Apple under fire as hacked iTunes complaints swell

Users are looking for answers as phantom downloads drain accounts

Stewart Mitchell
7 Jun 2011

Apple is facing mounting criticism as a possible iTunes hack attack has seen customers' gift certificate accounts drained.

Several pages on Apple's forums highlight the security flaw, with dozens of users blaming a Sega app called Kingdom Conquest for removing funds – even if they have never downloaded the game. Various other apps have also been blamed for draining accounts using a similar technique.

It's unclear at this stage whether the action is the result of a widespread hack on iTunes or whether individual accounts have been hacked, but more consumers appear to be falling victim to the attack.

The hack changes users' billing addresses and uses games and in-app purchases to syphon money, with victims being advised to deactivate their computers and change passwords – and one post relating to the problem now runs to 24 pages on Apple's own site.

The problem appears to have been active since late last year, but the number of complaints has swelled dramatically since May, and some victims claim to have been attacked more than once.

"My wife and I had our iTunes gift card credits stolen this week by in-app purchases," posted Michael from Colorado. "Two purchases wiped out $22.98 in credit and the app had not been installed on any of our devices.

"From the number of postings here, obviously, Apple has a big problem with either account security, in-app purchase fraud, or both," he added.

Seeking answers

What has really infuriated users, however, is that Apple appears to know about the problem, and has in many cases refunded money to victims, but has yet to address the underlying issue or explain how the attacks are taking place.

"The latest response after I filed my report? My account has been re-enabled, all computers are de-authorised, change your password/security question... again, re-authorise your current computer," said MomawNadon78. "Nothing regarding the actual security issue. I won't be tying any cards to iTunes nor purchasing anything from iTunes if this kind of security loophole or breach is not fixed."

Judging from customer feedback, Apple seems to be suggesting that the problem is limited to isolated attacks on individual accounts – as it did with similar attacks last year – but posters have questioned whether so many accounts could have been compromised at the same time without a wider vulnerability.

"This is the first time I have had any of my accounts hacked after more than 15 years in IT," read another forum post.

"It seems unlikely to me with the timing on these posts that brute-force hacks just so happened to nail large numbers of accounts simultaneously – especially with the many people stating they have complex passwords."

Sega responds

Apple has yet to respond to requests for information on the case, leaving users to speculate on the scale and severity of the issue, but Sega has confirmed it is investigating the reports.

"It is very likely that your iTunes account has been stolen and is being used by someone else to purchase items in this game," the company said in its forum.

"We are currently investigating this claim as well as some others, but since we have no access to any customer's iTunes account information or transaction histories we highly recommend contacting Apple directly.

"Allow me to state very clearly that Sega and Kingdom Conquest are not acting maliciously in any way. It is in no way possible for this game to charge an iTunes account without someone installing the app, logging into that iTunes account with valid credentials and then choosing to make a purchase."
