Watch your iTunes accounts! App Farms being used to steal.
iTunes accounts hacking more widespread than initially thought. The facts, and what you should do.
By Zee, July 4th, 2010
On Sunday we reported details of how one specific app developer had managed to hack iTunes users' accounts and use them to purchase his own apps, making it to the top of the iTunes charts.
As the story has developed, the problem has grown far more serious than initially thought. It is not just that one particular developer and his apps: the Apple App Store is filled with App Farms being used to steal.
This post will give a complete rundown of what we know and will continue to be updated as we learn further details.
Folks, this is still happening, and it seems to be becoming pretty widespread. There is a MASSIVE thread on Apple Support about this, currently at 90 pages. It was started in November 2010, but nearly 25% of the posts have come in the past month, from about page 70 onward.
Apple Support Communities are user-to-user, not technical support. I take the support community with a grain of salt, where literally anyone can post and there is little responsibility or verifiability to any post there. Not all the posts, of course, are from people who have had accounts hacked.
In a large community with above-average income (stats for Apple owners) I suspect people also have equally bad password practices. All of these reports seem to point to the users' credentials being harvested, not the servers being attacked.
I.e., have a good password, don't give it out, and change it once in a while.
Are y'all seriously saying it's the users' fault? Why would people post in that thread about their accounts being compromised if it didn't actually happen to them? I HAD a strong password composed of a jumble of letters and numbers. Now I have an even stronger PW incorporating upper and lower case and other symbols. There is no way someone could have "guessed" my password.
Check this first post on page 77, where a user refers to some program called "Apple Hack" that is being used to break into accounts. I believe that post was previously removed by Apple, and then MadScientistZ reposted it there, probably from his e-mail notification (removed posts still appear in e-mail to those who are subscribed, before they are removed from the thread).
No, I am saying that the Apple Support Communities are user-to-user forums open to anyone who creates an Apple ID and posts; there is no way to verify any claims.
And not every hack is Apple being hacked. Sometimes it's your own computer, or if you have an iPhone, iPod or iPad and you jailbroke it, any number of Cydia or other non-App Store acquired apps could actually be harvesting your passwords. It's been a long time since I had a new device, but (on a computer at least, not sure about iDevices) don't you have to verify that computer and authorize it before it can use your iTunes account? So obviously they're getting more information than just your password. Likely a link got malware or spyware into their computer and got their account info that way, or got into their jailbroken iDevice. I'm not saying that Apple couldn't possibly have been hacked, because it absolutely is totally possible, but more likely the users themselves got hacked. iTunes is the most popular music store on the internet, so obviously people are going to be targeting people who have iTunes. And it's way easier to hack someone's computer than iTunes itself.
A large number of reports in that thread describe people redeeming iTunes cards, then getting hit within a few days for an amount almost equal to the entire card, which is what happened to me. They seem to only be targeting accounts with a credit balance. Also the purchases being made are either Chinese or other Asian-language apps, or in-app purchases for gambling or role playing games. There's just too much commonality there for it NOT to all be related.
As for computer authorization, as long as there aren't already 5 computers authorized, anyone can authorize any computer to make purchases on your account if they have your user ID and password.
What is most troublesome to me is that when my account was compromised and an unauthorized purchase was made, I got an email from Apple saying a purchase was made with a device not associated with my account. Yet they still let the purchase go through until I disputed it. They knew it wasn't any of my devices and yet did nothing to stop it. Almost everyone who has posted in that thread on the last 20+ pages reports getting the same email from Apple. It's obvious Apple has a problem with security, yet they take no responsibility for it and seem to be in no hurry to address this issue.
Last edited by PatrickGSR94; 03-13-2012 at 12:18 AM.
Hold on, what is the obsession with the Apple Community Support forums? They are user-to-user only. Apple takes no liability for what is posted there and doesn't provide technical support or customer service through its user-to-user forums. It is user-to-user only. Read the terms of service for Apple's Community Support forums. If you want Apple's technical support or direct help, use the proper channels: contact Apple customer support or go to an Apple Store, or use their online customer service or AppleCare.
What's interesting about that Apple Support forums topic is that people are claiming their iTunes accounts and logins are being hacked and compromised. Both the Apple Community Support forums and iTunes use your Apple ID account to log in. How can people log in to the Community Support forum if their account is compromised?
It doesn't matter what forum it's on. I just happened to find that thread through a Google search of "itunes account hacked" after my account was hit with fraudulent, unauthorized purchases. I'm just trying to bring awareness to the issue, the issue that thousands of accounts are getting hacked, more and more every day, and Apple is not doing anything to try to prevent it from happening. It's well known that there is no support from Apple provided through those forums, and there is speculation as to how much Apple employees even read those forums.
It's most definitely not the customers who are at fault here. Many people are getting hit with these unauthorized purchases, people even with super-strong cryptic passwords. People like me who have been around computers and the internet long enough to KNOW not to enter IDs and passwords from e-mail links (that's just dumb). All I did was redeem a $25 gift card on a Thursday (using my PC), purchase a $1.99 fitness app from a highly-rated and well-known developer on Sunday (MapMyFitness) using my iPhone, and some time after midnight on that Monday my account was cleaned out to about $1 left. The free RPG app Galaxy Empire was downloaded on some other device, and an in-app purchase of $19.99 in game credits was made. There was absolutely, positively NO breach of security or information from my end.
The interesting thing is that many of these occurrences have happened to people that don't even have an iPhone or iPod Touch and don't purchase apps at all, ever (people with regular iPods only, for instance).
I can tell you that when my account was compromised, I immediately changed my password, and contacted Apple about it. Then they disabled my iTunes account, at which point I had to change my password a second time. During that entire time I was still able to log into and post on the Apple support forums. Apparently having your account disabled prevents any purchases, but does not prevent logging into the support forums. Indeed, I was still able to log in and view my account details in iTunes even with the account disabled.
Here's another thing: it appears that these hackers are mainly targeting accounts with credit already on them, and most of the time the payment information tied to the account is changed or removed. In my case, my credit card was removed. I do not believe my credit card was breached, however. Some say it's because the perpetrator does not have the CC's security code, so they just remove it completely from the account. But I monitor my bank and CC accounts daily and will take quick action if I see anything there.
The fact that accounts with store credit are being targeted, and similar or identical apps and in-app purchases made for so many of these instances, really points to a security problem with Apple. I think the whole thing could be solved with stronger security protocols as it relates to authorizing devices to make purchases on an account.
It does matter. Apple's community support forums are definitely not, in any way, a scientific head count or tally of any issue reported there. Welcome to the internet. There is no way for you or me to validate any of those claims.