Hacked! iTunes account compromised

After working on the web for almost 15 years, 12 of those working in Information Technology, and doing a considerable amount of work in computer forensics and security, you’d think I picked up a thing or two about how to protect yourself online. Nonetheless, I got hacked. Specifically, my Apple iTunes account was hacked.

Synopsis on how it went down…

  • Was trying to update an app on my iPad. After submitting my iTunes password, I kept getting incorrect password errors.
  • I went online to my iTunes account and reset the password. I was then able to log into iTunes, but my apps appeared to be associated with a different account. I figured something got corrupted with my account.
  • Contacted Apple support, and was eventually transferred to their iTunes support staff. It was explained that my username was changed (it was a derivative of my previous username) and they’d help me clear it up.
  • While on the phone, I was able to connect…but then…apps that I never purchased started downloading. RED FLAG. I explained this to the support staffer, and we looked at my purchase history.
  • Sure enough, on 2 occasions in the past week, iPhone apps were purchased on my account without my knowledge. Since my credit card info was contained in my account, anyone with access to my account could make purchases. Total charged was around $40.
  • Apple support confirmed that they were originally downloaded to an iPhone serial number NOT belonging to me. Bing…fraud.
  • Support staff suggested I change my username and password (which I did) and to contact my Credit Card bank.
  • I reported fraudulent activity on the card to my bank and had it canceled. The good news was we determined that no other fraudulent purchases took place. Thankfully, the bank has agreed to reimburse me the $40.

The last thing I did was (and which I HIGHLY recommend you do) remove my credit card info from my iTunes account. After doing some Googling on ‘itunes account hacked’, it seems that this problem might be widespread and under-reported.

My account password was pretty strong and I do not engage in risky online behavior. Without having access to more information, it’s impossible for me to determine how the hack took place. If I had to guess, some rogue outfit has figured out a way to brute-force password crack iTunes accounts.

Using strong passwords and practicing good computer security habits isn’t enough to avoid getting hacked. Stay on top of bank and credit card activities as well and call your bank immediately if you suspect any fraudulent transactions.

Author: Craig Berry

Craig Berry is a Catholic web developer and musician.
Connect with him online.
  • http://brianhgill.com/ Aluwir / Norski/ Brian Gill

    Thanks for sharing this: and the detail. Like you said: “Stay on top….”

    • Sara M

      I just read your story about being hacked. Be thankful it was only $40. Some jerk hacked my account which was tied to my paypal account and charged up over $500.00 on my check card. I am pretty sure I will get reimbursed from my bank. But what a nightmare. :(

  • http://www.thecompassnews.org Sam Lucero

    This alarms me. I received an e-mail from my iTunes account several days ago that said I downloaded a few free iTunes songs. Since they were free and did not use my account funds (probably a $1), I didn’t give it a second thought. Tonight I’ll go in and see if I can still access my account and change my account info. Thank goodness I didn’t have a credit card associated with my account.

  • David Wilson

    My wife’s account was just hacked as well. We only interface iTunes via our phones.

    Fraudulent charges showed up so we changed our passwords, and I made sure she had a strong one, and the very next day there were more charges.

    Remove your cards ASAP!!

    I’m done with iTunes.. I’ll never buy from them again. They have done nothing to improve security or prevent brute force attacks.

  • cdncatholicman

    Thanks Craig for letting us all know.

  • Robert

    My iTunes got hacked this morning! Someone gained access to my account and downloaded $300 worth of music and videos. Of course Apple was not helpful in resolving this matter and my Bank tells me they can’t do anything until the payments get made to iTunes. Only then can I dispute the purchases. Aaargh!!

  • Navi

    ya, and how do you phone itunes support? I had the same thing happen and looked all over the website with no luck.

  • Craig Berry

    Agree…not easy to find…and for something like this, you DO NOT want an automated teller.

    http://www.apple.com/support/contact/phone_contacts.html

  • Kevin

    This is definitely under reported! I have been working in the Information Security and Risk industry for 15 years now and know how to practice safe internet usage, but just a few days ago I believe my iTunes account was hacked. I received an invoice listing 4 applications purchased that were unauthorized by me. I have no idea how this would have happened, but Apple is avoiding all responsibility on this topic and have set their systems up to thwart innocent victims from reporting this and getting credit back. Luckily the amount of the fraudulent purchases on my account went against my iTunes store credit from a gift card I loaded and I caught it early enough to 1) change my iTunes password and 2) remove my Banking credit card information from iTunes. Apple has a serious security issue on their hands and they are refusing to acknowledge it. This has completely eliminated all my trust in them as a company. As soon as my iPhone contract expires in Feb. 2011 I will be ridding my household of all Apple related products. The hackers can take my last $1.35 iTunes store credit and that will be the last of the money that Apple gets from me.

  • http://$7000inITunefraud Pam

    Someone hacked my account overnight and downloaded $7000 worth of stuff. Cannot get a live person to talk to, only email. Even called Apple tech support to see if there was a back door phone number and no luck with that. Meantime my credit card fraud department is now on it. How is it possible that Apple cares so little that there is no person to talk to?

  • Robert

    Found your blog doing a search on this problem. Our iTunes account started showing a whole bunch of Japanese cartoon book apps for iPhone. We had a debit card attached to our iTunes account, and now we’re out $200. Had to call the bank and cancel the card, and am waiting to see what they will do. In the meantime I called the support number listed above. The first time they sent me to the iTunes support page where I found the only way I could get through was to give the serial number of the hardware, so I called the number again, explained that I have an iTunes problem, not a hardware problem, and the lady transferred me to another department. Just as the phone call began I was disconnected. Yippee!

