Forgot your password?
typodupeerror
Security Apple Games

Has iTunes Been Hacked? 191

Posted by Soulskill
from the missony-loves-company dept.
An anonymous reader writes "Betanews has a series of articles talking about an apparent hack in iTunes that has resulted in fraudulent charges for some users involving Sega's Kingdom Conquest game. The reports start with a personal account from reporter Ed Oswald, who was a victim of the hack itself. The next story adds reports from readers, and the most recent story adds additional reports, with Oswald saying the number of reports received are in the 'dozens.' Apple has yet to confirm the existence of a hack, although reports have appeared on Sega's own support forums, Apple discussion boards, and through other news outlets."
This discussion has been archived. No new comments can be posted.

Has iTunes Been Hacked?

Comments Filter:
  • I recall Stringer saying a lot of stupid crap but when criticized for the delay in his notification of a breach [escapistmagazine.com] he said something quite memorable to me:

    "This was an unprecedented situation," he said. "Most of these breaches go unreported by companies."

    At first I thought this was just to spread generalized fear, take a cheap swipe at their competition or even shift attention to something else, but it appears we'll get to see how pervasive this becomes. Perhaps he wasn't completely full of lies ...

  • by blueworm (425290) on Monday June 06, 2011 @10:57PM (#36358856) Homepage

    No mention of keylogging trojans or phishing combined with ridiculous uneducated guessing makes these authors' ramblings pure trash. Apparently all the links are from Betanews, too; I'd like to see Betanews stick to talking about iThings and not security. Choice quotes interspersed with my reactions:

    "Apple's iTunes user logs themselves may have been compromised."

    All I can think of on this one is the time I had someone tell me that my router had "lost its ARP table".

    "... several of the victims that reported into Betanews on their experience are employed in IT -- obviously understanding the risks of improperly secured personal data."

    I'd hope these same IT employees someday understand the risks of improperly secured personal data by not browsing the web on their own PCs (no Windows implied).

  • by Sprouticus (1503545) on Monday June 06, 2011 @11:00PM (#36358870)

    Half a dozen years ago, I worked at a company that got hacked due to a web vulnerability. The hackers simply used our storage to store geman porn. But it was still a hack. And it went unreported. It was detemrined that there was no value in reporting the hack since it would affect stock value.

    I am betting that the VAST majority of hack never get reported for this exact reason.

  • by wvmarle (1070040) on Monday June 06, 2011 @11:10PM (#36358928)
    So you closed the vulnerability and kept the stash?
  • by wvmarle (1070040) on Monday June 06, 2011 @11:16PM (#36358988)

    This is what bugged me about general security advice: people are recommended not to re-use passwords over a variety of web sites (sensible). However the solutions proposed are to store these passwords in a local "password vault" protected with just a single password, or for all sites to use a centralised log-in system such as Google or OpenID or whatever.

    Now if really those web masters all follow suit and all switch to doing their logins using Google: is that any safer than re-using a password? If Google gets hacked, logins to all web sites are suddenly on the streets. Google's security may be better than Sony's, that's not said that it can not be breached.

    Or if a keylogger finds its way on your computer, then the complete password vault can be opened in one go.

  • by raabetj (1271140) on Monday June 06, 2011 @11:24PM (#36359042)

    I very recently had the same situation that is described in the articles happen to my iTtunes Account. I received 2 emails for gift cards purchased through the iTunes store. As I was on vacation with no PC and thus no iTunes access, and not buying gift cards, I knew something was up. At first, I was thinking they were actually spam/phishing emails, as they listed the last 4 digits of a Credit Card that didn't match any of my Credit cards. Without iTunes, all I could do was access my Apple ID account through the web on my phone, and when logged into my account, I saw that my billing information had been changed.

    Luckily I had moved about 3 weeks before, and updated my billing info with my credit card, and not in iTunes (or I suspect I would have had several more app/gift card purchases on my own card.) The strange part was that they didn't change my password at all, or any security related questions. It seems as all they did was change my billing info to some one else's and buy $100 worth of gift cards (Who knows what they were used for...).

