
Tuesday, July 6, 2010

Apple says only a small percentage of iTunes accounts were compromised 

Apple followed up with me late this afternoon on my question about the number of iTunes accounts that had been compromised. It turns out not that many: Apple told me that an extremely small percentage of users, about 400 of the 150 million iTunes users (less than 0.0003%), were affected.

To the question of whether the iTunes servers themselves were ever in any danger of being hacked, Apple says the iTunes servers were not compromised in any way.

Of course, this all comes on the heels of that developer, Thuat Nguyen, who has since been removed from the App Store for violating the developer terms. His Vietnamese book apps were skyrocketing in the iTunes charts while people's credit cards were being billed.

Apple says that starting today it is implementing a new security measure to minimize this type of fraud in the future. In practice, you'll have to enter your credit card's CCV code a little more often from now on.


Reader Comments (69)

How do only 400 accounts get 42 different apps in the top 50? Let's say each bought 1,000 apps. That's ~40,000 purchases spread amongst 42 apps? And that's enough to shoot 42 apps to the top 50?

Hell, even 10,000 purchases per account, 400,000 total purchases spread amongst 42 apps? That's all it takes to get top 50 with 150 million users? Amazing.

July 6, 2010 | Unregistered Commenter1234

It was the top 50 of one of the least popular categories.

July 6, 2010 | Unregistered Commenterroflcoptrofl

I have similar doubts. How can 400 accounts (or thousands) account for an app achieving the #1 spot on the App Store's front-page "Top Grossing" apps list, and not containing support information required for inclusion in the App Store?

The oddity we noticed on July 4 was an app called "A Mirror : for iPhone and iPod" released 1.0 on July 3. One day after release:
- it was at the #1 spot on the App Store's front-page "Top Grossing" apps list (which caused it to be tweeted by a few App Store reporting twitter accounts, corroborating its achievement).
- it had 12 5-star reviews out of 50 5-star ratings.

The app is still in the store today, complete with oddities that make me think it somehow bypassed the app review process:
- It has no screen shot. Instead, a misleading ad shows a bright, mirror-like reflection in an iPhone 2G.
- It has a blank (non-functional) Web site link.
- It has a bogus product support link ("com").
- Its description implies a company name "SufPay" but seller is an individual.

Arguably it is a deceptive description (The app reportedly displays a black screen. Its "mirror" functionality is only the dark reflection in the device's glass screen cover.)

July 7, 2010 | Unregistered CommenterChris

I've noticed over the past few weeks a screen pop-up asking me for my account details, even when I had not done anything specific, like aggioning or buying an app.
And then not only on my iPad, but also in the iTunes app on my Mac.
I never entered anything, though, since I thought it suspicious behavior.
Has anything like this happened to anyone else?

July 7, 2010 | Unregistered CommenterPeter

The top grossing list isn't even a top grossing for the day or week list. It is a periodic list (hourly?) of the fastest moving apps. My guess is that if he even made 1000 purchases in an hour for a given app, that would be enough to put it in the top grossing list on the front page. Most hit games don't even sell 1000 in a day, let alone an hour or two. Pretty easy with only 400 hacked accounts to get your stuff to the top of the charts. Even by accounts on the forums we can presume it wasn't thousands. More than likely keyloggers. You don't think a logger installed on someone's PC for months straight is solely used to grab their WoW account and password, do you?

July 7, 2010 | Unregistered Commenteremb

My question is "How did Apple measure the number?"
If it is based on the claims from the users, there might be more latent victims.

July 7, 2010 | Unregistered CommenterToshi

My debit card was used, and thank goodness that my bank stopped it at only <only!!> $200 overdrawn. Eight purchases, two books a piece, within 5 minutes. I discovered it Saturday morning, on our way out of town for the holiday weekend. My account is still overdrawn, and I'm also receiving emails asking me to update my payment information for itunes. Not likely to happen anytime soon.

July 7, 2010 | Unregistered CommenterSara

I am one of the 400 accounts that were compromised. My credit card was charged $172.88.

When I called Apple on Monday morning, they claimed not to have heard about the problem. Strange since it was reported in the press on Sunday, if not earlier.

My iTunes account password was an extremely strong one, utilizing upper and lower case characters, special characters, and numbers. It was not a simple password.

iTunes accounts are databases that are stored on servers.

For Apple to say their servers were not compromised is a downright lie.

July 7, 2010 | Unregistered CommenterPat

The percentage compromised is an irrelevant measure and should not let Apple off the hook. You are talking about 400 people who had their personal bank accounts compromised and must spend days if not weeks securing everything again, plus the emotional effect of being "burglarized."

July 7, 2010 | Unregistered CommenterFred Zimmerman

How many iTunes users have their credit card info saved in their account? Probably a lot less than 150 million... The free accounts are immune from the attack, since there is no financial gain... AAPL is sidelining the issue, not good... purposely shifting the focus is just as bad as a deceitful lie.

