@TheNextWeb is reporting on a very disturbing trend. iTunes accounts are currently being hacked, with victims from all over the world reporting purchases worth hundreds or thousands of dollars being charged to their credit and debit cards without their permission.
The trend was first spotted by app developers searching the store last night, when someone noticed 40 out of the 50 top paid apps in the ‘Books’ category were in fact developed by the same developer.
The theory goes that the developer behind these apps is somehow hacking other people’s iTunes accounts and purchasing hundreds of copies of his own applications to increase his ranking on the store. Great news for the developer, not so much for the thousands of people who are currently explaining to their banks why there are hundreds of dollars’ worth of purchases and transactions on their accounts that they themselves can’t account for.
“Some users who have had their accounts hacked have left comments on the apps they have supposedly bought complaining that up to $200 has been spent on books they’d never personally bought themselves. (update: we’ve now heard reports for $600+)”
The trend is growing fast too, with many users on Twitter reporting their accounts having been hacked and taken for a ride. The Next Web reports that some victims have even tried to leave warnings in iTunes reviews about the situation, only to be swamped with hundreds of positive comments and reviews by (presumably) the developer himself.
We ask you to heed this warning: re-tweet this article if you can to spread awareness of the threat and, if you have an iTunes account, check it immediately and, if necessary, temporarily disable any payment methods you have set up until Apple releases an official statement.
[Update] – A @MacRumors forum member explains his horror below:
“Yesterday my credit union contacted me saying there was suspicious activity on my debit card. I also received a receipt via email on my “Purchases” on 7/2/10. I made the mistake of storing my debit card on the itunesstore app. I have run into the exact same responses that other users are reporting–only email as a method of contact.
That response was to tell me how to change passwords, etc. – stock answers and to also tell me of no refunds. I was an internet technician for years so the iTunes advice was second nature for me but with little hope for “fixing” the issue since I believe that the breach was on the iTunes server.
Thankfully, I carry a smartphone with my email setup on it, so I received the invoice quickly. Most of the 15 purchases were for items that I don’t even own i.e. iphone (I have a blackberry) and ipod (I’m 47 and I still use a radio for my music). I was able to verify the $70.15 charge via mobile banking and immediately called my bank. The transaction was in the processing stage and I think my bank was able to refuse it–I’ll see after the holiday weekend. With my card canceled, the additional $20+ charge was unable to be authorized.
I noticed reading the comments that someone was starting a class action suit, there are enough victims to be able to make iTunes responsible for this.
I will not take this lying down–I’ve filed a police report and filed a complaint with the Better Business Bureau and if I can afford it–I want to be included in the class action suit if it was started. I am currently trying to figure out how to get the news media notified of this scam.”
[Update 2] – A UK user by the name of Jamie Vickery has also been hacked.
“I’ve just noticed my iTunes account has been hacked in the past week. Someone has downloaded 8 apps and two songs totaling £61.70. The most expensive being an app called All Match by CharismaIST for £54.99! The other apps seem to be based on photography like Camera One, Night Shot, Camera Flash Ultra. Surely Apple won’t pay out to these developers. I have changed my password and put in an email complaint to iTunes so we’ll see how it goes.”
[Update 3] – and another …
“My iTunes account was also hacked in the last week or so and I was billed £140. iTunes customer support was less than supportive and it took my bank getting involved, my card being cancelled and reissued and 2 changes of passwords to get it sorted. The apps that Jamie Vickery mentioned were bought using my account too. However, most of the items bought on my account were music items including ‘Third Reich Military Music Archive’! I suspect that’s a developer with a twisted sense of humour!
Hopefully there won’t be any problems between iTunes and my bank but it was very annoying at the time.”
[Update 4] – Mac Stories reader Brad Buchanan also relays his series of events below:
“He rang my dad up for $300 in a matter of hours. Six iTunes receipts came at the same time the day he did it. I noticed all the apps were the same developer.”
[Update 5] – @MacRumors user ‘crostonblue’ reports his account was taken for £542.36 on June 7th.
“I’ve just had this happen to me, how did I find out, I received 23 receipts for apps for an iPad which I don’t own.
Only way to contact iTunes is via email and they didn’t respond for 40hrs and tried to suggest that someone must have got hold of my card details, yeah right, and my iTunes login ID and password and email address so I’d get the receipts, they told me all the obvious stuff like cancel your card and tell your bank (I didn’t think of any of that!!!!), then finished their mail by saying there was nothing else they could do unless my bank requested a chargeback!!!!!
I also had only 2 machines authorised for my account but when checking I discovered 4 – why can’t you disable all machines regardless of how many there are????
Why is there no fast contact process for iTunes to report things like this???
My bank’s fraud department did say that this sort of thing happens all the time with iTunes and that they are the least helpful company they deal with when getting stolen funds back!!!
Some of the apps that were purchased did worry me a bit (you’d understand why if you saw them) so I contacted the police anti-terrorism squad who have given me a case number and said that it will be something they will definitely be investigating with iTunes.
Maybe iTunes needs to start listening to all these problems and instead of directing its customers to security advice documents and policies they’ll start reading and following them themselves!!!!”
[Update 6] – The reported fraudulent developer is one who goes by the name of ‘mycompany’. Check your receipts carefully.
[Update 7] – @9to5Mac is reporting Apple has removed the developer’s account and pulled all his products from the App Store. Crisis averted? Hardly.
[Update 8] – The shenanigans are far from over. Even though the initial developer who started this exploit off has now been removed from the App Store, along with all his apps, @TheNextWeb is now reporting that more developers are using the same practices. In fact, these developers have set up what are dubbed “App Farms”: blocks of apps designed specifically to con you out of money. More information can be found at http://rfly.me/br5.
Stay tuned. More on this when we have it.