracking into networks and systems and grabbing data, damaging systems, anything of the sort-- even if they aren't properly secured-- is not noble.

      It is worthy of ire, scorn, and jail time.

      Now, it's not worth as much jail time as is being handed out often these days, nor silly, inflammatory words like "terrorism" being thrown around to make it all worse -- and adolescents who are frankly incapable of understanding that being an idiot even though it's a rush or fun is dangerous and has real consequences, should be treated like the kids they are, not adults.

      But, no. It's not a mistake to give them all kinds of ire.

      I pretty much hate Sony, for instance. But what the cracker-jackass groups are doing is pretty sociopathic.

      There's no Greater Good involved, that's self-delusion at best. There could have been a way to go about it that may have been ethical, in a vigilante, internet-patriot sort of way. But these data dumps of real, personal information (including usernames and password hashes) is not at all it.

    11. Re:Reminds Me of Something the Sony CEO Said ... by pipedwho · · Score: 5, Funny

      So you closed the vulnerability and kept the stash?

      Close the vulnerability? Don't be daft man! That sounds like the kind of automatic update that is best left enabled.

    12. Re:Reminds Me of Something the Sony CEO Said ... by MobileTatsu-NJG · · Score: 2

      No, he accepted more porn as payment for their services.

      --

      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    13. Re:Reminds Me of Something the Sony CEO Said ... by Anonymous Coward · · Score: 0

      AMEN! I may be able to kick over a kid's sandcastle or take his lolly, but it doesn't mean it's completely his fault because he didn't secure it better. I shouldn't have done it in the first place.

    14. Re:Reminds Me of Something the Sony CEO Said ... by baldass_newbie · · Score: 4, Insightful

      irregardless of any other ire given

      Irregardless is not a word. You may have a point, but your use of a non-word makes me wonder.

      --
      The opposite of progress is congress
    15. Re:Reminds Me of Something the Sony CEO Said ... by Penguinisto · · Score: 1

      Posting to destroy a mod gone wrong... my bad.

      (stupid 2.0...)

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    16. Re:Reminds Me of Something the Sony CEO Said ... by Anonymous Coward · · Score: 1

      I knew a guy who ran network ops at a local university. They had an anonymous FTP server that was constantly being tagged and used as a drop point. He had no problem as long as nothing was being encrypted. If the content was encrypted, he felt he was being ripped off and deleted it.

    17. Re:Reminds Me of Something the Sony CEO Said ... by jamesh · · Score: 1

      irregardless of any other ire given

      Irregardless is not a word. You may have a point, but your use of a non-word makes me wonder.

      If enough people use it and accept it as valid then it's a perfectly cromulent word, just like all the other words that weren't words 100 years ago. If you want a definition then this might assist you broadening your vocabulary (even though the entry itself state's that it isn't generally accepted as a word :)

    18. Re:Reminds Me of Something the Sony CEO Said ... by dakameleon · · Score: 1

      (even though the entry itself state's that...

      Oh dear, is there a rule of some sort that if you're correcting someone else's grammar/spelling/(mis-)use of words, you'll get something wrong on your own post?

      (*checks and double-checks before submitting*)

      --
      Man who leaps off cliff jumps to conclusion.
    19. Re:Reminds Me of Something the Sony CEO Said ... by gmhowell · · Score: 4, Funny

      However Apple's users are certainly prone to social engineering.

      Of course I'm prone to social engineering. Why else would I have an iMac. And a MacBook. Two iPods. One iPhone (and two iPods and an iPhone for my kid.)
       

      --
      Jesus was all right but his disciples were thick and ordinary. -John Lennon
    20. Re:Reminds Me of Something the Sony CEO Said ... by gmhowell · · Score: 0

      Q: Were Niggers hacked?

      A: No. You see, there are no Niggers on the Internet.

      No women either.

      --
      Jesus was all right but his disciples were thick and ordinary. -John Lennon
    21. Re:Reminds Me of Something the Sony CEO Said ... by Serious+Callers+Only · · Score: 1

      It's OK, I've seen state's on the internet before - here is the justification.

    22. Re:Reminds Me of Something the Sony CEO Said ... by gmhowell · · Score: 1

      (even though the entry itself state's that...

      Oh dear, is there a rule of some sort that if you're correcting someone else's grammar/spelling/(mis-)use of words, you'll get something wrong on your own post?

      (*checks and double-checks before submitting*)

      I think Alanis Morissette starts playing from your computer when this happens.

      Followed by pedants arguing about that word.

      --
      Jesus was all right but his disciples were thick and ordinary. -John Lennon
    23. Re:Reminds Me of Something the Sony CEO Said ... by dwightk · · Score: 1

      Oxford American Dictionary says differently.

      --
      Like anyone can even know that
    24. Re:Reminds Me of Something the Sony CEO Said ... by grouchomarxist · · Score: 2

      Apparently this word goes back to at least 1874 http://dictionary.reference.com/browse/Irregardless

    25. Re:Reminds Me of Something the Sony CEO Said ... by Anonymous Coward · · Score: 0

      can't be: there are no viruses on Apple. Go ask your local Genius !

      You do know that computer systems can get cracked without viruses being involved right?

      The sad thing is that Microsoft have set such low security standards that better than Microsoft is seen as good, even where it's not nearly good enough.

    26. Re:Reminds Me of Something the Sony CEO Said ... by Anonymous Coward · · Score: 1

      Half a dozen years ago, I worked at a company that got hacked due to a web vulnerability. The hackers simply used our storage to store geman porn. But it was still a hack. And it went unreported. It was determined that there was no value in reporting the hack since it would affect stock value.

      I am betting that the VAST majority of hacks never get reported for this exact reason.

      I know for a fact that major multinationals cover up not just hacks but all kinds of major serious outages because it would affect their public image. Most of these companies abuse their systems in ways that would make any half competent admin feel sick and they don't care as long as they have 'compliance' with whatever BS happens to be in fashion.

      I can't be the only one here who has seen an active directory cascade failure cost millions a day.

    27. Re:Reminds Me of Something the Sony CEO Said ... by Anonymous Coward · · Score: 0

      irregardless of any other ire given

      Irregardless is not a word. You may have a point, but your use of a non-word makes me wonder.

      The guy makes a serious point and you try and derail things with nonsense talk about bad spelling. Agree with him or not his meaning was clear.

      You sir, are a bell-end.

    28. Re:Reminds Me of Something the Sony CEO Said ... by tonique · · Score: 1

      There might be some dogs, though!

    29. Re:Reminds Me of Something the Sony CEO Said ... by Cant+use+a+slash+wtf · · Score: 1

      Fine then, be a gashblanab. What do you mean I can't use non-words? If enough people start using it, it will be a word. Then you'll be sorry. In fact, you'll probably feel like quite the gashblanab.

    30. Re:Reminds Me of Something the Sony CEO Said ... by pandrijeczko · · Score: 4, Interesting

      Also about half a dozen years ago, a CEO in a software company was suffering one way transmission on VoIP calls and as the manufacturer of the VoIP hardware and software, we'd had technicians trying to fix the problem for months - countless hardware was changed, IP stations, etc. etc. because the customer was screaming at my company daily and it had been escalated to the highest levels.

      As a security & network guy, I got dragged in at the later stages, myself and another consultant went through some packet sniff captures when the problem was happening and we eventually worked out that someone from within the software company was trying to do a man-in-the-middle attack to snoop on the CEO's calls, he/she clearly hadn't got it working right and was interrupting one of the transmission paths, hence the problem.

      We emailed the analysis to the customer and showed it was someone in their company causing the problem. From that point on, it went completely quiet - no daily screaming from the customer, not even an acknowledgement of our emailed analysis.

      I don't know if higher up in my company we billed the customer for all the work we did or if anything was said afterwards but this was definitely hushed very quickly within that software company.

      --
      Gentoo Linux - another day, another USE flag.
    31. Re:Reminds Me of Something the Sony CEO Said ... by pandrijeczko · · Score: 2

      I work in security on Linux-based VoIP telephony systems for the manufacturer of those systems.

      About two years ago, I was contacted by one of our global customers, a big name in the airline industry, because of their Eastern European call centres had suffered toll fraud and they needed an analysis of the cause and additional hardening put on the servers if it was necessary - that in itself was nothing unusual, I do this kind of stuff all of the time.

      But the interesting part of it was that the request for my services came directly from management people in that call centre and as I started planning what I was going to do and how I was going to do it, it became clear it was a cover-up in that I was being asked to work very discreetly so as not to alert that airline company's head office - in other words, the call centre management were covering up the toll fraud, presumably because they themselves had left security holes on the system when administering them, even from their own head office.

      From my perspective, because the airline company is a global customer of ours, this was a definite conflict of interest - so I stopped planning it there and then and handed it off to our global account manager for the airline company to go and sort out.

      --
      Gentoo Linux - another day, another USE flag.
    32. Re:Reminds Me of Something the Sony CEO Said ... by Anonymous Coward · · Score: 1

      irregardless of any other ire given

      Irregardless is not a word. You may have a point, but your use of a non-word makes me wonder.

      If enough people use it and accept it as valid then it's a perfectly cromulent word, just like all the other words that weren't words 100 years ago. If you want a definition then this might assist you broadening your vocabulary (even though the entry itself state's that it isn't generally accepted as a word :)

      That's because when people say "irregardless" they use it to mean the exact same thing as "regardless", but they are trying to sound intelligent by saying "irrespective". But because they are not intelligent, they just mangle the two together, and the result is the President of the USA saying things like "Edumacation" and making us all, by extension, look like a pack of fucking retards.

    33. Re:Reminds Me of Something the Sony CEO Said ... by jamesh · · Score: 1

      irregardless About 1,390,000 results
      gashblanab Your search - gashblanab - did not match any documents.

      You have a bit of catching up to do before your exciting new word falls into anything close to common usage. Until then, everyone who uses it is a gashblanab.

    34. Re:Reminds Me of Something the Sony CEO Said ... by Cant+use+a+slash+wtf · · Score: 1
    35. Re:Reminds Me of Something the Sony CEO Said ... by Aceticon · · Score: 1

      Many banks (at least in the UK) still use a variant of username+password authentication to access online banking (susceptible to things like keyloggers in the user's machine and phishing, not to mention cryptographical attacks against SSL in old browsers) instead of the much safer challenge-response method using an external pin-device (like this) + banking-card where no kind of password ever gets typed into an unsafe device (a general use, personal PC, used by somebody with little or no IT security training qualifies as an unsafe device).

      This for me is the biggest sign that they're perfectly willing to seriously sacrifice security for the sake of saving a couple of pounds per customer on the pin-device.

    36. Re:Reminds Me of Something the Sony CEO Said ... by whiteboy86 · · Score: 1

      Companies report breaches only if under pressure from involved 3rd parties like say VISA or MC, otherwise it would spell devastating results for them, the CEO would try to cover up the situation at any cost, no doubt. Just imagine the horror and humiliation to explain this to shareholders, media and investors.

    37. Re:Reminds Me of Something the Sony CEO Said ... by ais523 · · Score: 1

      Oh dear, is there a rule of some sort that if you're correcting someone else's grammar/spelling/(mis-)use of words, you'll get something wrong on your own post?

      There is, it's called Muphry's Law. (For bonus points, if you bring it up in an argument on the Internet, there's about a 50-50 chance that you'll be incorrectly accused of misspelling its name.)

      --
      (1)DOCOMEFROM!2~.2'~#1WHILE:1<-"'?.1$.2'~'"':1/.1$.2'~#0"$#65535'"$"'"'&.1$.2'~'#0$#65535'"$#0'~#32767$#1"
    38. Re:Reminds Me of Something the Sony CEO Said ... by Eunuchswear · · Score: 1

      and the result is the President of the USA saying things like "Edumacation" and making us all, by extension, look like a pack of fucking retards.

      Got any evidence that you're not a pack of fucking retards?

      --
      Watch this Heartland Institute video
    39. Re:Reminds Me of Something the Sony CEO Said ... by Eunuchswear · · Score: 1

      Many banks (at least in the UK) still use a variant of username+password authentication [...] instead of the much safer challenge-response method using an external pin-device (like this) [...]

      This for me is the biggest sign that they're perfectly willing to seriously sacrifice security for the sake of saving a couple of pounds per customer on the pin-device.

      Got to hope the pin-device isn't made by RSA

      --
      Watch this Heartland Institute video
    40. Re:Reminds Me of Something the Sony CEO Said ... by yomammamia · · Score: 1

      Lowest hanging fruit; when is it not incompetence?

    41. Re:Reminds Me of Something the Sony CEO Said ... by jamesh · · Score: 1

      Must be right

      Yep. They're definitely all words in common usage.

    42. Re:Reminds Me of Something the Sony CEO Said ... by WrongSizeGlass · · Score: 1

      can't be: there are no viruses on Apple. Go ask your local Genius !

      So I guess only iTunes users running Windows have to worry about that scenario?

    43. Re:Reminds Me of Something the Sony CEO Said ... by Anonymous Coward · · Score: 0

      Wow. so you're saying that you agree but you'll find any reason to disagree? This sounds like something that comes straight out of the pissing matches that go on in partisan politics. Maybe you should try to be a lawyer.

    44. Re:Reminds Me of Something the Sony CEO Said ... by drinkypoo · · Score: 1

      Got any evidence that you're not a pack of fucking retards?

      Our retards don't fuck enough, we have to import more.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    45. Re:Reminds Me of Something the Sony CEO Said ... by Anonymous Coward · · Score: 0

      Yeah... I kind of hate the whole stock market thing. How many problems (in all fields/industries) can we eventually trace back to "we did it to please shareholders" or something to that effect? And that's ignoring the whole "hey, we could totally mess up the economy and make a fortune out of it" thing.

    46. Re:Reminds Me of Something the Sony CEO Said ... by Chardansearavitriol · · Score: 0

      So which company was this that had such ludicrously lax security and management? Do they have a website?

    47. Re:Reminds Me of Something the Sony CEO Said ... by Smurf · · Score: 1

      Half a dozen years ago, I worked at a company that got hacked due to a web vulnerability. The hackers simply used our storage to store geman porn.

      Please excuse my ignorance, but... what's geman porn?

    48. Re:Reminds Me of Something the Sony CEO Said ... by Chardansearavitriol · · Score: 0

      World of Warcraft had a lot of problems, so they tried to convince us all to buy authenticators. While not a 100% solution or anything, it did help stem the tide -- even if only by pushing those folks away onto the less secure accounts. Plus they gave us all puppies!

    49. Re:Reminds Me of Something the Sony CEO Said ... by idontgno · · Score: 1

      Slashdot is the last place I'd expect someone to argue that a popularity contest is the correct way to decide anything. Huh. I guess you learn something every half hemidemisemifortnight* or so.

      *Yes. 1/16th of 14 diurnal cycles. So I learn something new every 7/8ths of a day. I'm a quick learner.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    50. Re:Reminds Me of Something the Sony CEO Said ... by jamesh · · Score: 1

      Sometimes the best way to figure out if something is in common usage or not is to determine if it's in common usage or not...

    51. Re:Reminds Me of Something the Sony CEO Said ... by gstoddart · · Score: 1

      and we eventually worked out that someone from within the software company was trying to do a man-in-the-middle attack to snoop on the CEO's calls, he/she clearly hadn't got it working right and was interrupting one of the transmission paths, hence the problem.

      We emailed the analysis to the customer and showed it was someone in their company causing the problem. From that point on, it went completely quiet - no daily screaming from the customer, not even an acknowledgement of our emailed analysis.

      Why does this make me think of the HP fiasco where they were illegally spying on their own people.

      Somehow, I suspect that you stumbled on a similar bit of shadiness from within the company ... and there was no way they were going to acknowledge that.

      --
      Lost at C:>. Found at C.
    52. Re:Reminds Me of Something the Sony CEO Said ... by dgatwood · · Score: 1

      Agree with him or not his meaning was clear.

      No, the meaning is not clear. The prefix "ir" in English words means "not". So to people who actually understand the rules of the English language, "irregardless" means "not regardless".

      If I say "Irregardless of the snow, I'm going outside," it means that I'm only going outside, but only if it doesn't snow. This is the exact opposite of what people who say this made up word actually mean by it.

      Frankly, I find the use of "irregardless" to be confusing as h***. If you mean "regardless", you should say "regardless".

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    53. Re:Reminds Me of Something the Sony CEO Said ... by Gilmoure · · Score: 1

      I think Alanis Morissette starts playing from your computer when this happens.

      Damn it!

      --
      I drank what? -- Socrates
    54. Re:Reminds Me of Something the Sony CEO Said ... by wwfarch · · Score: 1

      While I agree with your point it's not unheard of in English. For example, why does inflammable mean flammable? "in" as a prefix usually means "not" but for some reason the rule was broken in this case.

    55. Re:Reminds Me of Something the Sony CEO Said ... by Anomalyst · · Score: 1

      Please excuse my ignorance, but... what's geman porn?

      I am guessing it involves recordings of carnal acts performed by government bureaucrats wearing g-strings.

      --
      There is no right to feel safe thru security vaudeville at the expense of everyone's freedom, privacy and tax money.
    56. Re:Reminds Me of Something the Sony CEO Said ... by Anonymous Coward · · Score: 0

      irregardless of any other ire given

      Irregardless is not a word. You may have a point, but your use of a non-word makes me wonder.

      If enough people use it and accept it as valid then it's a perfectly cromulent word, just like all the other words that weren't words 100 years ago.

      Then "prolly" and "hella" meet that criteria...

    57. Re:Reminds Me of Something the Sony CEO Said ... by Anonymous Coward · · Score: 0

      HP isn't exactly a 'software company' but I do recall something coming out of this.

    58. Re:Reminds Me of Something the Sony CEO Said ... by Dr.+Gamera · · Score: 1

      I try to be prescriptive in my use of language but descriptive in my acceptance of language, along the lines of the data processing principle of producing well-formatted output but accepting a wide variety of input formats. (Occasionally, though, I fall behind the progress of the language as it is used, such as the development that "electrocute" can apparently now mean just "injure with electricity", according to most dictionaries, with the apparent exception of the one I checked before criticizing that use of "electrocute".) My advice for trying to be prescriptive is to say irrespective instead of "irregardless".

    59. Re:Reminds Me of Something the Sony CEO Said ... by Smurf · · Score: 1

      Please excuse my ignorance, but... what's geman porn?

      I am guessing it involves recordings of carnal acts performed by government bureaucrats wearing g-strings.

      Eeewwwwwwww..... No wonder they didn't want to be caught with such filthy stuff on their own hard drives!

    60. Re:Reminds Me of Something the Sony CEO Said ... by intheshelter · · Score: 1

      Who was talking about viruses? Based on your reply I would say you are NOT one of the local Geniuses?

    61. Re:Reminds Me of Something the Sony CEO Said ... by gmhowell · · Score: 1

      Being a tool and being prone to social engineering are not mutually exclusive. In fact, I would say they tend to go hand in hand.

      --
      Jesus was all right but his disciples were thick and ordinary. -John Lennon
    62. Re:Reminds Me of Something the Sony CEO Said ... by milkmage · · Score: 1

      if someone hacked Apple/iTunes.. I doubt they'd keep it quiet.

      with 200 MILLION credit cards, a hell of a lot more people would have seen this if it were a hack.

      10 bucks says this guy has a common username and password.

    63. Re:Reminds Me of Something the Sony CEO Said ... by cthulhu11 · · Score: 1

      At one point, two acquisitions ago, my employer hired a certain contractor against my recommendations. She did a piss-poor job despite having fifteen years of paper experience - basically couldn't find her ass with both hands. On her last day, I found her trying to snatch a copy of the CEO's home directory and mailbox. That she was the perp was conclusive: she had op'd to root shortly before the tape was written, I knew that she had a compatible DDS drive at home, and the lame invocation of tar was exactly the same as I'd seen her do time and again in the past. I notified management, who did exactly NOTHING. I was pissed.

  2. Re: iTunes hacked? by Anonymous Coward · · Score: 1

    There are anecdotal reports of some European credit card
    companies refusing to accept iTunes charges. Related?

  3. Too coincidental? by Anonymous Coward · · Score: 1

    Coincidence, I wonder, that a new 63-page EULA (63 pages Apple, are you serious?) appeared today when I was prompted to update my NASA App. And that the changed terms specifically involved iTunes password expiry and in-app purchases?

    1. Re:Too coincidental? by Culture20 · · Score: 1

      Coincidence, I wonder, that a new 63-page EULA (63 pages Apple, are you serious?) appeared today when I was prompted to update my NASA App. And that the changed terms specifically involved iTunes password expiry and in-app purchases?

      Yes, Coincidence. The new EULA items were about children buying wheelbarrows of Smurfberries.

    2. Re:Too coincidental? by sconeu · · Score: 2

      I tried to get them to email the new TOS, but my wife's iPhone kept trying to spell-check/correct my email address. Why the F*** does it do that to *EMAIL ADDRESSES*??????

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    3. Re:Too coincidental? by multisync · · Score: 1

      my wife's iPhone kept trying to spell-check/correct my email address. Why the F*** does it do that to *EMAIL ADDRESSES*??????

      That's so annoying. Blackberrys do the same thing.

      When I activate Blackberrys on our BES, I have to compose an email message first so I can disable 'suretype' and enable 'multitap' or I can't make it halfway through the user's email address thanks to it autocorrecting. Almost as bad as it capitalizing the first letter of every sentence whether you want it to or not.

      --
      I don't care why you're posting AC
  4. Most likely not a "hack" by adversus · · Score: 3, Insightful

    More like identity theft.

    1. Re:Most likely not a "hack" by EastCoastSurfer · · Score: 4, Interesting

      Yep. My bank recently called and canceled my CC. The trigger? The number was attempted to be used for a small ITMS purchase. The fraud department at the bank said that buying a 99c song at ITMS is a quick way to verify if they have the right info or not. In my case they used the incorrect pin digits from the back of the card and the bank denied the charge, but it must work some of the time.

    2. Re:Most likely not a "hack" by Technician · · Score: 1

      A 3 digit security code is 1 in 1,000. With a couple of possible tries to get it right for each card before locking it out, your chances are now 1 in 250. With enough compromised account numbers you can find enough valid card combinations to make large purchases at a retailer other than iTunes. Most fraud is for software IP as many merchants won't ship somewhere other than the billing address for the card.

      --
      The truth shall set you free!
    3. Re:Most likely not a "hack" by hedwards · · Score: 1

      Cancelling it is a bit extreme. My CC company has frozen my CC a few times for small purchases like that. But, cancelling it outright would be extreme.

    4. Re:Most likely not a "hack" by mikael_j · · Score: 4, Informative

      In my case they used the incorrect pin digits from the back of the card and the bank denied the charge, but it must work some of the time.

      Sorry for being pedantic but the card security code (also known as CSC, CVV, CVV2, etc.) is not a PIN code.

      The PIN for Mastercard or VISA cards is a code you as the user must remember, here in Europe it is used pretty much every time you use your card instead of a signature.

      --
      Greylisting is to SMTP as NAT is to IPv4
    5. Re:Most likely not a "hack" by torako · · Score: 1

      Here in Europe? At least in Germany you only need the PIN if you want to use your credit card in an ATM. Using debit cards in stores usually (not always) requires using the PIN, but those cards are not VISA or Mastercards but Maestro/girocards.

    6. Re:Most likely not a "hack" by mikael_j · · Score: 1

      Well, to be honest I've only ever spent a few hours in Germany. But in those countries I've lived in it is common to use the PIN for both credit and debit cards when buying things in stores or withdrawing from an ATM.

      In my experience (anecdotal of course) the use of signatures is a typically American thing, here in Sweden they're only ever used when the store loses its connection to the payment processor or the bank is having some kind of problem and is unable to verify transactions.

      I've been shocked a few times when merchants have required a signature, although this has mostly been smaller stores run by people who should've retired ten years ago. I just haven't seen it that much in the last ten years or so, even restaurants tend to simply bring out a portable terminal or have you pay your bill at a terminal on your way out these days...

      --
      Greylisting is to SMTP as NAT is to IPv4
    7. Re:Most likely not a "hack" by torako · · Score: 1

      That's interesting. It says on Wikipedia that using the PIN to authorize credit card payments seems to be a Scandinavian specialty. That would be awful for me, I've never used my credit cards' PINs and don't even know them :)

  5. Re:lol by Divebus · · Score: 2

    Nobody ever hacked my cassette deck.

    --

    Most of the stuff on /. won't survive first contact with facts.
  6. Billing glitch? by Bieeanda · · Score: 3

    People being overcharged because the accounting software fucked up happens all the time. What would a hacker get out of making someone pay a few extra bucks to Sega, via Apple, compared to both dodging an accusation of faulty billing software that could sour people on microtransactions?

    1. Re:Billing glitch? by pandrijeczko · · Score: 1

      You need to think like a hacker in order to understand this better.

      No, you are right, this could be about faulty accounting software and we may never know the actual root cause.

      But if it was a hack, then maybe the hacker socially engineered Apple's account code for Sega and that allowed him to perform the hack - it's quite possible that was the only thing the hacker was able to do.

      However, from the hacker's perspective, to be able to boast about hacking into Apple is big karma amongst the hacker community - it doesn't necessarily need to be a huge world-changing hack like Sony suffered to garner that notoriety.

      You also need to be aware that hacking big evil corporations seems to be a cool thing at the moment - so Apple, Microsoft & others being hacked might well be expected.

      --
      Gentoo Linux - another day, another USE flag.
    2. Re:Billing glitch? by CheerfulMacFanboy · · Score: 1

      However, from the hacker's perspective, to be able to boast about hacking into Apple is big karma amongst the hacker community - it doesn't necessarily need to be a huge world-changing hack like Sony suffered to garner that notoriety.

      So has somebody claimed to have hacked Apple yet?

      --
      Fandroids hate facts.
  7. Very unlikely that iTunes was hacked... by mkraft · · Score: 1

    It's highly unlikely this was a hack. If it was, reports would be in the hundreds or thousands, not "dozens". Also there would be a variety of purchases, not just for one game.

    The most likely answer is a keylogger trojan, social engineering or a reused password from a true hacked site (like Sony or PBS). I find it odd that everyone who suggests that in TFA is thumbed down into oblivion as that's the most likely answer.

    Also iTunes doesn't bill in real time, so those purchases that "just happened" were likely from days ago.

    1. Re:Very unlikely that iTunes was hacked... by scdeimos · · Score: 2

      Also there would be a variety of purchases, not just for one game.

      It's not just for one game...

      Since Betanews' original report last Wednesday, dozens of readers have e-mailed their own reports of account issues, most dealing with Sega's Kingdom Conquest.

      Additionally...

      Nearly every victim had a gift card balance on their account, and some have reported that their credit card and/or payment information had been removed from their account. This indicates that Apple likely is aware of the attacks, and is actively trying to protect its users.

      In all cases, whether they're admitting the hack is occurring or not, users are having little trouble getting their money refunded to them.

    2. Re:Very unlikely that iTunes was hacked... by wvmarle · · Score: 4, Interesting

      This is what bugged me about general security advice: people are recommended not to re-use passwords over a variety of web sites (sensible). However the solutions proposed are to store these passwords in a local "password vault" protected with just a single password, or for all sites to use a centralised log-in system such as Google or OpenID or whatever.

      Now if really those web masters all follow suit and all switch to doing their logins using Google: is that any safer than re-using a password? If Google gets hacked, logins to all web sites are suddenly on the streets. Google's security may be better than Sony's, that's not said that it can not be breached.

      Or if a keylogger finds its way on your computer, then the complete password vault can be opened in one go.

    3. Re:Very unlikely that iTunes was hacked... by mudimba · · Score: 1

      If a keylogger finds its way onto your computer, then all your passwords are essentially toast anyway.

    4. Re:Very unlikely that iTunes was hacked... by Anonymous Coward · · Score: 0

      RSA two factor authentication. It would be a very good solution but RSA is still milking the enterprise and government cows with that so it will be years before something like that becomes a commodity service. What ever came of the RSA security breach a few months back?

    5. Re:Very unlikely that iTunes was hacked... by ColdWetDog · · Score: 1

      RSA two factor authentication. It would be a very good solution but RSA is still milking the enterprise and government cows with that so it will be years before something like that becomes a commodity service. What ever came of the RSA security breach a few months back?

      Badness.

      --
      Faster! Faster! Faster would be better!
    6. Re:Very unlikely that iTunes was hacked... by Culture20 · · Score: 1

      What ever came of the RSA security breach a few months back?

      It turned into a Lockheed-Martin security issue recently.

    7. Re:Very unlikely that iTunes was hacked... by _Sprocket_ · · Score: 1

      Keep in mind that the story is almost entirely speculation. Something happened at Lockheed. That's all we know.

      The real badness is that RSA has not been very forthcoming about the incident. This opens up the kind of speculation we're now seeing with LM, L-3, and even Northrop / Grumman (though they say they jumped off SecurID shortly after the RSA compromise).

      Just to muddy the waters a bit more... LM is re-issuing SecurID devices.

    8. Re:Very unlikely that iTunes was hacked... by pandello · · Score: 1

      When you sign up at a bad site with email: abc@gmail.com password: abc. If this is the same as your gmail password they have instant access. You essentially told them your password.

      Using Single sign on like Google or OpenId prevents this.

      You have to consider what is the biggest threat. Is it more likely for google to be hacked or your machine getting a key logger? I don't know.

    9. Re:Very unlikely that iTunes was hacked... by mwvdlee · · Score: 1

      That's pretty much the whole idea behind OpenID; have a single, trusted party handle sign-on. FWIW, if you don't trust anybody, you can easily host your own OpenID service, running on a server or even your own computer (but that requires your computer be addressable from the internet).

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    10. Re:Very unlikely that iTunes was hacked... by Anonymous Coward · · Score: 0

      Remember, we're talking iTunes, so we're talking Apple dicks. Of course it's not their fault, it's some PC-using lowlife haxx0r's fault -- indignant down-thumbing is the least response you can expect.

    11. Re:Very unlikely that iTunes was hacked... by am+2k · · Score: 1

      FWIW, if you don't trust anybody, you can easily host your own OpenID service, running on a server or even your own computer (but that requires your computer be addressable from the internet).

      It also requires that you're better at keeping a server secure than the admins at Google or whatever OpenID provider you could be using.

    12. Re:Very unlikely that iTunes was hacked... by Fahrvergnuugen · · Score: 1

      It's not practical to expect people to remember a different password for every website. I would rather trust my Mac's keychain and have completely different 18 character passwords for every website, than trust the websites to keep my short 8 character password that I use on every website safe.

      --
      Kiteboarding Gear Mention slashdot and get 10% off!
    13. Re:Very unlikely that iTunes was hacked... by Anonymous Coward · · Score: 0

      Also the password vault would be a really appealing target for a trojan.

      By the by, who wants to download filevault ultimate super open source edition? It's free and totally open source, here's a link to the binaries and if you fish around you can probably find the link to the wall of code that I totally swear is the real source code.

    14. Re:Very unlikely that iTunes was hacked... by Anonymous Coward · · Score: 0

        is that any safer than re-using a password?

      Yes. If you have different passwords stored centrally you have one main point of weakness (Google) and many smaller points (each site). If a site gets hacked - no big deal. Throw away that password and start again.

      If you use the same password for each site, when one site gets hacked and they get your credentials it's game over for everything. Change them all.

      I guess it depends how much you trust Google to store your passwords securely and how strong your master password is vs. how much you trust 100 minor websites to look after your password.

      FTR I do neither. I have my own algorithm that generates passwords from websites. I'm sure if you know what you're doing you could reverse engineer it without a huge amount of effort - but seeing as I'm Joe Nobody I think it's reasonably safe..

    15. Re:Very unlikely that iTunes was hacked... by CastrTroy · · Score: 1

      No, it only requires that you are good enough at securing your server that you aren't worth it for them to hack. Google has to be very good, because there is a lot to gain by hacking their servers. If their servers are hacked millions of account credentials would be lost. If you were hosting your own OpenID server, the only thing lost in a compromise would be your single account. Unless you have some really important information behind that OpenID, most hackers won't spend countless hours trying to break into your server for a single account. Unless your server is vulnerable to some scriptable automatic attack where the attacker doesn't actually have to do anything, then you are probably somewhat safe.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    16. Re:Very unlikely that iTunes was hacked... by Anonymous Coward · · Score: 0

      To open the password vault they'd need to upload the vault to a remote server, or risk activity on the victim's machine that might give the breach away. If they upload, they'll need to know the vault's path and filename (may not be accessible via a keylogger or screen capture utility) and any other settings that are used, so the attack becomes a lot more complex.

      That's really what it's about - using a vault means a lot more effort is required on the part of the attacker, and as it's not going to significantly bolster their ROI (not enough people using them at the moment) they won't bother - they can use their resources better elsewhere.

      Remember, no security setup will ever be perfect. The trick is to make yourself a prohibitively expensive target.

  8. What Really is Happening by Anonymous Coward · · Score: 1

    The author is using phished/stolen iTunes accounts to buy their game so they can cash out the money.

    Nothing too leet.

  9. Don't know if related by Anonymous Coward · · Score: 0

    I have seen phishing mail about "issues with your itunes purchase". Don't know if it's related. (the first FA mentions it started with an e-mail).

    The person who got the mail doesn't have an iTunes account, so I just assumed it was typical phishing.

  10. ifumes @ itunes SoftICE | Yes they were hacked by Anonymous Coward · · Score: 0

    No more DRM

    SoftICE still works http://en.wikipedia.org/wiki/SoftICE

  11. SEGA's own support forums? by Anonymous Coward · · Score: 1
  12. trash, no mention of phishing or trojans by blueworm · · Score: 3, Interesting

    No mention of keylogging trojans or phishing combined with ridiculous uneducated guessing makes these authors' ramblings pure trash. Apparently all the links are from Betanews, too; I'd like to see Betanews stick to talking about iThings and not security. Choice quotes interspersed with my reactions:

    "Apple's iTunes user logs themselves may have been compromised."

    All I can think of on this one is the time I had someone tell me that my router had "lost its ARP table".

    "... several of the victims that reported into Betanews on their experience are employed in IT -- obviously understanding the risks of improperly secured personal data."

    I'd hope these same IT employees someday understand the risks of improperly secured personal data by not browsing the web on their own PCs (no Windows implied).

  13. Oh yeah? by Anonymous Coward · · Score: 1

    I am posting this comment from Divebus' cassette deck.

    1. Re:Oh yeah? by ColdWetDog · · Score: 1

      I am posting this comment from Divebus' cassette deck.

      A cassette deck running a browser. Cool. Did you load BSD?

      --
      Faster! Faster! Faster would be better!
    2. Re:Oh yeah? by Anonymous Coward · · Score: 0

      kernel panic!

      Press PLAY on tape.

    3. Re:Oh yeah? by dgatwood · · Score: 1

      Probably. NetBSD runs on just about everything else....

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

  14. Re:LOL Is hacked slang for consentual buttsecks?? by Xtifr · · Score: 0

    Ha-ha, original poster was a FreeBSD fan!

    Just kidding--actually, he's a Solaris fan.

    Fooled ya! He actually uses The Hurd. Amiga? Plan9? Atari800?...

  15. Gawker/Sony 67% the same, perhaps iTunes as well? by Anonymous Coward · · Score: 1

    It's likely that they had the same username/pwd combination as either their gawker or their sony password; remember, 67% of those two were the same. Based on that I'd wager there are at least a few iTunes credentials that are the same as well.

  16. Hacking? Easier answers... by Jason+Pollock · · Score: 3, Insightful

    Considering we've seen a story about how everyone is using the same password everywhere, and how Sony got hacked again, exposing even more passwords, is it any surprise that a number of people are having their iTunes and PayPal accounts attacked and drained to buy game gold?

    iTunes and PayPal are pretty huge targets, but who'd attack a single game if they had access to the back end?

  17. It Happened To Me: by Anonymous Coward · · Score: 1

    This morning I fired up iTunes to download a couple podcasts before heading into work, and noticed that the balance I had left over from a gift card was missing. I checked out my account billing history and sure enough I had charges for Kingdom Conquest and some in game purchases. I went ahead and called Apple support and opened a trouble ticket to dispute the charges. Hopefully this gets resolved, but this article kind of blew me away...might be just the tip of the iceberg.

  18. Re:Gawker/Sony 67% the same, perhaps iTunes as wel by Divebus · · Score: 1

    I'll put 97% of my money on this. Same logins as used by the hacked Sony accounts. I'm surprised the number of compromises isn't much higher. Alright... everyone change their passwords NOW.

    --

    Most of the stuff on /. won't survive first contact with facts.
  19. Meh. by Celestialwolf · · Score: 1, Redundant

    I specifically blocked iTunes in my firewall; it doesn't get to connect to the internet at all. No problems. Amazon is better anyway.

    1. Re:Meh. by jo_ham · · Score: 2

      That's great, but how does that stop someone else with your credentials logging in from a different computer and buying something?

      I'm going to assume you don't have a CC on file with Apple (if your iTunes paranoia is anything to go by) but your setup would not help anyone who does.

      My suspicions are that this is due to usernames and passwords being the same across multiple services, so one big compromise (Sony), has led to ID theft on other services, like the iTunes store.

    2. Re:Meh. by steve_bryan · · Score: 1

      Yep, you have fixed the problem unless THE PERPETRATOR IS IN YOUR HOUSE!! Get out as fast as you can!

      Please tell us you were joking so I can retract this harsh comment.

  20. Happened to Me, in much the same way by raabetj · · Score: 5, Interesting

    I very recently had the same situation that is described in the articles happen to my iTunes account. I received 2 emails for gift cards purchased through the iTunes store. As I was on vacation with no PC and thus no iTunes access, and not buying gift cards, I knew something was up. At first, I was thinking they were actually spam/phishing emails, as they listed the last 4 digits of a credit card that didn't match any of my credit cards. Without iTunes, all I could do was access my Apple ID account through the web on my phone, and when logged into my account, I saw that my billing information had been changed.

    Luckily I had moved about 3 weeks before, and updated my billing info with my credit card, and not in iTunes (or I suspect I would have had several more app/gift card purchases on my own card.) The strange part was that they didn't change my password at all, or any security related questions. It seems as if all they did was change my billing info to someone else's and buy $100 worth of gift cards (Who knows what they were used for...).

    I changed my iTunes Password, and contacted Apple Technical support, and all I got was a standard form letter about how I could dispute the charges on my credit card (even though I had pointed out that it *wasn't* my credit card info). They locked my account and after a short investigation they enabled it with no indication of anything other than their form letter.

    I will freely admit that my password was vulnerable to a dictionary attack, as in the past, I wasn't too worried about someone buying me lots of music, but have since changed it. However, I had no indication that someone was attempting to access my account. If someone was indeed using a dictionary attack on my account, I would have hoped Apple would notice several thousand invalid logins on an account and do something about it.

    I suspect there is someone named Jason in Seattle, who is wondering why they have a $100 purchase from iTunes on their MasterCard...

    1. Re:Happened to Me, in much the same way by tick_and_bash · · Score: 1

      Chances are it's part of a money laundering operation. Buy cards with stolen credit card. Resell cards to buyers. Person with the card needs to purchase songs as soon as possible before someone queries the transactions.

    2. Re:Happened to Me, in much the same way by coinreturn · · Score: 1

      You could have left the CC info wrong and bought all kinds of software, music, gift cards, etc without "knowing" the CC data had been changed.

    3. Re:Happened to Me, in much the same way by Anonymous Coward · · Score: 0

      This has been going on since April at least. I had $29.97 in charges for Kingdom Conquest in-game simoleans deducted from my $30 iStore credit on April 20th (which was just two days after I cleaned out my desk and found a bunch of old gift cards.) I got a quick refund but at first the customer support folks said "sorry you didn't receive your in-game items" and I had to email back and forth a few times before they acknowledged that it might have been an unauthorized purchase. I assumed it happened because the username/password was shared with other online accounts and since I re-secured the account the $30 balance has survived for several weeks now.

  21. Data corruption? by Hachima · · Score: 5, Interesting

    This may be unrelated, but yesterday I noticed that my iTunes account had become corrupted with someone else's data. My first name, last name, address and registered CC number became someone else's info. Had I not noticed, I would have been making charges against this other person's account. Maybe someone wrote one messed up database query and screwed up a massive amount of people's payment association. Some users are starting to notice they have someone else's info and are going on a buying spree. Or people are just making their normal purchases and are unknowingly charging other people's accounts, like I almost did last night.

    1. Re:Data corruption? by CosmeticLobotamy · · Score: 2

      Obviously I have no idea what happened in your case, but it gave me an interesting thought. If you have thousands of stolen credit cards (or even just one) but are afraid of getting caught using them, making thousands of other people unknowingly use stolen credit cards by changing their stored data would make for some fantastic plausible deniability.

    2. Re:Data corruption? by Hachima · · Score: 1

      Yeah, and that was my initial concern too once I saw this other person's information on my account. I checked my iTunes purchase history though, and there haven't been any purchases made other than my own.

    3. Re:Data corruption? by OverlordQ · · Score: 1

      Some users are starting to notice they have someone else's info and are going on a buying spree. Or people are just making their normal purchases and are unknowingly charging other people's accounts, like I almost did last night.

      Or somebody hacked your account and changed the billing info.

      --
      Your hair look like poop, Bob! - Wanker.
    4. Re:Data corruption? by Eric(b0mb)Dennis · · Score: 1

      This is actually a well known tactic in carding circles.

      After you've used and abused the 'virgin' cards, it's standard fare to spam them in IRC so they are used so much so quickly by so many that you are a needle in the haystack.

      --
      Excuse me, I don't mean to impose, but I am the ocean
    5. Re:Data corruption? by Anonymous Coward · · Score: 0

      Awww pity. My info is still mine :-(

  22. Watching this closely. by w0mprat · · Score: 0

    I cringed when I discovered for myself iTunes forces you to enter and keep your credit card details, just to be able to get access to the app store to just download free stuff even.

    I'm watching how this develops, I purchased my wife an iPod touch (both regretting it slightly), because if this turns out to be another widespread hack like the others recently it'd be the last time I ever buy an Apple product.

    --
    After logging in slashdot still does not take you back to the page you were on. It's been that way for 20 years.
    1. Re:Watching this closely. by PRMan · · Score: 2, Insightful

      because if this turns out to be another widespread hack like the others recently it'd be the last time I ever buy an Apple product.

      What, Steve Jobs controlling every aspect of your life wasn't enough?

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
    2. Re:Watching this closely. by amicusNYCL · · Score: 4, Funny

      I'm watching how this develops, I purchased my wife

      Was she more than $.99?
      Would you buy another?
      Have you seen any fraudulent wife purchases on your bill?

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    3. Re:Watching this closely. by Serious+Callers+Only · · Score: 2

      It doesn't any more. Log in to your iTunes account and choose None as payment method, and no details will be kept on file. If you don't purchase regularly then it'll be no inconvenience to re-enter them.

    4. Re:Watching this closely. by mikael_j · · Score: 1

      I cringed when I discovered for myself iTunes forces you to enter and keep your credit card details, just to be able to get access to the app store to just download free stuff even.

      No it doesn't. Sit closer to the monitor next time. I sure managed to set up an account without a credit card attached.

      And even if you can't figure out how to not enter a CC# you aren't so dumb as to enter the number from a physical credit card, right? I hope you're at least using a time- and purchase-size-limited CC# that you generated through your bank's website...

      --
      Greylisting is to SMTP as NAT is to IPv4
    5. Re:Watching this closely. by jo_ham · · Score: 2

      It doesn't - you can open and run an iTunes account without ever using a credit card, only topping it up with iTunes gift cards. No CC ever needs to go near the account.

    6. Re:Watching this closely. by Anonymous Coward · · Score: 0

      I cringed when I discovered for myself iTunes forces you to enter and keep your credit card details, just to be able to get access to the app store to just download free stuff even.

      This isn't actually true, although Apple does go out of its way to make it seem like it is.

    7. Re:Watching this closely. by yarnosh · · Score: 1

      Riiiight... Steve is so controlling my life /rollseyes

    8. Re:Watching this closely. by Pieroxy · · Score: 1

      Ahhh, sir, you just don't get it, or so it seems.

      While maintaining the radio button on "Credit Card", there is no way of not entering a credit card number !

      Apple is a bunch of thieves that will dry us all out. Blood suckers. How can people live with this ??????

    9. Re:Watching this closely. by w0mprat · · Score: 1

      I refer you to where I said "regretting it slightly", it's the in-app payments that are sucking me dry.

      --
      After logging in slashdot still does not take you back to the page you were on. It's been that way for 20 years.
    10. Re:Watching this closely. by lwsimon · · Score: 1

      I purchased his wife as well, and was quite satisfied.

      Would do business with again. A++.

      --
      Learn about Photography Basics.
    11. Re:Watching this closely. by Insightfill · · Score: 1

      I cringed when I discovered for myself iTunes forces you to enter and keep your credit card details, just to be able to get access to the app store to just download free stuff even.

      Oh, come now. There have been instructions for a long time on how to not need a credit card for free purchases.

  23. Re:Hacking? Easier answers... by tlhIngan · · Score: 1, Redundant

    Quite likely actually. It seems these reports surface every few months.

    Heck, last year we've had many reports of hacked accounts being used to buy in-app purchases or raise rankings of apps.

    So, the options are either a very low-level iTunes hack that only seems to steal a few hundred accounts at a time (iTunes has over 250M accounts according to today's keynote), a very big breach of iTunes that someone only seems to be using a few hundred accounts at a time, or, a bunch of people got phished or used the same password.

    In fact, I've seen a number of Apple phishing emails over the past few months - usually advertising some Photoshop sale or something. They look pretty real too, but they're phishes (I get them on my non-iTunes accounts).

    The general goal is to use in-app purchases of some $99 things to get easy money, and the easiest way is to phish some emails (like the fake Apple ones - honestly, Apple only sends me emails about their products, not about Photoshop... and never about SALES of said product).

    Most likely, either a reused password, or a phish. Besides the Photoshop bundle offer, I saw another fake Apple phishing email, but I can't remember for what product. I think it was for an Adobe product though.

  24. Disturbing. by w0mprat · · Score: 3, Insightful

    From reading up on the user reports of this, it seems this has been happening in this pattern since mid to late May. Apple has inexplicably not said a damn thing (yet), but has been removing credit card details from accounts, and locking some others out. Which indicates they are aware of this issue and dealing with it. Interestingly users report they are having no problems having their balances refunded. The silence is conspicuous, no? I guess this issue getting slashdotted means Apple is going to say something.

    What worries me is they appear to have known about it for a while and are trying to clean it up as quietly as possible. If this was a glitch one presumes they would admit it in a downplayed fashion. I'd wager it is a BIG hack.

    Leaving us with two possibilities:
    1) iTunes has been seriously fckued over for teh lulz and profit and is trying to keep it quiet.

    2) Or iTunes fraud may have been a constant (but contained) background noise for some while and this isn't much of an aberration. Apple may prefer to live with some level of fraud and patch up the leaks quietly. Just because it's trending on /. != an actual real issue.

    Either way, talk about reality distortion.

    --
    After logging in slashdot still does not take you back to the page you were on. It's been that way for 20 years.
    1. Re:Disturbing. by Serious+Callers+Only · · Score: 2

      You missed out:

      3) Most iTunes passwords are insecure, and are also used for other accounts like Sony

      Though your option no.2 is a good description of Apple's reaction to the problem. They should probably offer another level of protection like a certificate per device for login.

    2. Re:Disturbing. by w0mprat · · Score: 1

      That's a good point but you then forgot 3a) The usernames are often the same also, not just the emails. I think use of email as login isn't helpful for security either. It shouldn't be used for anything but password resets etc.

      --
      After logging in slashdot still does not take you back to the page you were on. It's been that way for 20 years.
    3. Re:Disturbing. by steve_bryan · · Score: 1

      There is nothing disturbing about the results so far unless it is due to a security breach of iTMS. So far it seems more likely that this is the result of people "depending on the kindness of strangers". More explicitly, that users may be using the same username and password for multiple sites. If that is the problem it is hard to imagine what any e-commerce site could do to protect a customer other than requiring credit card information to be entered for each transaction.

      A company can take the reactive position of correcting the issue after email notification alerts the user to the fraud. That seems to be what Apple has done. If iTMS has not been hacked then public announcements by Apple could be very inflammatory without doing anything to correct the problem. Any service with 230 million accounts is going to have some events that require investigation. If Apple has been hacked, they know it and have remained mute, then shame on them. Based on what's been reported so far that does not look likely.

    4. Re:Disturbing. by Anonymous Coward · · Score: 0

      1. iTunes got hacked and someone is trying to profit.
      2. Someone is using it for fraud.

      Also, you missed:
      3. Money Laundering and/or general Credit Card theft/fraud. Basically it's identity theft- it's like trying to cash a check, but I wrote the check payable to you and used your ID when I cashed it, as opposed to creating a false ID entirely. It takes the cops longer to catch on because they're busy wiretapping your phone, lo-jacking your car, and searching your anus at the airport.
      4. Apple has a massive back-end problem with their database integration, causing user records to become mis-pointed or linked to incorrect accounts.

      And no, this isn't for the Lulz or we'd have heard a lot of chest-pounding and seen a lot of Cock-stroking going on.
      The silence from Apple tells me that this is either a colossal database fuckup that they're too embarrassed to admit, or else someone is using it as systematic fraud and the Feds told them to keep quiet while they track and datamine whoever is doing it.
      I really don't see anything to believe that there was any kind of massive hack, though. We'd see a lot more reports of problems or some public announcement from the black hats.

    5. Re:Disturbing. by Anonymous Coward · · Score: 0

      Sony accounts that were hacked used your email address and password. The iTunes store does not prompt for the security code of your credit card. It seems to me that the stolen Sony data is now being used to commit fraud in iTunes. Anyone that had a Sony account and an iTunes account with the same email/password, should be sure to change the password asap on not only those services but any that used the same.

  25. iCloud to by virb67 · · Score: 1, Insightful

    iCloud to iFuckedUp in 3, 2, 1...

  26. weird by Anonymous Coward · · Score: 1

    My internet on my Mac keeps fucking up lately, it's fine on Windows and Android so it's definitely something wrong with the Mac. This better not be a fucking security fuckup since I do my banking and investing on this shit since it's supposedly more secure....

    1. Re:weird by Anonymous Coward · · Score: 0

      That's what you get for trusting a CORPORATION to care about your security. Apple exists to make money for Apple, not to make pretty things that protect you.

    2. Re:weird by Anonymous Coward · · Score: 0

      You jelly, bro? I've been using Linux since before you bought your first copy of "Hacking Exposed", fag.

  27. Credit cards on file by Malc · · Score: 0

    It mystifies me why we're required to keep a credit card on file for using iTunes. Sure, it makes it easier to buy stuff, but I'd rather they didn't store it. I don't buy many apps any way, and certainly don't need a CC for free purchases. Bad move Apple.

    1. Re:Credit cards on file by Anonymous Coward · · Score: 1

      I prefer to be mystified by things that are actually real. Create an iTunes App Store account without a credit card

    2. Re:Credit cards on file by Anonymous Coward · · Score: 0

      You don't need to keep any credit card details in iTunes... Just change your payment method to "None" and you can download the free apps just fine.

      You can also add gift cards to your account if you want to purchase anything, and you'd never need to have any credit card info attached to iTunes.

    3. Re:Credit cards on file by Malc · · Score: 1

      That seems to be a new feature, thanks. Last time I looked at this the only way to do it was to create a new account. This after all the other crap to hookup my account for Find My iPhone.

    4. Re:Credit cards on file by tlhIngan · · Score: 1

      That seems to be a new feature, thanks. Last time I looked at this the only way to do it was to create a new account. This after all the other crap to hookup my account for Find My iPhone.

      I removed my card info from my iTunes account when the latest rounds of "iTunes Hacked!" news came out. Mostly as a precaution, since I really just use iTunes gift cards for purchases. (Yes, I use gift cards - there seems to be a $5 off $25 or $10 off $50 gift card sale pretty damn often, so why pay full price?)

  28. I was Hacked by Anonymous Coward · · Score: 0

    3 days ago I loaded up a $25 GC I received onto my iTunes account, this is the first and only time I've ever used an iTunes Gift Card. I had nothing to buy so I just loaded the balance and logged out. Today I went to buy a song and it denied the purchase. Not only was the GC balance gone, but my Credit Card info had been cleared from the account so the purchase was unable to authorize at all. My Purchase History showed that someone had downloaded the Texas Poker app (free) and then bought the 1.5M chip $19.99 in-app purchase and 100k chip $1.99 in-app purchase. I dug up this 24-page thread on Apple's own support forums (https://discussions.apple.com/thread/2665383?start=0&tstart=0 sorry if this has already been linked above, I didn't look) which seems to indicate this exact behavior of accounts with Gift Card balances being drained has been going on since at least November. Still waiting to hear back from Apple support about getting my balance refunded but passwords have obviously been updated in the meantime.

  29. Re:Gawker/Sony 67% the same, perhaps iTunes as wel by Aeternitas827 · · Score: 1

    Alright... everyone change their passwords NOW.

    And BOOM goes the dynamite.

    --
    I don't post AC. I like my -1, Flamebaits. Trump/Sheen 2012 on the Batshit Insane ticket!
  30. Last time = user error by Anonymous Coward · · Score: 0

    Last time this was a problem, all accounts hacked were accounts that were using the same e-mail and password on multiple websites.

    If people are too stupid to use individual password per website, it is their fault. They should stay away from the shabby sites (Like Sony), and if they need to register, use different passwords. It is not that difficult.

    For slashdot a good password could be passSLCword - SC = Slashdot.Com. Individual for the site, difficult to guess, and long enough that brute force is made non-trivial. For apple.com people could use passAPCword.

    It is very easy to use individual passwords per site. And with 1password, I used 15 chars random passwords everywhere, except my token protected GMail - which I need to access in case I need a password reset or lose 1password.

  31. Tracking by crossmr · · Score: 1

    Shouldn't this be easy to track? With the transaction ID, can't they see who bought the points in-game? Then find out if it belongs to an iPod or an iPhone. If it belongs to an iPhone couldn't they track that down and find out who owns it?

  32. Re:Hacking? Easier answers... by DrXym · · Score: 1

    More likely it is a vulnerability in the game or iTunes which is being exploited. No need to leap to more far fetched conclusions without some evidence to support it.

  33. Likelier scenario: by Anonymous Coward · · Score: 0

    Idiots misplacing their account info and/or using jackass passwords.

  34. Re:Hacking? Easier answers... by Pieroxy · · Score: 1

    Do you mean to say that the fact that some people may use the millions of passwords that are out in the street is more far fetched than believing the system has been hacked?

    I'd say it is debatable at best. As for your advice, since there is no evidence yet, I'd advise you to actually follow it.

  35. Re:Hacking? Easier answers... by DrXym · · Score: 1

    Do you mean to say that the fact that some people may use the millions of passwords that are out in the street is more far fetched than believing the system has been hacked?

    I'd say it is debatable at best. As for your advice, since there is no evidence yet, I'd advise you to actually follow it.

    I have no issue with the assertion that many people use the same password and id in various places. I do take issue in the automatic association of two hacks when no evidence or reason is known to think there is a connection. Perhaps if every single person reporting fraud says "yes I was a PS3 PSN account holder", the evidence might at least be circumstantial but at present it's just weak conjecture. It certainly doesn't make much sense to believe someone who might have stolen millions of accounts would use them to engage in some minor in-game billing fraud.

    It's more likely to be a billing bug, or an exploit specific to the system and game in which it has occurred. The fact it's occurring in one game would suggest that someone is diddling the in-game purchase system. If purchase requests are sent from the client in the clear or some guessable cipher and items can be "gifted" from one iTunes user to another then it isn't hard to see how it may have occurred. I assume the in game points have some value to the scammer, either being a commodity that can be sold to other players or used to make other things that can then be sold.

  36. Just a thought but... by BrokenBeta · · Score: 1

    You don't happen to have a Playstation account with the same username/password, do you?

  37. I Believe iTunes Acct Info was HARVESTED en masse by Anonymous Coward · · Score: 0

    I was also a victim of a hack on iTunes with many similarities to other user reports. I noticed some e-mails in my inbox from iTunes concerning purchases made on a gift card, despite never making purchases on iTunes and only having the account because I was forced to create one. Luckily I never entered any CC info or phone numbers or addresses. I alerted Apple and they immediately froze my account and refunded me back the $9.00 that was stolen (not that I ever planned on using it, actually).

    But here is the reason why I don't think this is just an individual account phenomenon and that iTunes user info has actually been harvested en masse: Ever since the iTunes account was hacked I have been regularly receiving confirmation e-mails for new accounts being opened on Windows LIVE for XBox, Sony PSN, etc.. using my e-mail address. Now that I am hearing reports from other users as well, I am beginning to think that the iTunes server was breached and that user account info was harvested en masse and that information is now circulating around the hacker underground. These new account confirmations only started after I noticed my iTunes account was hacked, and I do not own a Playstation or X-Box so I do not have accounts on their networks.

    Since the only real information that I had entered in my iTunes account was my e-mail address, this security breach thus far is only proving to be an annoyance of shooting down new accounts being opened under my e-mail address. But I must imagine that people who had entered actual personal information and credit card info must be suffering from some major identity theft issues right now.

  38. my deepest sympathies by x975 · · Score: 1

    My iTunes account was also hacked last September (2010). We just happened to see the incoming charges and immediately stopped payment. Both PayPal and iTunes removed the charges from our account. But, the thing that got me off iTunes was the overly sympathetic attitude of the iTunes Apple advisor. He said, "First and foremost, I have to tell you I sympathize with you. I've been through fraud three times, two of which I got no recovery from. I really understand how you feel, the unfortunate part is Apple, nor any company, can 100% guarantee your account safety. In the same way you cannot promise your insurance company you will never have a car accident therefore should pay a much lower monthly payment these sorts of things happen. The people who perpetrate these actions are always evolving and using so many different ways of getting away with this. And sometimes, and I cannot say in your case, the customer has onus in the situation. They may use a password that is easy to guess, they may have spyware/keyloggers on the system that report the password used back to the unauthorized user, inadvertently give out account information through phishing scams and the sort. There are always ways to keep your account as secure as possible, but nothing is 100% and so I cannot possibly assure you of that, nor can Apple send you a letter on that. As for why your account was breached, I am just not privy to that information. So, I consulted my superior, who in turn consulted their superior and I have been told we cannot release such information. I am truly sorry." Funny that. I have since removed my credit card info from iTunes. And, no my password wasn't perfect, but it wasn't bad either. At the time, quite a lot of other users were hacked.

  39. Re:Hacking? Easier answers... by Krneki · · Score: 1

    This!

    It is the same with WoW accounts. They hack into poorly secured forums and use the same password and username to log into the game.

    --
    Love many, trust a few, do harm to none.
  40. AppleIDs being bruteforced by Anonymous Coward · · Score: 0

    2) Or iTunes fraud may have been a constant (but contained) background noise for some while and this isn't much of an aberration. Apple may prefer to live with some level of fraud and patch up the leaks quietly. Just because it's trending on /. != an actual real issue.

    From what I can see, this seems to be the case. Most of the "hacks" seem to be of the "someone guessed/cracked my weak password and used my account to buy stuff" variety.

    From what I can see, Apple's biggest problem is its "AppleID" account system. AppleID is used
    1. As your iTunes Store (buying music/video/apps) account
    2. As your Apple Store account (buying computers/iPods/iPhones)
    3. As your Developer account, if you have one
    4. As your Online Support/Warranty registration account
    5. Automatically created whenever you create a MobileMe (now iCloud) account (your MobileMe account is a new AppleID)
    6. Practically anything else you might want to do at any apple.com domain.

    There are probably at least a dozen, probably more, different login pages where you can use your AppleID and password. The problem is that all of these various systems don't always talk to one another well. It's pretty common to have an AppleID that is perfectly valid but doesn't work with one system until you email Apple and they do a manual account merge. And I'm pretty sure the brute-force lockout mechanisms aren't coordinated between these systems...and there may be one or two that don't have a lockout function at all.

    The upshot is, I'm pretty sure there is a cottage industry in stealing AppleID accounts by brute-forcing them against some of Apple's weaker systems. I've read the stories, and they all seem to fit that pattern.
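
The lockout gap the comment above speculates about, as an added example that is not part of the original thread and not Apple's code: the same constructed stream of failed logins is replayed against per-front-end counters and against one shared per-account counter. The endpoint labels, threshold, window and e-mail addresses are assumptions made up for the illustration.

```python
from collections import Counter, defaultdict, deque

MAX_FAILURES = 5        # assumed lockout threshold, not a real Apple policy
WINDOW_SECONDS = 900    # assumed 15-minute sliding window
# Constructed labels for login front ends that accept the same account.
ENDPOINTS = ["itunes", "store", "developer", "support", "mobileme", "other"]


class LockoutTracker:
    """Sliding-window failed-login counter.

    shared=False: every front end counts and locks on its own.
    shared=True:  one counter and one lock per account for all front ends.
    """

    def __init__(self, shared):
        self.shared = shared
        self.failures = defaultdict(deque)   # key -> failure timestamps
        self.locked = set()                  # keys currently locked out

    def attempt(self, ts, account, endpoint, success):
        """Return 'locked', 'ok' or 'fail' for one login attempt."""
        key = account if self.shared else (account, endpoint)
        if key in self.locked:
            return "locked"                  # guess is never evaluated
        recent = self.failures[key]
        while recent and ts - recent[0] > WINDOW_SECONDS:
            recent.popleft()                 # forget failures outside window
        if success:
            recent.clear()
            return "ok"
        recent.append(ts)
        if len(recent) >= MAX_FAILURES:
            self.locked.add(key)
        return "fail"


def constructed_events():
    """24 bad guesses on one account, 4 per front end (under the threshold),
    followed by a legitimate user who mistypes once and then logs in."""
    events, ts = [], 0
    for _ in range(MAX_FAILURES - 1):
        for endpoint in ENDPOINTS:
            events.append((ts, "victim@example.com", endpoint, False))
            ts += 10
    events.append((ts, "alice@example.com", "itunes", False))
    events.append((ts + 5, "alice@example.com", "itunes", True))
    return events


def replay(shared):
    """Tally (account, result) pairs for the constructed event stream."""
    tracker = LockoutTracker(shared)
    tally = Counter()
    for ts, account, endpoint, success in constructed_events():
        tally[(account, tracker.attempt(ts, account, endpoint, success))] += 1
    return tally


if __name__ == "__main__":
    for shared in (False, True):
        print("shared" if shared else "per-endpoint", dict(replay(shared)))
```

With per-front-end counters all 24 guesses are evaluated and nothing locks; with the shared counter the account locks on the fifth failure and the remaining 19 guesses are refused, while the legitimate user is unaffected in both runs.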

  41. iTunes definitely subject to hacking... by Xyverz · · Score: 1

    I've had my iTunes account hacked and money siphoned off from my PayPal account via "Allowances". Fortunately, PayPal reversed the charges. Sadly, iTunes was very very quick to shift the blame to other sources (me). My password wasn't a weak password, but it could have been better; it is now. Now I only use gift cards in small amounts on my iTunes account.

    I had no viruses, malware, or trojans on my computers (windows OR mac), and this wasn't an in-app purchase. So where'd they get my information? Don't know. *shrug* But this report does make me wonder how secure and stable the iCloud service is going to be.

  42. CROM! by Anonymous Coward · · Score: 0

    Croms frozen balls! he actually used the word cromunlet!!!

  43. Oh, please. by sean.peters · · Score: 1

    Yeah, Mac owner here, and I was about to have McDonald's for lunch, but Steve wouldn't let me - it's bad for my heart, you see. He sees all, knows all, and prevents us from sin via the control chip all Mac owners have implanted.

    Or maybe, you know, Steve doesn't control every aspect of my life. Could be that, too.

  44. Gift card vulnerability? by Paul1969 · · Score: 1

    I read some of the betanews stories, and noticed one comment to the effect that every victim had an iTunes gift card with an available balance when they got "hacked." If that is the case, it seems like one mighty big "coincidence."

  45. iTunes hackers gave me money by neminem · · Score: 1

    In a sense. About 6 months ago I got an email that my iTunes account had purchased 8 bucks worth of really sketchy-looking apps, which made me a little nervous, so I reported it (mainly because I didn't feel like having those apps show up in my list of purchased items, but also just in case they could track down the actual purchaser, though I didn't think that particularly likely). I didn't have a credit card linked to the account, so they weren't using my money - I assume they were going for some sort of money-laundering, or perhaps testing other people's stolen cards or something.

    Anyway, when I reported it, they not only removed the weird apps, they also gave me 8 bucks in itunes credit, even though I specifically said not to. Thanks, hackers!

  46. Theft from I-Tunes account by Anonymous Coward · · Score: 0

    They got our account for about 50 bucks. They bought Gameloft "Order & Chaos" apps, down to within a dollar of what was in the account.
    Is there a way to report this and get some accountability from Apple and/or the anti-hacker government in any way? This really disturbs me.
    Not the money. More that nobody seems to give a damn.