July 7, 2010 | Unregistered CommenterWTF

I too was hit by Nguyen for about $200. If my computer has a keylogging program installed it was done so despite several layers of security (two firewalls, Adaware, etc.), that I do not leave my computer on for extended periods of time, and the fact that I run iTunes less than once a month - and never to purchase anything, just to backup my iPod, so I have almost never entered my login for the iTunes store. In fact, before this little fiasco, I think it may have been two months since I even ran iTunes, and before that perhaps another two months. Is it possible that some hacker got my info from my iPod?
As a side note, I wonder how many people are aware of Apple's account security policy:
"You are solely responsible for maintaining the confidentiality and security of your Account. You should not reveal your Account information to anyone else or use anyone else's Account. You are entirely responsible for all activities that occur on or through your Account, and you agree to immediately notify Apple of any unauthorized use of your Account or any other breach of security. Apple shall not be responsible for any losses arising out of the unauthorized use of your Account."

July 7, 2010 | Unregistered Commenterpsychobobicus

I was one of the people that had about $500 of fraudulent charges against my account (most of them over a 10 minute period), and have received no help from Apple to date. I had my credit card company reverse the charges and reissue a new card to me.

I did notice however that of the 122 applications fraudulently purchased on my account that none seemed to be for the developer that was trying to drive up his numbers.

I think the reason Apple is doing such a poor job of addressing this issue is simply because they don't know the extent of the problem. The approach that it's not Apple's problem, it's the user's problem, has really turned me off to Apple.

I have been around the internet for awhile now (been using it for about the last 20 years) so I am very cautious with my personal information. I have never had an account hacked until now.

What I find interesting is that if my iTunes account was compromised because someone was able to get my password, why purchase a bunch of $2 apps? Why not purchase TV shows, Movies, Books, and so on. It seems like the breach was limited to the App Store, not my iTunes account as a whole. Apple's position on this is simply not credible. Their "not my problem" attitude is irresponsible and unethical.

Just as an additional note: Because my credit card company noticed the unusual purchase pattern, they stopped charges against my card until I contacted them (great job on their part). Now, because the last block of fraudulent charges has not been paid for in my iTunes account, I cannot download any updates to the actual programs I did pay for in the past, because Apple is holding my iTunes account hostage until I pay for the fraudulent charges that are outstanding. Even though I have sent them the reason for this, I have received no response from Apple.

Where does this 400 user count come from? Apple hasn't even acknowledged the problem exists, at least not to me.

July 7, 2010 | Unregistered CommenterGlen

My bank put a hold on my credit card after 4 iTunes purchases at $60 a pop. My iTunes account was automatically linked to my card.
When I went to my iTunes account there was no evidence of the purchases in the account history, yet the transactions went through on the credit card.

When I contacted Apple via email they got back to me the next day and encouraged me to unlink the credit card and change my account password. They didn't offer any explanation of what had happened.

When I followed up with my bank they told me that additional transactions were attempted even after the card was put on hold.

The bank issued me a new card and I am going to try and get reimbursed for the transactions.

I am curious to hear how deep the real story goes.

sbarcelona

July 7, 2010 | Unregistered Commentersbarcelona

I was a victim of this person to the tune of $165.66 USD. So far no resolution from Apple after calling and reporting it. The only thing they have done is shut his/her account down. No help from my credit card company as of yet. They do not consider it "fraud" because I gave the company my credit card. I have to go to billing dispute. I did remove my credit card from iTunes and have requested a new card.

It had been 2 years since I logged into my iTunes account. I logged in that day and updated my credit card. I bought some legitimate song downloads, and some apps were added to the first purchase. Within the next 3 days came more app purchases. I was out of town, so the emails for the purchases went to my junk mail or I would have caught it.

July 7, 2010 | Unregistered CommenterSam

You expect us to believe that rubbish?

July 7, 2010 | Unregistered CommenterBen

@Glen. Your point about the App Store is very interesting. I agree that it is very strange that nothing but apps are being purchased. I do believe this is a widespread developer scam, not just run-of-the-mill ID theft.

July 8, 2010 | Unregistered Commenterpsychobobicus

One is already too much...

July 8, 2010 | Unregistered CommenterBlaze

I say BS to there only being 400 accounts hit. That is a guess at best. Damage control is about info control. Look at the BP Oil info over the past months :)

I didn't get hit, but I have now cleared all personal info out of iTunes. If Apple can't encrypt and protect their client info, then screw them. I suggest that anyone reading these posts immediately go remove your credit/bank info. It's actually not a good idea to save your credit info on someone's server anyway.

July 8, 2010 | Unregistered CommenterTheCoose

Add me to the list of people who got scammed. This only just happened today so apparently the problem is ongoing. As an earlier poster commented Apple was of no help and refused to refund my money stating that "Under the circumstances the iTunes Store cannot reverse the charges for those purchases without chargeback orders from your card issuer."

As it is Sunday and my bank is closed I can only hope that tomorrow they are more co-operative than Apple.

- Ray

July 11, 2010 | Unregistered CommenterRaymond John Schlogel
