My iTunes account was hacked on Friday, I didn’t find out until Sunday night though because that was when I tried to log in to my account after it had happened.
Watch out for these signs (Apple support didn’t even consider that I had been hacked when I contacted them):
The hackers changed my account ID and my e-mail address to something similar to what they had been before but different. This allowed them to charge two $50 iTunes gift certificates to my card without me being notified (because they had changed the e-mail address on the account).
When I tried to log into my account on iTunes, I got weird errors about my account id or password being incorrect. When I tried to recover my password on Apple.com, I got an error saying that my account ID was not in the system. When I tried to get my account ID, they couldn’t find it (since the hackers changed my e-mail address). Of course, I could not log into the support site to try to report the issue since it requires my Apple ID. Luckily I found the iTunes store form that let me contact support via the web without logging in and they were able to tell me that I had changed my account ID and e-mail address. I was able to log into the new ID that the hackers made with my old password, which was really lucky since Apple support was clueless about what had happened.
Why didn’t Apple notify my previous e-mail address when the change was made? That is a basic security process that many other sites use. There is a pretty clear pattern of fraud here as well, account information is changed and then large purchases are immediately made. Shouldn’t Apple be looking for this kind of thing?
I have contacted support to find out if they have a process for dealing with fraud, but I can’t help but feel that Apple’s security is somewhat to blame here. I’ll let you know what Apple suggests I do.
I also posted the above on the Apple support site here. Please spread the word so that others aren’t ripped off.
On a side note, I can’t help but wonder how my account got hacked. I’m pretty wary of phishing scams, and that kind of thing. I’m always extremely careful with this kind of stuff. The only thing that occurs to me is that the same day my iTunes account got hacked, I created an account on artaculous.com. I used the same e-mail address (of course) and in this case I was lazy and used the same password as my iTunes account. I generally try to avoid using the same password twice, but it does get hard to remember them all without reusing them sometimes. I have since gone and changed every password on every site that I have accounts on, just in case. I’m not saying that artaculous.com is some phishing scam, but the coincidence is rather odd…
I’ll update this post as I get more info from Apple. Please add a comment if you have heard about this scam or have more information or suggestions.
[Update: 6/29/09, 11:26pm]
Of course, I changed all my passwords on every site I could find an account on today. My e-mail is full of account update notices from a zillion large and tiny companies… Except Apple. I changed my Apple ID (Twice!), my password (Twice!), my security question, my mailing address. Exactly zero messages from Apple letting me know in case it wasn’t me. This really is pretty weak security on Apple’s part.
[Update: 6/30/09 9:09am]
One of the iTunes gifts certificates had been sent to a gmail address. I tried to find a way on the gmail site to let them know that an account was being used or involved in a crime, but couldn’t find a way to do it. Seems weird because I don’t think you need the certificates mailed to you to use them, just the code. The second certificate had not been mailed or had the e-mail addy cleared. Can’t Apple track the IP address of whomever uses the gift certificates to track back to the people who hacked my account? Will they bother? Still waiting to hear back from Apple on letting them know that my account was hacked. Would call their number or try to see a genius, but I’m in jury duty right now.
[Update: 6/30/09 2:04pm]
Apple has responded (excerpt):
I understand you are concerned about purchases that were made with your iTunes Store account without your permission or knowledge.
I know it can be discouraging when fraudulent charges are made on any type account whether it’s your bank or iTunes.
I urge you to contact your financial institution as soon as possible to inquire about canceling the card or account and removing the unauthorized transactions. You should also ask them to launch an investigation into the security of your account. Your bank or credit card company’s fraud department should then contact the iTunes
Store to resolve this issue. The iTunes Store cannot reverse the charges.
Basically, they are pushing this back onto me to deal with my credit card company on. Not overjoyed with this, but fair enough, most people thought that was what they would do. I am a bit concerned that they believe that my credit card could also have been compromised because of this. I thought that my credit card info wasn’t exposed. If credit card info is exposed through iTunes and their security is so lax, I’m going to be wary of giving them any info in the future. I’m also concerned that they aren’t saying that they will do anything to pursue the person who did this. I would like to feel that Apple actually cares about this instead of just blowing it off.
[Update 6/30/09 10:36pm]
Found these links with more info about iTunes account hacks:
- Article from The Register on Apple accounts being hacked
- Article from dropsafe – great suggestions in the comments
- Really important article from dropsafe, see the part at the end – Even changing your Apple ID doesn’t protect you because Apple has made it easy to get that info again, so once you are hacked it is easy to hack you again unless you change everything (and it still isn’t really very secure).
