Apple confirms 400 iTunes accounts hacked

By on July 7, 2010, 10:29 AM
Apple has confirmed that around 400 iTunes users had their accounts compromised over the weekend in an elaborate scheme to manipulate the App Store rankings. The company said in an emailed statement that Thaut Nguyen and his apps have been "removed from the App Store for violating the Developer Program License Agreement." The Vietnamese developer allegedly used other people's accounts to purchase his own apps, at one point occupying 42 of the top 50 book apps sold.

According to the folks at Cupertino, App Store servers were not compromised in any way, so it's likely that affected users were victims of phishing, guessed passwords and other sorts of social engineering techniques. The company said that less than 0.0003% of iTunes users were impacted and assured that Nguyen, like any other developer, didn't receive any confidential customer data when apps were downloaded. Nevertheless, Apple advised users who suspect that fraudulent purchases might have occurred with their accounts to contact their bank, cancel the credit card in question and change their iTunes password immediately.

In response to the incident Apple is reportedly tightening security on App Store purchases -- basically, you'll be prompted to enter your credit card's CCV security code a little more often. This is certainly not the first time that users have had their iTunes accounts compromised as a result of phishing scams, but it's one of the first reported cases where an app bought using other people's accounts has dominated the charts. The incident has put fraudulent activity on iTunes into the spotlight, with reports emerging about alleged "App Farms" being used to scam users out of their money.




User Comments: 14

paynetrain007 said:

Apple would put all the blame on the user... If it was all just phishing we would be seeing this large scale in almost every online market, but we don't.

Burty117 Burty117, TechSpot Chancellor, said:

Actually it's quite small considering there are over 150,000,000 accounts and only 400 got hacked, so actually I kind of believe Apple in this respect.

I know Apple are masters of deception but I really doubt they want or are encouraging accounts to be hacked etc especially as they don't like to be known as "hackable"

Really for Apple, this is a big step for Apple in accepting they are sometimes wrong and can be aimed for attack just like everyone else.

Vrmithrax Vrmithrax, TechSpot Paladin, said:

400 is a relatively small number when compared to the total number of accounts, but it's not a small number. The thing is, hackers like this guy are smart - if they are smart enough to get the info they need on accounts, they are smart enough to keep things on a small scale and try to stay under the radar. You start making massive moves on a grand scale, and you get very VERY large dogs hunting you down, and the penalties for being caught multiply exponentially.

The problem is, this guy was smart enough to keep the number of accounts to hack small, but not smart enough to judge how his app purchases would rocket up the app store charts and raise a red flag. He either got too greedy, or massively over-estimated the sales of other competing products, which left him standing out like a sore thumb.

It's a mistake to just shrug it off and say "it was a small number" here, because odds are good that it could have been a MUCH larger number of hacked accounts if the intent and will to risk the consequences had been strong enough. But, of course, you'll never hear that from the likes of Apple, they will just fluff unicorn farts and rainbows out at the public, while keeping secret just how severe any holes in their security are. Not saying that Apple is unique in this, nobody would want to hang their laundry in public view if it's full of stains and holes.

TomSEA TomSEA, TechSpot Chancellor, said:

LOL...you do have a way with words, Vrmithrax.

kyosuke said:

... So do the users get their money back?

So it is the user's fault for iTunes getting hacked, let alone Apple didn't find it weird that 400 users were buying the same App with the same IP address?
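The pattern kyosuke points at (many distinct accounts buying the same app from one IP address in a short period) is exactly the kind of signal a store's fraud team would alert on. Below is an added example, not code from the article or from Apple, that runs a sliding-window check over constructed purchase events; the event format, the one-hour window and the three-account threshold are assumptions for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample purchase events for the demo; not real App Store data.
# Fields: ISO timestamp, account id, app id, source IP address (documentation ranges).
SAMPLE_EVENTS = [
    ("2010-07-04T01:00:00", "acct-001", "bookapp-A", "203.0.113.9"),
    ("2010-07-04T01:05:00", "acct-002", "bookapp-A", "203.0.113.9"),
    ("2010-07-04T01:07:00", "acct-003", "bookapp-A", "203.0.113.9"),
    ("2010-07-04T01:12:00", "acct-004", "bookapp-A", "203.0.113.9"),
    ("2010-07-04T01:20:00", "acct-004", "bookapp-B", "203.0.113.9"),  # same account, other app
    ("2010-07-04T03:00:00", "acct-010", "bookapp-A", "198.51.100.4"),
    ("2010-07-04T03:30:00", "acct-011", "bookapp-C", "198.51.100.4"),
    ("2010-07-05T09:00:00", "acct-020", "bookapp-A", "192.0.2.77"),
]


def parse_event(event):
    """Turn one (timestamp, account, app, ip) tuple into typed fields."""
    ts, account, app, ip = event
    return datetime.fromisoformat(ts), account, app, ip


def flag_bulk_purchases(events, window=timedelta(hours=1), min_accounts=3):
    """Return {(app, ip): peak distinct accounts} for every (app, ip) pair where at
    least `min_accounts` different accounts bought the same app from the same IP
    within any period of length `window`. Thresholds are assumed values."""
    by_key = defaultdict(list)
    for ts, account, app, ip in map(parse_event, events):
        by_key[(app, ip)].append((ts, account))

    flagged = {}
    for key, purchases in by_key.items():
        purchases.sort()                 # oldest first
        in_window = Counter()            # account -> purchases inside the window
        left = 0
        peak = 0
        for ts, account in purchases:
            in_window[account] += 1
            # Slide the left edge forward until every buffered purchase is within `window`.
            while ts - purchases[left][0] > window:
                old_account = purchases[left][1]
                in_window[old_account] -= 1
                if in_window[old_account] == 0:
                    del in_window[old_account]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_accounts:
            flagged[key] = peak
    return flagged


if __name__ == "__main__":
    for (app, ip), count in flag_bulk_purchases(SAMPLE_EVENTS).items():
        print(f"ALERT: {count} distinct accounts bought {app} from {ip} within one hour")
```

On the constructed data only the bookapp-A purchases from 203.0.113.9 trip the rule (four accounts in twelve minutes); the single buyers from the other two addresses stay quiet. In a real pipeline the same grouping would be run over NAT-aware keys (many legitimate users share a corporate or carrier IP), so the threshold is a starting point for triage rather than a verdict.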

Guest said:

umm

that's an oxymoron:

Apple Security

sounds like the old1:

Internet Security :D

SNGX1275 SNGX1275, TS Forces Special, said:

Apple didn't get hacked Guest, people's passwords either got guessed or obtained through social engineering.

Guest said:

Oh yeah you can get your money back only after iTunes tells you to call your bank and your bank tells you to call iTunes.....then your bank will tell you that you have to have a police report of how much and all that......now it's going on a week and just finally got the police report and now the bank will file fraud charges and get it back hopefully.......DO NOT STORE YOUR CREDIT CARD IN ITUNES and change your password like at least once a month.....I don't know if it will help but I cancelled the card they charged that I didn't even have stored on iTunes so I'm thinking maybe I'll be safe?????

Guest said:

My account was one of the "400" that was hacked, and it was done via password guessing (even though my password was significantly more complex than the password that Apple gave me when they restored my account - "apple0710")

My credit card company canceled my account and reversed all the charges, but Apple refuses to restore my iTunes balance that I had from some gift cards that I had gotten.

I find it amazing that their security is so weak that someone can guess the password on so many accounts all at the same time, and then when it happens they just refuse to do anything about it.

I will never buy another Apple product.

jobeard jobeard, TS Ambassador, said:

I find it amazing that their security is so weak that someone can guess the password on so many accounts all at the same time,

It's called a dictionary attack; given an account login, the cracker just starts throwing words into the password until success.

Everyone recommends we should never use

  1. personal data
    • names
    • addresses
    • birthdays
    • age
    • or any combination thereof
  2. words in the dictionary

but rather we need to use a combination like

  • UPPER case & lower case letters
  • two or more numbers
  • at least one special character in the set {@#$%&*_-=+}
  • and a total length of eight or more

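The rules jobeard lists can be turned into a policy check that a signup or password-reset form would run before accepting a password. The code below is an added example, not part of the original thread; the tiny word list standing in for a dictionary and the personal-data fields are constructed assumptions, and a real deployment would use a full wordlist plus a breached-password check.

```python
# Characters jobeard's list names as acceptable "special" characters.
SPECIALS = set("@#$%&*_-=+")

# Constructed stand-in for a real dictionary (assumption; a real check would use
# a large wordlist). "apple" is here so the reset password mentioned above trips it.
SMALL_DICTIONARY = {"apple", "password", "secret", "letmein", "welcome", "summer"}


def password_violations(password, personal_data=(), dictionary=SMALL_DICTIONARY):
    """Return the list of rules from the comment above that `password` breaks.
    An empty list means the password satisfies every rule.

    personal_data: strings such as names, address parts, birthdays or age that
    the password must not contain (case-insensitive substring match)."""
    problems = []
    lower = password.lower()

    # Rule 1: no personal data, in any combination.
    for item in personal_data:
        item_l = str(item).lower()
        if item_l and item_l in lower:
            problems.append(f"contains personal data '{item}'")

    # Rule 2: no dictionary words (substring match catches "apple0710"-style padding).
    for word in sorted(dictionary):
        if word in lower:
            problems.append(f"contains dictionary word '{word}'")

    # Composition rules.
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        problems.append("needs both UPPER and lower case letters")
    if sum(c.isdigit() for c in password) < 2:
        problems.append("needs two or more numbers")
    if not any(c in SPECIALS for c in password):
        problems.append("needs at least one special character from @#$%&*_-=+")
    if len(password) < 8:
        problems.append("needs a total length of eight or more")
    return problems


def is_acceptable(password, personal_data=()):
    """True when the password breaks none of the rules."""
    return not password_violations(password, personal_data)


if __name__ == "__main__":
    for candidate in ("apple0710", "Jsmith1985!", "Tr0ub4d&r_X9"):
        print(candidate, "->", password_violations(candidate, personal_data=["smith", "1985"]) or "OK")
```

Run against the reset password the earlier Guest quoted, "apple0710", the check reports the dictionary word, the missing upper-case letter and the missing special character. Length and composition rules limit brute-force guessing; the dictionary and personal-data rules are what defeat the word-list guessing jobeard describes, and the two sets of rules are complementary rather than interchangeable.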
Guest said:

400 Accounts? I think they need to recount. My account along with many others were attacked today and it looks like the attacks have never really stopped.

SNGX1275 SNGX1275, TS Forces Special, said:

Perhaps you should use a decent password.

captaincranky captaincranky, TechSpot Addict, said:

If your iTunes account gets hacked and your songs get stolen, who will the RIAA sue for copyright infringement, you, you and the hacker, or just the hacker? Perspiring minds want to know...

Bonus question: "If an airplane crashes on a state line, in what state do you bury the survivors?"

red1776 red1776, Omnipotent Ruler of the Universe, said:

" I'll take airline crashes for 100 Bob"

Bonus question: "If an airplane crashes on a state line, in what state do you bury the survivors?"

well you would take them back to their home towns of course and.......Oh!....you fooler!
