Slashdot Mirror
Has iTunes Been Hacked?
An anonymous reader writes "Betanews has a series of articles talking about an apparent hack in iTunes that has resulted in fraudulent charges for some users involving Sega's Kingdom Conquest game. The reports start with a personal account from reporter Ed Oswald, who was a victim of the hack itself. The next story adds reports from readers, and the most recent story adds additional reports, with Oswald saying the number of reports received are in the 'dozens.' Apple has yet to confirm the existence of a hack, although reports have appeared on Sega's own support forums, Apple discussion boards, and through other news outlets."
"This was an unprecedented situation," he said. "Most of these breaches go unreported by companies."
At first I thought this was just to spread generalized fear, take a cheap swipe at their competition or even shift attention to something else, but it appears we'll get to see how pervasive this becomes. Perhaps he wasn't completely full of lies ...
My work here is dung.
There are anecdotal reports of some European credit card
companies refusing to accept iTunes charges. Related?
Coincidence, I wonder, that a new 63-page EULA (63 pages Apple, are you serious?) appeared today when I was prompted to update my NASA App. And that the changed terms specifically involved iTunes password expiry and in-app purchases?
More like identity theft.
Nobody ever hacked my cassette deck.
Most of the stuff on
People being overcharged because the accounting software fucked up happens all the time. What would a hacker get out of making someone pay a few extra bucks to Sega, via Apple, compared to both dodging an accusation of faulty billing software that could sour people on microtransactions?
It's highly unlikely this was a hack. If it was reports would be in the hundreds or thousands, not "dozens". Also there would a variety of purchases, not just for one game.
The most likely answer is a keylogger trojan, social engineering or a reused password from a true hacked site (like Sony or PBS). I find it odd that everyone who suggests that in TFA is thumbed down into oblivion as that's the most likely answer.
Also iTunes doesn't bill in real time, so those purchases that "just happened" were likely from days ago.
The author is using phished/stolen itune accounts to buy their game so they can cash out the money.
Nothing too leet.
Looks pretty empty to me.
No mention of keylogging trojans or phishing combined with ridiculous uneducated guessing makes these authors' ramblings pure trash. Apparently all the links are from Betanews, too; I'd like to see Betanews stick to talking about iThings and not security. Choice quotes interspersed with my reactions:
"Apple's iTunes user logs themselves may have been compromised."
All I can think of on this one is the time I had someone tell me that my router had "lost its ARP table".
"... several of the victims that reported into Betanews on their experience are employed in IT -- obviously understanding the risks of improperly secured personal data."
I'd hope these same IT employees someday understand the risks of improperly secured personal data by not browsing the web on their own PCs (no Windows implied).
I am posting this comment from Divebus' cassette deck.
Its likely that: They had the same username/pwd combination as either their gawker or their sony password, remember 67% of those two were the same. Based on that I'd wager there are at least a few iTunes credentials that are the same as well
Considering we've seen a story about how everyone is using the same password everywhere, and how Sony got hacked again , exposing even more passwords, is it any surprise that a number of people are having their iTunes and PayPal accounts attacked and drained to buy game gold?
iTunes and PayPal are pretty huge targets, but who'd attack a single game if they had access to the back end?
This morning I fired up iTunes to download a couple podcast before heading into work, and noticed that the balance I had left over from a gift card was missing. I checked out my account billing history and sure enough I had charges for Kingdom Conquest and some in game purchases. I went ahead and called Apple support and opened a trouble ticket to dispute the charges. Hopefully this gets resolved, but this article kind of blew me away...might be just the tip of the iceberg.
I'll put 97% of my money on this. Same logins as used by the hacked Sony accounts. I'm surprised the number of compromises isn't much higher. Alright... everyone change their passwords NOW.
Most of the stuff on
I specifically blocked Itunes in my firewall; it doesn't get to connect to the internet at all. No problems. Amazon is better anyway.
I very recently had the same situation that is described in the articles happen to my iTtunes Account. I received 2 emails for gift cards purchased through the iTunes store. As I was on vacation with no PC and thus no iTunes access, and not buying gift cards, I knew something was up. At first, I was thinking they were actually spam/phishing emails, as they listed the last 4 digits of a Credit Card that didn't match any of my Credit cards. Without iTunes, all I could do was access my Apple ID account through the web on my phone, and when logged into my account, I saw that my billing information had been changed.
Luckily I had moved about 3 weeks before, and updated my billing info with my credit card, and not in iTunes (or I suspect I would have had several more app/gift card purchases on my own card.) The strange part was that they didn't change my password at all, or any security related questions. It seems as all they did was change my billing info to some one else's and buy $100 worth of gift cards (Who knows what they were used for...).
I changed my iTunes Password, and contacted Apple Technical support, and all I got was a standard form letter about how I could dispute the charges on my credit card (even though I had pointed out that it *wasn't* my credit card info). They locked my account and after a short investigation they enabled it with no indication of anything other than their form letter.
I will freely admit that my password was vulnerable to a dictionary attack, as in the past, I wasn't too worried about someone buying me lots of music, but have since changed it. However, I had no indication that someone was attempting to access my account. If someone was indeed using a dictionary attack on my account, I would have hoped Apple would notice several thousand invalid logins on an account and do something about it.