- Apple’s security is so bad, there was a class action lawsuit about it
[Update 7/2/2009 9:43am]
Apple (correctly) disabled my iTunes account when I reported that it was hacked. They didn’t actually tell me this though, so I didn’t find out until I tried to use it to update my iPhone apps. What did they need to re-enable it? My billing address. Where was my billing address info stored? In my iTunes account. Since that was pretty unlikely to change after a hack, it seems a pretty weak way to verify my identity. I pointed that out in my return mail, but so far iTunes support has ignored all my questions and comments in my messages to them. I guess that is policy, but also a bit lame. I also may have figured out why the hackers didn’t change my iTunes password. I did find a message from Apple in my spam folder notifying me that my password had changed (from when I changed it after getting my account back).
There was enough info in my account that I’ve had to cancel my credit card, and I’m going to need to be extra vigilant for identity theft moving forward. Since then, I’ve changed my payment method to none in the iTunes store. I may have to enter credit card info each time, but that now seems like a minor inconvenience. I have also changed all my other info to be completely bogus so that if someone does hack it again, they won’t have any useful info on me. Why does Apple need by birthday (not birth date for age verification, but birthday)? I’m going to do the same with my other accounts and would suggest it to anyone else concerned about this kind of stuff.
[Update 7/6/2010]
A year later, tons of reports of other accounts being hacked, including several on this blog. Thanks for adding your voices. Meanwhile, Apple has changed NOTHING on their iTunes security processes. They continue to push the blame and responsibility on their customers and the credit card companies. Now, there are reports that iTunes store and account hacking is not only more widespread than has been thought, but also very well organized. When will Apple take some responsibility?
Seriously, set your payment method to None now if you want to avoid having to deal with this pain. It sucks to have to enter in the data every time you make an iTunes purchase, but it sucks a lot less that having to get a new credit card because someone hacked your iTunes account. Trust me on this one.
[Update 12/26/2010]
I was buying some apps on iTunes today. I still keep my payment info set to none and my address set to my non-billing address as a rule and change them when I want to actually buy anything. It is still a massive PITA, but probably helps me avoid dumb impulse purchases 🙂
I noticed something different today, when I changed my payment and address info, I immediately got a message from Apple about the change, and then another one when I changed it back. This is new, and this is good. A trivial change from Apple, and certainly long overdue, but a very positive step.
[Update 3/22/2013]
Apple has now enabled two-factor authentication on Apple accounts. If you are worried about your account being hacked, it would be a good idea to take advantage of this. Here are instructions from lifehacker on how to turn it on.
The exact scenario you are describing just happened to me. Only I just discovered it yesterday! I am so frustrated.
My apple id was changed to something similar to my address, but with a gmail.com. They also charged a $50 gift certificate on 6/29/09.
I have been in contact with apple, after describing all of the events, at first she actually told me to log on to the iForgot website and change my password. I said “are you kidding me?” the email address that was changed on my account is not mine! I have no access to that email. I will just be sending this person my new password!”
On a side note, the fraud department for my AmEx card called me last Thursday and said someone in the Netherlands tried to charge $199 item to my account. They denied the charge and are sending me a new card. I think this is tied to whatever happened to my iTunes account.
I totally empathise –
I too have had issues with fraud on my credit card on the iTunes App store.
From the day after I registered my credit card on the app store (3 Aug ) till 12 Aug there were 14 fraudulent transactions on my card.
What makes my case slightly different is that I had no fraudulent activity on my actual iTunes account but rather various declined authorisation fees from lastminute. Some successful transactions for EasyJet and some online telephony service safebillinc.com (ironic I know). I live in South Africa – these were all UK based transactions. Then there were 3 transactions from Telkom ADSL – our local telephone service company.
How that happened is beyond me.
I had to laugh when I read Apple’s response to your problem.
After looking online for about an hour to find a PHONE number to speak to a PERSON – after holding for 10 mins – I got redirected to the website to send an email.
The response I got was:
“I understand you are concerned about iTunes Store purchases that were made with your credit card on someone else’s account. I can certainly see how disappointing this would be and I’d be happy to provide any information I can to help.
I’m glad to hear that you have cancelled your credit card and disputed the unauthorized transactions. A member of your credit card company’s fraud department will contact the iTunes Store directly to resolve this issue. I am sorry, but I cannot reverse those charges for you.
If you suspect you are the victim of identity theft, consider following these recommendations:
– Contact the fraud departments of any consumer reporting company to place a fraud alert on your credit report.
– Close the accounts that you believe have been used without your knowledge.
I sincerely hope that you are able to resolve this matter with the help of your credit card company. I will definitely take the appropriate steps on my end to be sure that this issue is made aware of.”
Sound familiar or what?
