Anatomy of an iTunes Store account hack

Summary: An inside look at what happens when hackers get a hold of your iTunes Store account credentials.

TOPICS: Apple, Hardware, Mobility

ZDNET's Adrian Kingsley-Hughes reported on Hardware 2.0 that there's been a rash of iTunes account hacks recently. Nefarious hackers have compromised iTunes accounts containing credit card information, linked PayPal account information, and many with gift certificate balances have been completely wiped out.

While wading through a 1600+ reply thread on Apple Discussions I received an email from a colleague who relayed a similar story of his iTunes account getting hacked while he slept overnight:

I woke up this morning to let our puppy out and glanced at my Gmail inbox on my phone. I had an email from with the subject “Your account has been limited until we hear from you.”

PayPal warning email - Jason O'Grady

I assumed this had something to do with BillMeLater because I made a ~$500 purchase using BML within the last month. But then again, I have a ~$2k BML credit line and always pay it off well within the required period so this was just pure speculation.

Once I logged into PayPal, I noticed seven iTunes purchases all made around 3:45 a.m. Here's a screenshot of the iTunes purchases that were made on my account while I slept:

iTunes Store fraudulent purchases - Jason O'Grady

I use the iTunes Store mostly for music purchases but I never make seven random purchases like that – especially at 3:45 a.m. By the time I logged into PayPal, they were already all over it. All seven of the transactions were on hold and it said “Awaiting Seller’s Response”, which I assume meant iTunes. I had no idea what was going on behind the scenes but I can only assume PayPal was reaching out to them to determine whether this pattern of charges was consistent with other fraudulent activity that has been taking place via iTunes with a linked PayPal account.

PayPal account fraud quickly investigated - Jason O'Grady

My password was strong as it consisted of uppercase, lowercase, and numbers, and was eight characters long. However, I haven’t changed the password for a few years. I’m bad with changing passwords unless prompted to do so. Guess I really need to change this mindset going forward. It appears that the hacker bought a combo of apps and videos (Project Runway, Season 8).

One lesson I learned in all this was to remove my checking account as the payment source in PayPal and switch it to a credit card.

I ended up filing a PayPal dispute for each of the seven transactions. Five of them have been reversed as of now. I received an automated response for each one that was reversed just stating what their decision was. Two are still under review by PayPal.

There were no signs of “Kingdom Conquest” in the iTunes Purchase History as was noted in the blog post by Adrian Kingsley-Hughes on ZDNET on May 12, 2012.

All of the fraudulent charges on my iTunes/PayPal account were apparently gifts for “ffffffffff” (that’s 10 f’s, presumably to prevent you from counting).

Moving forward, Apple should provide more information to the victims of such attacks. Saying simply “we have reversed the purchase” isn't enough. I'd like to know how much information was accessed; for example, is my bank info now potentially in the hands of a hacker? Or was the breach limited to iTunes accounts with linked PayPal accounts? Also, it would be helpful to know how this breach occurred, and what is being done to address it, since this clearly isn’t an isolated case.

I asked these questions to Apple when I reported the problem though I assume I’ll get a vague response similar to how PayPal responded.

Update: R. Emory Lundberg adds some interesting color in a comment on Facebook:

In most instances I've seen this occur it is because either:

  • The account is brute-forced, or the same email address/password pair is used elsewhere and has been compromised there,
  • The user has had their iPhone or iPad/iPod on an open wireless network and someone snarfs their session and/or credentials.

That second one is interesting because many people just configure MobileMe/.Mac/iCloud accounts as IMAP and don't force it to use SSL or TLS and are doing plain-text SMTP or IMAP and leaking their account information that way.

Also, any email account associated with an iTunes account can be used like this, many people have several. The AppleID site can show you what addresses are valid for your AppleID. In my case I have $, $, and then a $ and my personal email accounts for FaceTime et al.
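The leak Lundberg describes in his second point, a mail client configured for IMAP or SMTP without SSL/TLS, is easy to spot on the wire: the credentials go out before any STARTTLS. The following is an added example, not code from the post or its commenters, that scans constructed client/server session transcripts and reports authentication commands sent in the clear; the account name and server names are hypothetical.

```python
import re

# Constructed transcripts ("C:" client, "S:" server); not real captures.
IMAP_PLAIN = [
    "S: * OK IMAP4rev1 server ready",
    "C: a001 LOGIN jane@example.com hunter2",   # hypothetical account
    "S: a001 OK LOGIN completed",
]
IMAP_STARTTLS = [
    "S: * OK IMAP4rev1 server ready",
    "C: a001 STARTTLS",
    "S: a001 OK Begin TLS negotiation now",
    # in a real capture everything after this point is encrypted
]
SMTP_PLAIN = [
    "S: 220 smtp.example.com ESMTP",
    "C: EHLO iphone",
    "S: 250 AUTH PLAIN LOGIN",
    "C: AUTH PLAIN Y29uc3RydWN0ZWQ=",          # constructed blob, not a credential
    "S: 235 Authentication successful",
]

SMTP_AUTH = re.compile(r"^AUTH\s+(PLAIN|LOGIN)\b", re.I)
IMAP_AUTH = re.compile(r"^\S+\s+(LOGIN|AUTHENTICATE)\b", re.I)   # "<tag> LOGIN ..."
STARTTLS = re.compile(r"^(\S+\s+)?STARTTLS\b", re.I)            # SMTP or tagged IMAP form


def find_plaintext_auth(session):
    """Return [(line_no, protocol, mechanism)] for auth commands sent before TLS."""
    findings = []
    tls_started = False
    for n, line in enumerate(session, 1):
        who, _, payload = line.partition(": ")
        if who != "C":
            continue                     # only client commands carry credentials
        if STARTTLS.match(payload):
            tls_started = True           # strict version: also require a positive server reply
            continue
        if tls_started:
            continue                     # later commands are inside TLS
        m = SMTP_AUTH.match(payload)     # check SMTP first: "AUTH LOGIN" is not an IMAP tag
        if m:
            findings.append((n, "SMTP", m.group(1).upper()))
            continue
        m = IMAP_AUTH.match(payload)
        if m:
            findings.append((n, "IMAP", m.group(1).upper()))
    return findings
```

Any finding means the account password was readable by whoever shared the network; the fix is to enable SSL/TLS in the mail account settings for both incoming and outgoing servers.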

  • Avoid iTunes like the plague

    Despite being an Apple fan and Mac user, I completely stopped using iTunes a long time ago due to my account getting hacked (despite a strong password) and then the total lack of any support from Apple or iTunes. E-mailing iTunes support led to long waits for responses and then only "canned" boiler-plate answers that had nothing to do with my inquiries, impossible to communicate with a "real" person, no phone support, etc.

    Conclusion: iTunes is "dangerous", I now use other vendors to get my media.
    • Most likely this person was hacked in some other way.

      Obviously, the overwhelming majority of users are not hacked. By this logic, anyone should avoid the internet or using credit cards as this is "dangerous".

      No issues here.
    • I stick to CDs

      Until iTunes offers lossless format I'm not interested.
      Laraine Anne Barker
      • Off topic

        And this has what exactly to do with the topic?
    • And....

      And this is besides the vulnerabilities in the software!
  • Err...

    The way I read this using PayPal seems to have helped. Most of the transactions have been reversed, and there seems no reason to suppose the rest won't be reversed.

    Am I missing something?

    Of course, PayPal could help here - putting all the transactions into one claim would help. Apple could help by not allowing "gift" purchases against a known payment method (yes, a HUGE pain to have to type those details if you want to send someone a gift - but safer).

    Is this just "brute-force" hacking? Or is something more insidious happening? Clearly this affects a lot of people, any follow-up to this would be very interesting.
    • Yeah, you're missing the fact that

      Apple and iTunes were involved therefore it's all Apple's fault. And I'll lay money right now that the person referenced in the article was phished and that's how his account was hacked. Or his "strong password" was his name followed by two numbers.
      • I'm the colleague referenced....

        and I'm not upset with PayPal one bit. They were already looking into the case before I knew what was happening. I have a good feeling my info was somehow phished, perhaps at some point over an open wifi connection of sorts (Great info from R. Emory Lundberg at the end of this blog post!).

        Apple/iTunes responded to me late last night and while the email was lengthy, it was the typical generic response telling me to change my password, remove my payment info from my iTunes account, etc. I'm admittedly surprised that they're asking me to remove my payment info from my account as that's only going to drive away sales. That's a band-aid approach to the situation. Perhaps beef up security measures and revamp the checkout process (and all of iTunes for that matter). To Apple's credit, they did say that they'd cooperate with me if provided a subpoena - but then again - it's not like they'd have much of a choice.

        As rhonin commented, it's a big concern when companies are ambiguous and dance around the fact that these aren't isolated cases, yet there seems to be little concern or effort being made to address the situation properly.

    FWIW: After having a problem with Paypal service with a disputed purchase, I never use them anymore. Much easier to deal directly with my card issuer due to Federal laws regarding disputed purchases.

    NEVER use a debit card in this situation either as it is tied to your checking account and can take a very long time to restore lost funds, if ever.
  • This is NOT an "Anatomy of an iTunes Store account hack"

    It is simply a statement that such a hack happened to "a colleague" and what they're doing post account hack.

    Yes, there are a few hints about general computing and account safety. However, there is not a bit of investigation about the actual process of the account hack.

    Your title is just click bait.
    • Exactly!

      There isn't any mention of Apple ids that are now required to have more security questions to prevent this from happening in the future. While there might be something like a rogue app that is harvesting your id & password thru in app purchases, or you could be connecting to a free wifi network that actually is a man in the middle who is spoofing an open public wifi network. If you are suspicious of public networks, just ask whoever is providing those like Mcdonald's or Starbuck's what the wifi network name is. Don't just assume it.
      • Now that you mention that, I just had

        to have answers for 3 security questions last week for Apple for my iTunes account. I want to say it was over the weekend I had downloaded a couple of new songs. I was wondering what had prompted that action, so maybe they're taking steps to increase security?
  • Biggest Concern

    Is the ambiguous or complete lack of info from PayPal and Apple.
    Things like this can/will happen. At least give me info so I can look for ways to better protect my "stuff".
  • I Was Hacked

    Luckily it was just a gift card balance, but it was almost $100 that they used up, as everyone else has said, while I was asleep. The hacker was in China, and while no one at iTunes tried to stop them, they did send me an email about "suspicious" activity on my account.

    The good part was that I called iTunes, and they were really very helpful. It was obvious that I hadn't left the country just to fake-attack my own account and then made it back from China to the US in a matter of hours so that I could call and complain. They had it resolved, the full amount back on my account within minutes, after a mandatory password change.

    But I had learned a long time ago, not to leave debit or credit card information sitting there in my account information. If I pay by credit or debit, after I've finished the transaction, I go back and delete the payment information. It's a small pain to re-enter every time you make a purchase, but definitely less painful than being tied up, trying to deal with the bank, PayPal, or the credit card companies, after this kind of thing.
  • Verified by Visa type things should be enforced

    a couple of places I use online are part of the "Verified by Visa" program. To complete a purchase, a second password, stored at Visa is required. I have to enter it in at the time of purchase. If that matches, Visa approves the transaction.

    The hacker would have to not only hack into my account at the online merchant, they would have to hack into Visa to get the second password, as it's not stored on the merchant's servers. What are the chances of that?

    Unfortunately, it is not mandatory, instead an option the merchant would request, which many don't seem to be interested in doing.
    William Farrel
    • William, that sounds like it's a good

      idea. Do you know if this is just for Visa, or do other companies like Mastercard, AE, also have similar programs?

  • PayPal Stinks

    Honestly, this is why you should NEVER use PayPal, if this were a credit card, all of the charges would have been reversed already.

    Also, I recommend using a prepaid card; with most of them, if you deposit funds electronically from your bank and meet certain requirements, there will be no fees at all. This way, the maximum you can lose is the balance on the card.
    • I actually have a separate debit account that I use exclusively online

      I only move in the amount that I'll be using (plus like 20 more, just in case) then make the transaction.

      This way if it's hacked, they get next to nothing, and I don't really lose anything. I'm a "use cash when you can person", never been much of a credit card person, though I do have credit cards.
      William Farrel
  • What Happened? Apple Needs to Inform Users

    This happened on my credit card as well. I called the credit card company and they contacted Apple. Apple acknowledged that it was not me who made the purchases, but they declined to say who it was. This happened to me many times. I deny the charges, I get credited back and get a new card. I wait awhile, charge at several places to see which place had got a hold of my credit card info. Nothing, so I register it on iTunes, and that night, it happened again. So each time, I have to wait for a new credit card.

    I told my credit card company to not allow iTunes purchases. I got my new card (I only use one card for on-line purchases) and now I only buy iTunes gift cards and make my purchases via them.
    • Don't think it's iTunes

      Sounds to me like you have another security issue rather than iTunes. If it was iTunes then it would have continued with the gift cards.