Slashdot Mirror
Has iTunes Been Hacked?
An anonymous reader writes "Betanews has a series of articles talking about an apparent hack in iTunes that has resulted in fraudulent charges for some users involving Sega's Kingdom Conquest game. The reports start with a personal account from reporter Ed Oswald, who was a victim of the hack itself. The next story adds reports from readers, and the most recent story adds additional reports, with Oswald saying the number of reports received are in the 'dozens.' Apple has yet to confirm the existence of a hack, although reports have appeared on Sega's own support forums, Apple discussion boards, and through other news outlets."
can't be: there are no viruses on Apple. Go ask your local Genius !
The Cloud - because you don't care if your apps and data are up in the air.
I very recently had the same situation that is described in the articles happen to my iTtunes Account. I received 2 emails for gift cards purchased through the iTunes store. As I was on vacation with no PC and thus no iTunes access, and not buying gift cards, I knew something was up. At first, I was thinking they were actually spam/phishing emails, as they listed the last 4 digits of a Credit Card that didn't match any of my Credit cards. Without iTunes, all I could do was access my Apple ID account through the web on my phone, and when logged into my account, I saw that my billing information had been changed.
Luckily I had moved about 3 weeks before, and updated my billing info with my credit card, and not in iTunes (or I suspect I would have had several more app/gift card purchases on my own card.) The strange part was that they didn't change my password at all, or any security related questions. It seems as all they did was change my billing info to some one else's and buy $100 worth of gift cards (Who knows what they were used for...).
I changed my iTunes Password, and contacted Apple Technical support, and all I got was a standard form letter about how I could dispute the charges on my credit card (even though I had pointed out that it *wasn't* my credit card info). They locked my account and after a short investigation they enabled it with no indication of anything other than their form letter.
I will freely admit that my password was vulnerable to a dictionary attack, as in the past, I wasn't too worried about someone buying me lots of music, but have since changed it. However, I had no indication that someone was attempting to access my account. If someone was indeed using a dictionary attack on my account, I would have hoped Apple would notice several thousand invalid logins on an account and do something about it.
I suspect there is someone named Jason in Seattle, who is wondering why they have a $100 purchase from iTunes on their MasterCard...
This may be unrelated, but yesterday I noticed that my iTunes account had became corrupted with someone else's data. My first name, last name, address and registered CC number became someone else's info. Had I not noticed, I would have been making charges against this other persons account. Maybe someone wrote one messed up database query and screwed up a massive amount of people's payment association. Some users are starting to notice they have someone else's info and are going on a buying spree. Or people are just making their normal purchases and are unknowingly charging other people's accounts, like I almost did last night.
So you closed the vulnerability and kept the stash?
Close the vulnerability? Don't be daft man! That sounds like the kind of automatic update that is best left enabled.