I suspect there is someone named Jason in Seattle, who is wondering why they have a $100 purchase from iTunes on their MasterCard...
This may be unrelated, but yesterday I noticed that my iTunes account had became corrupted with someone else's data. My first name, last name, address and registered CC number became someone else's info. Had I not noticed, I would have been making charges against this other persons account. Maybe someone wrote one messed up database query and screwed up a massive amount of people's payment association. Some users are starting to notice they have someone else's info and are going on a buying spree. Or people are just making their normal purchases and are unknowingly charging other people's accounts, like I almost did last night.
Quite likely actually. It seems these reports surface every few months.
Heck, last year we've had many reports of hacked accounts being used to buy in-app purchases or raise rankings of apps.
So, the options are either a very lowlevel iTunes hack that only seems to steal a few hundred accounts at a time (iTunes has over 250M accounts according to today's keynote), a very big breach of iTunes that someone only seems to be using a few hundred accounts at a time, or, a bunch of people got phished or used the same password.
In fact, I've seen a number of Apple phishing emails over the past few months - usually advertising some Photoshop sale or something. They look pretty real too, but they're phishes (I get them on my non-iTunes accounts).
The general goal is to use in-app purchases of some $99 things to get easy money, and the easiest way is to phish some emails (like the fake Apple ones - honestly, Apple only sends me emails about their products, not about Photoshop... and never about SALES of said product).
Most likely, either a reused password, or a phish. Besides the Photoshop bundle offer, I saw another fake Apple phishing email, but I can't remember for what product. I think it was for an Adobe product though.
From reading up on the user reports of this. It seems this has been happening in this pattern since mid to late May. Apple has inexplicably not said a damn thing (yet), but has been removing credit card details from accounts, and locking some others out. Which indicates they are aware of this issue and dealing with it. Interestingly users report they are having no problems having their balances refunded. The silence is conspicuous, no? I guess this issue getting slashdotted means Apple is going to say something.
/. != a actual real issue.
What worries me is they appear to have known about it for a while and are trying to clean it up as quietly as possible. If this is was a glitch one presume they would admit it in a downplayed fashion. I'd wager it is a BIG hack.
Leaving us with two possiblities:
1) iTunes has been seriously fckued over for teh lulz and profit and is trying to keep it quiet.
2) Or iTunes fraud may have been a constant (but contained) background noise for some while and this isn't much of an abberation. Apple may prefer to live with some level of fraud and patch it up the leaks quietly. Just because it's trending on
Either way, talk about reality distortion.
After logging in slashdot still does not take you back to the page you were on. It's been that way for 20 years.
because if this turns out to be another widespread hack like the others reccently it'd be the last time I ever buy an Apple product.
What, Steve Jobs controlling every aspect of your life wasn't enough?
Peter predicted that you would "deliberately forget" creation 2000 years ago...
iCloud to iFuckedUp in 3, 2, 1...
My internet on my Mac keeps fucking up lately, it's fine on Windows and Android so it's definitely something wrong with the Mac. This better not be a fucking security fuckup since I do my banking and investing on this shit since it's supposedly more secure....
I'm watching how this develops, I purchased my wife
Was she more than $.99?
Would you buy another?
Have you seen any fraudulent wife purchases on your bill?
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
It doesn't any more. Log in to your iTunes account and choose None as payment method, and no details will be kept on file. If you don't purchase regularly then it'll be no inconvenience to re-enter them.
I cringed when I discovered for myself iTunes forces you to enter and keep your credit card details, just to be able to get access to the app store to just download free stuff even.
No it doesn't. Sit closer to the monitor next time. I sure managed to setup an account without a credit card attached.
And even if you can't figure out how to not enter a CC# you aren't so dumb as to enter the number from a physical credit card, right? I hope you're at least using a time- and purchase-size-limited CC# that you generated through your bank's website...
Greylisting is to SMTP as NAT is to IPv4
It doesn't - you can open and run an iTunes account without ever using a credit card, only topping it up with iTunes gift cards. No CC ever needs to go near the account.
I prefer to be mystified by things that are actually real. Create an iTunes App Store account without a credit card
Riiiight... Steve is so controlling my life /rollseyes
Alright... everyone change their passwords NOW.
And BOOM goes the dynamite.
I don't post AC. I like my -1, Flamebaits. Trump/Sheen 2012 on the Batshit Insane ticket!
Shouldn't this be easy to track? with the transaction ID, can't they see who bought the points in-game. Then find out if it belongs to an ipod or an iphone. If it belongs to an iphone couldn't they track that done and find out who owns it?
More likely it is a vulnerability in the game or iTunes which is being exploited. No need to leap to more far fetched conclusions without some evidence to support it.
Do you mean to say that the fact that some people may use the millions of passwords that are out in the street if more far fetched than believing the system has been hacked?
I'd say it is debatable at best. As for your advice, since there are no evidence yet, I'd advise you to actually follow it.
Write boring code, not shiny code!
Ahhh, sir, you just don't get it, or so it seems.
While maintaining the radio button on "Credit Card", there is no way of not entering a credit card number !
