Report: iTunes targeted in mystery hack

At Macworld, Lex Friedman looks at recent reports of hacked iTunes accounts, where hundreds of users say gift card credit was wiped out by purchases made without their permission. Apple is issuing refunds, but is otherwise mostly silent on the matter.

This is a mystery story, but it’s not a great one. A great mystery generally involves a detective who gathers the evidence, performs an investigation, and finally issues the spectacular reveal: the motive, the guilty party, and—if all goes well—the punishment. In the mystery of the Towson Hack, unfortunately, we’ve got a crime, evidence, and a motive, but no justice, and no real resolution. Consider yourself warned.

The Towson Hack: The mystery of vanishing iTunes credit
  1. I wonder if these are connected to that big Gawker password hack a while back. I know that after that my iTunes account bought a $50 gift card via Paypal without my knowledge (I had in fact completely forgotten that I even had a Gawker OR an iTunes account, having used both of them precisely once, and yes, I know it’s my fault for using the same username and password for both). Gift cards are famously popular with thieves because they are “untraceable” for reasons I refuse to understand.

  2. Apple told me they couldn’t tell me where, when or how my card had been used… only that it had been used. They would not discuss a credit unless I could provide a receipt for the original purchase of the card. They might as well have told me to never use an Apple gift card again. Hello… Amazon?

    1. That’s the party-line response from any credit card theft as well. Credit card companies explain that the restaurant/hotel/store is the actual victim and disseminating details of how the theft occurred only weakens consumer confidence in going back to that restaurant/hotel/store. So in that regard, Apple is only telling people the same thing a credit card company would.

      Regardless, that particular argument that the credit card holder is merely inconvenienced whereas the store is the *real* victim really irks my chickens.

  3. This happened to me a year and a half ago, so I’m surprised they’re just fessing up to the problem now. And Apple didn’t issue a refund, their stance being it was a stolen gift card and therefore not their problem. Never mind that it was their security breach, and therefore very much their problem.

    Also, let it be noted that the hacker took the credit from the gift card and then bought a bunch of other stuff using the credit card linked to my account. The only reason I knew it had happened was because my credit card company called me. Apple Support couldn’t have been less helpful, and the only solution was to never buy anything on iTunes ever again.

  4. I think Apple needs to re-examine their policies regarding their iTunes store and the App Store. Both offer more problems than solutions and are not easy to use for those of us who live in a foreign country.

    I do know that Apple has a BIG problem if they cannot solve this security issue and I wonder what other security issues will pop up in the future as their gear becomes more popular.

  5. Interesting, this is exactly what happened to me about half a year ago. I didn’t have a credit card on file so I’d just assumed someone had gotten my password (maybe the Gawker hack?) but couldn’t do anything more than use up my gift card balance. I think they bought the Sims for iPhone. Anyway, Apple refunded the gift card balance and I changed my password so I’d assumed that was the end of it.

  6. The headline is kinda misleading, I doubt iTunes has been hacked (not impossible, but unlikely)

    I’d guess it’s more likely that it’s just people being slack with passwords, the Gawker hack etc, even without getting an iTunes password, an email account password will likely grant you access to enough that you can get into iTunes.

    1. The problem is these reports are popping up from time to time, and Apple keeps saying NOTHING… they offer little to no help to the people affected.
      If it was just a password hack issue, Apple doesn’t have the resources to run the Gawker list and tell people to change their compromised info?
      Instead you seem to have a continuous breach into the Apple system, that Apple seems to be pretending has never happened as more and more people’s accounts get hit.

    1. Where are all the proponents of the walled garden now? That walled garden just ate your credit. There’s also no proof that Apple didn’t just sneakily delete it themselves. Customers (esp those who haven’t logged on in a while) then return to their store en masse to check they haven’t been screwed. Clever.

      Oh, and F YOU AGAIN APPLE. Now I have to login to your crapstore to make sure you didn’t steal/lose my money.

        1. He is actually spot on. It wouldn’t be hard at all to develop an algorithm that routinely checks if people have logged onto their accounts, then steals something small, then the stealFactor variable that controls the amount stolen increases a little bit more.

          And if people complain too much, the stealFactor variable scales back.
          It could be possible, after all, it’s a closed source platform.

        2. If you can’t keep up it’s not my problem.

          1) Apple enforces the walled garden, so without a jailbreak you have no option but to use their appstore.
          2) People use the appstore and load up credit under the assumption that everything is safer under that system, because apple ensured everyone so.
          3) People’s credit gets jacked and then the onus falls on them to:
          a) notice their credit has been used without their authorisation
          b) comprehensively prove to apple they didn’t download whatever content they have been charged for
          4) When people return to the appstore to check their credit hasn’t been stolen they will possibly make an impulse purchase that they wouldn’t have otherwise made if they didn’t log on to check their credit.

  7. The longer Apple ignore those affected and don’t release statements about the breaches the longer that they can market their products to those who aren’t aware of their poor practices as secure.

  8. Happened to me a little while back (maybe 4 months?).

    It’s worse than it sounds. The game in question was something to do with poker – a game I’d never downloaded – not even by accident. The credit was being drained via in-app purchases of this game, a game that not only have I not bought or downloaded but has also never been installed on any of my devices.

    I use a unique password for iTunes and I’m not the kind of chap to fall for phishing scams. I am convinced that someone gained access to my account either via accessing my password directly from Apple (unlikely) or managed to download this app without knowing my password, or managed to brute-force mine and several other people’s accounts.

    So 2 things here. A game was able to make in-app purchases on my account via a game I hadn’t purchased and had never been installed. And a totally secure, unique password wasn’t enough to prevent it. In short, if you don’t want this to happen, never buy iTunes Credit (for some reason it wasn’t able to use my stored card details).

  9. I can’t blame Apple for refusing to give some people refunds. Think of the cost to them! Copies of MP3s don’t grow on trees, you know.

  10. This is a simple problem that has happened before where gangs of people go to stores, look at the gift cards on display and note the numbers on the cards if they are in sequential order (A good store has several displays of cards and jumbles them all up). If they are all in order, then they monitor them nearly daily; when one is sold, they know the number of the card and they just use it on their own account.

    Simple fraud. Monitor a dozen stores in one small town and you have a few thousand quid; monitor all the stores in all the towns on one motorway stretch and you have a shed load of cash over a few months. This also works with gift cards for other e-retailers/B+M stores too. Nearly every supermarket and card shop has at least one display with gift cards and Apple/eBay/PayPal/Amazon gift cards openly available.
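
Editor's note, with an added example that is not part of the comment thread: the fraud pattern described in the comment above (watch a rack of sequentially numbered cards, wait for a serial to be activated at the till, redeem it before the buyer does) has a recognisable shape in a redemption log. The Python below is a constructed detector over constructed events; the field names, thresholds and the `store`/`activated_ts` data are assumptions for illustration, not any retailer's real schema. It flags accounts that redeem several cards from one store's narrow serial range shortly after activation, and separately counts attempts on serials that were never activated (a watcher who guesses instead of waiting for the sale).

```python
"""Detector for the 'sequential gift card' fraud pattern.  Constructed example
with made-up events; not any retailer's real system."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Redemption:
    ts: int                      # attempt time, seconds (constructed clock)
    account: str                 # store account attempting the redemption
    serial: int                  # serial printed on the card face
    store: str                   # store whose till activated the card
    activated_ts: Optional[int]  # None: card was never sold/activated (a probe)


SERIAL_WINDOW = 20   # serials this close hung on the same rack (assumption)
MIN_CARDS = 3        # distinct rack cards redeemed by one account
MAX_LAG = 2 * 86400  # redeemed within two days of activation


def probe_counts(events):
    """Accounts that try serials which were never activated.  Returns {account: count}."""
    counts = defaultdict(int)
    for e in events:
        if e.activated_ts is None:
            counts[e.account] += 1
    return dict(counts)


def flag_rack_watchers(events):
    """Accounts redeeming >= MIN_CARDS cards from one store whose serials lie within
    SERIAL_WINDOW of each other, each shortly after activation.
    Returns {account: sorted list of flagged serials}."""
    by_key = defaultdict(set)
    for e in events:
        if e.activated_ts is not None and 0 <= e.ts - e.activated_ts <= MAX_LAG:
            by_key[(e.account, e.store)].add(e.serial)
    flagged = defaultdict(set)
    for (account, _store), serials in by_key.items():
        s = sorted(serials)
        for i in range(len(s)):
            j = i                       # grow a window of serials within SERIAL_WINDOW of s[i]
            while j + 1 < len(s) and s[j + 1] - s[i] <= SERIAL_WINDOW:
                j += 1
            if j - i + 1 >= MIN_CARDS:
                flagged[account].update(s[i:j + 1])
    return {a: sorted(v) for a, v in flagged.items()}


# Constructed redemption log.  Serials 1001-1020 hang on store-7's rack.
DAY = 86400
SAMPLE = [
    Redemption(1_000 + 3600, "acct-x", 1001, "store-7", 1_000),        # 1 h after sale
    Redemption(2_000 + 7200, "acct-x", 1004, "store-7", 2_000),
    Redemption(3_000 + DAY, "acct-x", 1007, "store-7", 3_000),
    Redemption(4_000 + 600, "acct-x", 1012, "store-7", 4_000),
    Redemption(5_000 + 200, "acct-x", 1015, "store-7", None),          # never sold
    Redemption(5_100 + 200, "acct-x", 1016, "store-7", None),
    Redemption(2_000 + 5 * DAY, "acct-y", 1002, "store-7", 2_000),     # one card, days later
    Redemption(9_000 + 60, "acct-z", 1003, "store-7", 9_000),          # legitimate buyer
    Redemption(9_500 + 60, "acct-z", 5000, "store-7", 9_500),          # unrelated serial
]

if __name__ == "__main__":
    print("rack watchers:", flag_rack_watchers(SAMPLE))   # {'acct-x': [1001, 1004, 1007, 1012]}
    print("probes:", probe_counts(SAMPLE))                # {'acct-x': 2}
```

This is after-the-fact detection; it does not stop the first card from being drained. The design fix the comment hints at with "jumble them all up" is to make the visible serial useless on its own: non-sequential serials plus a separately printed, scratch-off redemption code, so that watching the rack tells the gang nothing they can redeem.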

  11. Wait…hackers broke in..and stole a bunch of crappy DRMed songs? That’s like breaking into the sewage treatment plant to steal halfway treated shit…

  12. I wonder why the billing zipcode (but not the street address) is changed. The only reason I can think of is because CC processors verify the billing zipcode against what they have for the card, which is why you sometimes have to enter it at gas pumps.

    So you break into someone’s iTunes account, change their billing zip and add a stolen card. Then you buy a bunch of crap you put on the App Store, and Apple pays your cut. You’ve just used iTunes to launder money. But that isn’t what’s happening here… On the other hand, if you had credit on iTunes, wouldn’t that get used before any card gets charged? Maybe the credit being drained is just a side effect.

  13. Also: how many people seeing unauthorized purchases are using jailbroken devices?

    This isn’t an uninformed rant against jailbreaking. Do it if you want, but remember when you jailbreak, you are giving someone else’s code (Cydia and all the apps on it…) root privileges. That code can access anything on your device, including your Apple ID and any cookies associated with it. App Store apps definitely do not have that kind of access. Everything they do goes through iOS’s APIs, which allow things like in-app purchases without revealing account details.

    Your iTunes password is never stored, and is never sent to Apple in the clear. When you log into your account at least two cookies get set on the device. One permits read-only access to your account for an indefinite period of time, allowing you to browse the store, download content, etc… The other permits purchases and changing account details for a small window (I think an hour, maybe?). That’s why you have to enter your password the first time you buy something, but then you don’t have to for a while.

    It would be trivial for a rogue app installed thru Cydia, etc… to snatch those cookies and send them somewhere, at which point they could be used on any device to purchase from your account.
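
Editor's note, with an added example that is not part of the comment thread: the two-cookie session the comment describes (an indefinite read-only token and a purchase token good for roughly an hour) is easy to model, and the model shows exactly what a stolen purchase cookie buys an attacker and what bounds it. The Python below is a constructed toy, not Apple's implementation; the HMAC-signed token format, the scope table, the one-hour TTL and the optional device binding are all assumptions made for illustration. `replay_scenario` plays out the comment's case: cookies lifted from phone A by root-level code and replayed from machine B.

```python
"""Toy model of a two-cookie store session: a long-lived read-only token and a
short-lived purchase token, with optional device binding.  Constructed example,
not Apple's actual implementation."""
import hashlib
import hmac
from typing import Optional

SERVER_KEY = b"constructed-server-key"   # assumption: known only to the store backend
PURCHASE_TTL = 3600                      # the "about an hour" purchase window
SCOPES = {
    "browse": {"browse", "download"},
    "purchase": {"browse", "download", "purchase", "change_details"},
}


def issue_token(account: str, scope: str, now: float, device_id: Optional[str] = None) -> str:
    """Mint a signed token.  exp=0 means no expiry (the read-only cookie).
    If device_id is given the token is bound to that device."""
    exp = int(now) + PURCHASE_TTL if scope == "purchase" else 0
    payload = f"{account}|{scope}|{exp}|{device_id or ''}"
    sig = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"


def authorize(token: str, action: str, now: float, device_id: str):
    """Server-side check: signature, expiry, scope, then device binding.
    Returns (allowed, reason)."""
    try:
        account, scope, exp_s, bound_device, sig = token.split("|")
    except ValueError:
        return False, "malformed"
    payload = f"{account}|{scope}|{exp_s}|{bound_device}"
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    exp = int(exp_s)
    if exp and now > exp:
        return False, "expired"
    if action not in SCOPES.get(scope, set()):
        return False, f"scope {scope} cannot {action}"
    if bound_device and bound_device != device_id:
        return False, "device mismatch"
    return True, "ok"


def replay_scenario(bind_to_device: bool) -> dict:
    """Cookies stolen from phone A and replayed from machine B, with and without binding."""
    t0 = 1_000_000.0
    dev = "phone-A" if bind_to_device else None
    browse = issue_token("alice", "browse", t0, dev)
    buy = issue_token("alice", "purchase", t0, dev)
    return {
        "owner_buys": authorize(buy, "purchase", t0 + 60, "phone-A")[0],
        "thief_buys_now": authorize(buy, "purchase", t0 + 60, "machine-B")[0],
        "thief_buys_later": authorize(buy, "purchase", t0 + PURCHASE_TTL + 1, "machine-B")[0],
        "thief_browses_later": authorize(browse, "download", t0 + 30 * 86400, "machine-B")[0],
        "browse_token_cannot_buy": authorize(browse, "purchase", t0 + 60, "phone-A")[0],
    }


if __name__ == "__main__":
    print("unbound:", replay_scenario(bind_to_device=False))
    print("bound:  ", replay_scenario(bind_to_device=True))
```

Without binding, the stolen purchase cookie works from any machine until its hour is up, and the read-only cookie keeps working indefinitely, which is the comment's point. Binding each cookie to a device identifier closes the cross-device replay but does nothing against code already running as root on the same phone, which can simply use the cookies in place; that is the residual risk of granting third-party code root.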

  14. This exact thing happened to me several months ago. I got an iTunes gift card for free from buying a printer at Office Max. After I redeemed the card, a couple of days later all of the credit was gone and in its place were horrible games that looked like they were designed and programmed by a third grader. Apple refunded my money but it looks like this is an on-going problem with no easy solution.

    This happened to me before the Gawker hack.

  15. Heh, so I fired up iTunes last night, and got the new new new super version….  I rarely use iTunes, most of my iThingys are other peoples cast offs that needed a little work.
    And I discovered something magical and wonderful, I have no CC number on file with iTunes.
    I’ve heard other people complaining that they had to fill one in, but my account is so very old and I only ever got songs from a promotion where you bought a pop and there was a code inside the cap.
    I think I might be safe :)

  16. Huh! Didn’t know this was widespread – it happened to me about 6mos ago. I found out when a purchase receipt showed up in my inbox for a bunch of games I had never downloaded. I contacted Apple right away, and they were very helpful. Full refund issued, no insinuations that I was trying to game them, etc.

  17. There could have been a breach. Or there could be an internal problem. I had a series of charges against a Bank of America credit card that I had never used (activated it and then locked it in a drawer upon receipt). BofA denied any responsibility, but reversed the charges after I argued with several call-center people. They sent me a replacement card, and six months later, they sent me a new one because the new replacement’s details had been “accidentally published by a trusted third party.” I can only assume there’s some combination of data leaks and incompetence inside their organization that they refuse to acknowledge.
