Anatomy of an iTunes Store account hack

An inside look at what happens when hackers get a hold of your iTunes Store account credentials.
Written by Jason D. O'Grady, Contributor

ZDNET's Adrian Kingsley-Hughes reported on Hardware 2.0 that there's been a rash of iTunes account hacks recently. Nefarious hackers have compromised iTunes accounts containing credit card information, linked PayPal account information, and many with gift certificate balances have been completely wiped out.

While wading through a 1600+ reply thread on Apple Discussions I received an email from a colleague who relayed a similar story of his iTunes account getting hacked while he slept overnight:

I woke up this morning to let our puppy out and glanced at my Gmail inbox on my phone. I had an email from service@paypal.com with the subject “Your account has been limited until we hear from you.”

I assumed this had something to do with BillMeLater because I made a ~$500 purchase using BML within the last month. But then again, I have a ~$2k BML credit line and always pay it off well within the required period so this was just pure speculation.

Once I logged into PayPal, I noticed seven iTunes purchases all made around 3:45 a.m. Here's a screenshot of the iTunes purchases that were made on my account while I slept:

I use the iTunes Store mostly for music purchases but I never make seven random purchases like that – especially at 3:45am. By the time I logged into Paypal, they were already all over it. All seven of the transactions were on-hold and it said “Awaiting Seller’s Response”…which I assume meant iTunes. I had no idea what was going on behind the scenes but I can only assume PayPal was reaching out to them to determine whether this pattern of charges was consistent with other fraudulent activity that has been taking place via iTunes with a linked PayPal account.

My password was strong as it consisted of an uppercase, lowercase, numbers, and was eight characters long. However, I haven’t changed the password for a few years. I’m bad with changing password unless prompted to do so. Guess I really need to change this mindset going forward. It appears that the hacker bought a combo of apps and videos (Project Runway, Season 8).

One lesson I learned in all this was to remove my checking account as the payment source in PayPal and switch it to a credit card.

I ended up filing a PayPal dispute for each of the seven transactions. Five of them have been reversed as of now. I received an automated response for each one that was reversed just stating what their decision was. Two are still under review by PayPal.

There were no signs of ‘Kingdom Conquest” in the iTunes Purchase History as was noted in the blog post by Adrian Kingsley-Hughes on ZDNET on May 12, 2012.

All of the fraudulent charges on my iTunes/PayPal account were apparently gifts for “ffffffffff.” (that’s 10 f’s -- presumably to prevent you from counting).

Moving forward, Apple should provide more information to the victims of such attacks. Saying simply “we have reversed the purchase” isn't enough. I'd like to know how much information was accessed, for example, is my bank info now potentially in the hands of a hacker? Or was the breach limited to iTunes accounts w/ linked Paypal accounts? Also, it would be helpful to know how this breach occurred. Also, what is being done to address it since this clearly isn’t an isolated case.

I asked these questions to Apple when I reported the problem though I assume I’ll get a vague response similar to how PayPal responded.

Update: R. Emory Lundberg adds some interesting color in a comment on Facebook:

In most instances I've seen this occur it is because either:

  • The account is brute forced or the same email address/password pair is used elsewhere and they've been compromised,
  • The user has had their iPhone or iPad/iPod on an open wireless network and someone snarfs their session and/or credentials

That second one is interesting because many people just configure MobileMe/.Mac/iCloud accounts as IMAP and don't force it to use SSL or TLS and are doing plain-text SMTP or IMAP and leaking their account information that way.

Also, any email account associated with an iTunes account can be used like this, many people have several. The AppleID site can show you what addresses are valid for your AppleID. In my case I have $username@me.com, $username@mac.com, and then a $family@otherdomain.com and my personal email accounts for FaceTime et al.

Editorial standards