Apple is a bunch of thieves that will dry us all out. Blood suckers. How can people live with this ??????
Write boring code, not shiny code!
Do you mean to say that the fact that some people may use the millions of passwords that are out in the street if more far fetched than believing the system has been hacked?
I'd say it is debatable at best. As for your advice, since there are no evidence yet, I'd advise you to actually follow it.
I have no issue with the assertion that many people use the same password and id in various places. I do take issue in the automatic association of two hacks when no evidence or reason is known to think there is a connection. Perhaps if every single person reporting fraud says "yes I was a PS3 PSN account holder", the evidence might at least be circumstantial but at present it's just weak conjecture. It certainly doesn't make much sense to believe someone who might have stolen millions of accounts would use them to engage in some minor in-game billing fraud.
It's more likely to be a billing bug, or an exploit specific to the system and game in which it has occurred. The fact it's occuring in one game would suggest that someone is diddling the in-game purchase system. If purchase requests are sent from the client in the clear or some guessable cipher and items can be "gifted" from one iTunes user to another then it isn't hard to see how it may have occurred. I assume the in game points have some value to the scammer, either being a commodity that can be sold to other players or used to make other things that can then be sold.
You don't happen to have a Playstation account with the same username/password, do you?
I refer you to where I said "regretting it slightly", it's the in-app payments that are sucking me dry.
After logging in slashdot still does not take you back to the page you were on. It's been that way for 20 years.
That seems to be a new feature, thanks. Last time I looked at this the only way to do it was to create a new account. This after all the other crap to hookup my account for Find My iPhone.
My iTunes account was also hacked last September (2010). We just happened to see the incoming charges and immediately stopped payment. Both Pay Pal and iTunes removed the charges from our account. But, the thing that got me off iTunes was the overly sympathetic attitude of the iTunes Apple advisor. He said, "First and foremost, I have to tell you I sympathize with you. I've been through fraud three times, two of which I got no recovery from. I really understand how you feel, the unfortunate part is Apple, nor any company, can 100% guarantee your account safety. In the same way you cannot promise your insurance company you will never have a car accident therefore should pay a much lower monthly payment these sorts of things happen. The people who perpetrate these actions are always evolving and using so many different ways of getting away with this. And sometimes, and I cannot say in your case, the customer has onus in the situation. They may use a password that is easy to guess, they may have spyware/keyloggers on the system that report the password used back to the unauthorized user, inadvertently give out account information through phishing scams and the sort. There are always ways to keep your account as secure as possible, but nothing is 100% and so I cannot possible assure you of that, nor can Apple send you a letter on that. As for why your account was breached, I am just not privy to that information. So, I consulted my superior, who in turn consulted their superior and I have been told we cannot release such information. I am truly sorry. " Funny that. I have since removed my credit card info from iTunes. And, no my password wasn't perfect, but it wasn't bad either. At the time, quite a lot of other users were hacked.
I purchased his wife as well, and was quite satisfied.
Would do business with again. A++.
Learn about Photography Basics.
This!
It is the same with WoW accounts. They hack into poorly secured forums and use the same password and username to log into the game.
Love many, trust a few, do harm to none.
Oh,come now. There have been instructions for a long time on how to not need a credit card for free purchases.
I've had my iTunes account hacked and money siphoned off from my PayPal account via "Allowances". Fortunately, PayPal reversed the charges. Sadly, iTunes was very very quick to shift the blame to other sources (me). My password wasn't a weak password, but it could have been better; it is now. Now I only use gift cards in small amounts on my iTunes account.
I had no viruses, malware, or trojans on my computers (windows OR mac), and this wasn't an in-app purchase. So where'd they get my information? Don't know. *shrug* But this report does make me wonder how secure and stable the iCloud service is going to be.
I removed my card info from my iTunes account when the latest rounds of "iTunes Hacked!" news came out. Mostly as a precaution, since I really just use iTunes gift cards for purchaess. (Yes, I use gift cards - there seems to be a $5 off $25 or $10 off $50 gift card sale pretty damn often, so why pay full price?)
Yeah, Mac owner here, and I was about to have McDonald's for lunch, but Steve wouldn't let me - it's bad for my heart, you see. He sees all, knows all, and prevents us from sin via the control chip all Mac owners have implanted.
Or maybe, you know, Steve doesn't control every aspect of my life. Could be that, too.
I read some of the betanews stories, and noticed one comment to the effect that every victim had an iTunes gift card with an available balance when they got "hacked." If that is the case, it seems like one mighty big "coincidence."
In a sense. About 6 months ago I got an email that my iTunes account had purchased 8 bucks worth of really sketchy-looking apps, which made me a little nervous, so I reported it (mainly because I didn't feel like having those apps show up in my list of purchased items, but also just in case they could track down the actual purchaser, though I didn't think that particularly likely). I didn't have a credit card linked to the account, so they weren't using my money - I assume they were going for some sort of money-laundering, or perhaps testing other peoples' stolen cards or something.
Anyway, when I reported it, they not only removed the weird apps, they also gave me 8 bucks in itunes credit, even though I specifically said not to. Thanks, hackers!