    I changed my iTunes Password, and contacted Apple Technical support, and all I got was a standard form letter about how I could dispute the charges on my credit card (even though I had pointed out that it *wasn't* my credit card info). They locked my account and after a short investigation they enabled it with no indication of anything other than their form letter.

    I will freely admit that my password was vulnerable to a dictionary attack, as in the past, I wasn't too worried about someone buying me lots of music, but have since changed it. However, I had no indication that someone was attempting to access my account. If someone was indeed using a dictionary attack on my account, I would have hoped Apple would notice several thousand invalid logins on an account and do something about it.

    I suspect there is someone named Jason in Seattle, who is wondering why they have a $100 purchase from iTunes on their MasterCard...

  • by EastCoastSurfer (310758) on Monday June 06, 2011 @11:24PM (#36359044)

    Yep. My bank recently called and canceled my CC. The trigger? The number was attempted to be used for a small ITMS purchase. The fraud department at the bank said that buying a 99c song at ITMS is quick way to verify if they have the right info or not. In my case they used the incorrect pin digits from the back of the card and the bank denied the charge, but it must work some of the time.

  • Data corruption? (Score:5, Interesting)

    by Hachima (718971) on Monday June 06, 2011 @11:35PM (#36359094)
    This may be unrelated, but yesterday I noticed that my iTunes account had became corrupted with someone else's data. My first name, last name, address and registered CC number became someone else's info. Had I not noticed, I would have been making charges against this other persons account. Maybe someone wrote one messed up database query and screwed up a massive amount of people's payment association. Some users are starting to notice they have someone else's info and are going on a buying spree. Or people are just making their normal purchases and are unknowingly charging other people's accounts, like I almost did last night.
  • by Ixokai (443555) on Tuesday June 07, 2011 @12:03AM (#36359216)

    Seriously, "mistakenly", "trained"?

    Sorry, no.

    Sure, the companies deserve ire and disdain if they don't take care of our information securely. They even deserve some real civil liability -- a lot more then they're getting now.

    But asshat little fuckheads who go around breaking into said company deserve ire, irregardless of any other ire given.

    Cracking into networks and systems and grabbing data, damaging systems, anything of the sort-- even if they aren't properly secured-- is not noble.

    It its worthy of ire, scorn, and jail time.

    Now, its not worth as much jail time as is being handed out often these days, nor silly, inflammatory words like "terrorism" being thrown around to make it all worse -- and adolescents who are frankly incapable of understanding that being an idiot even though its a rush or fun is dangerous and has real consequences, should be treated like the kids they are, not adults.

    But, no. Its not a mistake to give them all kinds of ire.

    I pretty much hate Sony, for instance. But what the cracker-jackass groups are doing is pretty sociopathic.

    There's no Greater Good involved, thats self-delusion at best. There could have been a way to go about it that may have been ethical, in a vigilante, internet-patriot sort of way. But these data dumps of real, personal information (including usernames and password hashes) is not at all it.

  • by pandrijeczko (588093) on Tuesday June 07, 2011 @04:24AM (#36360258)

    Also about half a dozen years ago, a CEO in a software company was suffering one way transmission on VoIP calls and as the manufacturer of the VoIP hardware and software, we'd had technicians trying to fix the problem for months - countless hardware was changed, IP stations, etc. etc. because the customer was screaming at my company daily and it had been escalated to the highest levels.

    As a security & network guy, I got dragged in at the later stages, myself and another consultant went through some packet sniff captures when the problem was happening and we eventually worked out that someone from within the software company was trying to do a man-in-the-middle attack to snoop on the CEO's calls, he/she clearly hadn't got it working right and was interrupting one of the transmission paths, hence the problem.

    We emailed the analysis to the customer and showed it was someone in their company causing the problem. From that point on, it went completely quiet - no daily secreaming from the customer, not even an acknowledgement of our emailed analysis.

    I don't know if higher up in my company we billed the customer for all the work we did or if anything was said afterwards but this was definitely hushed very quickly within that software company.

Whoever dies with the most toys wins.

Working...