I have also changed my itunes account to reflect no card – only free apps for me for now.
I have cancelled the card – moaned to my bank but I guess other than waiting for all the charges to be reversed (once the letters of dispute have been assessed) it’s out of my hands now.
I think Apple really need to wake up and take these security issues seriously.
Hi,
a bit late, but I just wanted you to know that there’s definitely NO possibility of you account being cracked up by using passwords you used on artaculous.com – all Passwords are stored as encrypted hashes and so even the artaculous team doesn’t know them!
So hope you further enjoy our platform and note that we’ve NEVER been engaged in any type of phishing or anything else. Just a portal from artists for artists, that’s it.
regards
Patrick
Ok this just happened to me 2 weeks ago the same exact thing. American Express called me and asked if I had made purchases from Itunes in the amount of 41.59 three different times. When I said no they (American Exp) stop authorization on the card and canceled it for me. Itunes did not notify me I had to notify them by means other than my Itunes account since I was locked out of it due to my password being changed. Most of my charges were game apps @ 9.99 per app, several country Christmas songs, then alot of ganster rap. I am still haggling with Itunes about an outstanding balance of 39.58 they want me to pay before I can download any thing else. Their response is that the items were downloaded to an authorized computer,I say it had to have been an alien teenager due to the content of the purchases and that no one has used my authorized computer. I actually have to go ahead and make the purchase before they will remove the balance. My question to them is where will the content of the download actually go? Boy what a mess!!!
Again, a little late to the game but it happened to me too. I suspect their outsourcing company (which I know they use after spending countless hours on the phone today trying to get my “authorizations” reset) has employees who know of this exploit and are using it. Honestly, it’s an easy fix for someone who has access to that information – pick people who have different email addresses (which mine was) which are likely to still be available through free services such as gmail or others (in my case it was justone.com), change the extension on it in the apple record, register the “new” email and go forth with your purchases. Sad because I was a huge, huge Apple advocate.
Yep, just happened to me. This has been helpful knowing I’m not the only one. However, it’s also frustrating knowing that Apple won’t do anything. I’ve been a big fan of them, but this really pisses me off. I have over $500 charges to my itunes account. I’m really hoping the bank will be able to do something since it clearly sounds like itunes won’t.
I do have a question…I can’t even get in to see what they changed my email to. I’m not even a registered user anymore because they must’ve changed my name as well.
You should be able to contact Apple support via phone on this or go into a mac store and bug the genius bar workers. They should be able to look up your old contact name. That really sucks though. It seems like there is a concerted effort here to hack iTunes accounts. If Apple keeps refusing to acknowledge it or take any responsibility to improve things, it might be time to start trying to get some press attention on it.
Sounds like a lot of us have become victims but Apple chooses to do nothing to help. Does anyone think that a class action lawsuit would help with this matter?
WOW. Went to pay my Visa today and saw that there was over $600 in charges from itunes that were not mine.. I hardly use itunes. Anyway, called visa, cancelled card and chatted online with Guy P from Apple. Itunes account is on hold, new visa card is in the mail. Can’t believe this happens?? Seriously everyone, it’s Apple, Can’t they fix this problem?
Happened to me also. After calling tech support for the iphone and doing a web chat both recommended I send an email.
Apple, thanks for the support. I guess I am glad I found it with only $1.29 charged so far.
Shcoked at the lack of help when the guy on the phone is acknowledging there is a fraud issue here.
This just happened to me over the last 2 days. EXACTLY like it happened to you, except my damages were several hundred dollars, to the point where my checking account is now overdrawn by $400. I can’t believe Apple won’t address this issue!
Me too. I went to use my debit card on Saturday and it was declined. I was a bit confused but being a Single Parent with a Disabled child my bank balance is never exactly healthy. So assumed it was direct debits going out early or something. Checked my account online today and noticed 5 itune debits had emptied my account. The bank won’t help but have cancelled my card. The itunes account has loads of downloaded items that I would never use and my address has been changed to China. Gutted…
I had the same thing happen in May 2010 almost the same as everyone else. Bank of America replaced the $480 that had been taken out of my account but if Apple won’t back out the charges they will take the monies back. At this point I haven’t heard what is going on but hope to soon. I too am disappointed with Apples lack of support.
Just to let everyone know; this is still going on. It happened to me two days ago. I notified Apple and they disabled my account but did nothing else. They told me to contact my financial institution and cancel my credit cards. I found that strange since the card number did not show up on the account. Does this mean that Apple somehow gave them the entire card number and other information? Since it looks like this has been going on for about two years, Apple appears to have a serious security problem that they have yet to resolve. This needs to get out to the mainstream media. I can’t believe how unbelievably bad their customer service is.