  • Brian

    Same thing just happened to me and my password was pretty damn secure so I agree with you that Apple has a security vulnerability that they need to take care of. Mine were all Japanese songs and a few iPhone and iPad apps that were purchased.
    I called credit card company and disputed, cancelled the card, removed card from iTunes, deauthorized ALL devices in iTunes.
    Not fun!

  • Lew

    $150 charged to my account on June 10. Can’t believe I left my card info on itunes! My BAD! Could have been a lot worse. Companies get hacked. Even the best ones. But when a company that has crappy support gets hit then the problem is especially frustrating. Guess I assumed that itunes was like Apple and virus (hack) free. Dumb.

  • Meredith

    This happened to me this morning – about $90.00 charged to the debit card on my iTunes account. I cancelled the card through my bank and I am now waiting to get an email back from the iTunes billing dept. From everyone else’s experiences it doesn’t seem like I will get reimbursed from iTunes :|

  • Ricky

    Happened to me too. $200 in charges.

  • Mario
  • Steve

    My iTunes account got hacked today to the tune of $300. Credit card company called me to ask about the suspicious charges. Apple told me they have ZERO phone support for iTunes and I need to email support. Apple doesn’t care one bit.

  • Joe

    yeah it happened to me yesterday. Some person bought $400 worth of music. Right now I am also waiting for my email from iTunes support back. I reported every song and still haven’t gotten any responses from Apple. Right now I am frustrated and I do not believe I will get my money back. I highly recommend never to use iTunes again because they really don’t care about your problems.

  • Bill

    It happened to me yesterday also, about $40 of Asian music. No email reply yet from Apple. I can’t believe anyone would buy any Apple product given their total insensitivity to customers.

  • Dave

    I’d like to be added to the list of people getting their iTunes accounts hacked. Fortunately AX noticed it and put a hold on my account before they got too far. Sitting here wondering how they did it. I’d also like to agree with the lousy iTunes Apple support, I can’t even get someone on the phone to do something about it.

  • A

    Just happened to me today (June 30) as well. Woke up to about $400 worth of charges. Credit card company was alerted, card cancelled. Hackers had good taste in music, though.

  • Big E

    They got me for 200.00, my bank covered the charges. Apple’s customer service sucks but why would they care if we get ripped off they still get paid whether we authorized the purchase or not. It’s too bad they are not as concerned about our getting ripped off as they were when that iPhone 4 test phone was left at a store and picked up by someone else. My solution, other than not doing any business with Apple which ain’t gonna happen here cause I am addicted to my iPhone. It is a “cool tool”, is when you want to buy an APP or a song from iTunes go get an iTunes card for the amount closest to the price and pay for it that way it’s not as easy as having your credit/debit info attached to your iTunes account but a lot cheaper

  • kcbnme

    Got me too…$260 in charges to my credit card. Funny thing is I have no problems logging into my account…password and user ID are still the same, and none of the purchases show up in the purchase history for my account. Somebody got my card number somehow and must have attached it to a different account. There were two charges, and since one is still pending I can’t dispute yet unless I want to do the whole thing twice. So I am out $207 something and have another $50 something pending, and once that posts I can complete the dispute with my bank. Frustrating!! And no way at all to contact Apple about it.

    My bank seemed familiar with the problem…asked me right off if I had my CC stored with itunes and if I had trouble logging into my account. I must not be the only one calling them about it, and it’s only a local credit union with branches only in the city I live in.

  • Samantha

    Add me to the hacked account list. got a receipt for Itunes @ 9:27 PM Friday 7/2/10. Whoever it was purchased Item
    1 Angry Birds, v1.3.4, Seller: Clickgamer
    2 FatBooth, v1.0.1, Seller: PiVi & Co (4+)
    3 MyPhone+, v2.5, Seller: Ultimake Ltd. (4+)
    4 VietPop – Nhạc Việt, v1.3, Seller: Quan Le

    I mean, FatBooth is seriously ridiculous. I’m trying to lose weight, there is no way I would buy a “make yourself look fat” program. . . and VietPop is a HUGE giveaway. I’m not vietnamese and I’m not remotely interested in the music. My last Itunes purchase was about 3 weeks ago and I know exactly what that program was.

    The guy on the phone I managed to get a hold of was very nice. I told him my issue and he said he’d get it over to tech support/billing and they would get it fixed. Supposedly, they can recognize IPs that are different than your phone and computer.

    I, unfortunately, don’t have the option of logging in and changing my password or removing my info. Whoever hacked my account was smart and changed my birthdate and possibly my email. I only noticed because the bill came to my email address. But the password reset won’t come to my email, so I’m screwed in that respect. Hopefully this gets resolved before I lose more than a few bucks.

  • Howar

    Add me to the list. My iTunes account was hacked for $300 last night. It is impossible to talk to anyone at iTunes. This has been an eye opener for me. Everyone talks about how great Apple is. Not true. They don’t give a rip.

  • JBuell

    I just received two emails from PayPal saying that I sent a payment to iTunes store for $41.86 & $4.99.

    I logged onto my iTunes account & it doesn’t show any purchases from my account for the last 90 days.

  • KarenB

    I got hacked!
    About $150.00 via paypal!
    Account names and passwords have been changed. Apple, PayPal and my bank informed. A stop put in on any purchases going forward. Good thing because there is another 15 bucks waiting to be paid!