back to article Apple account hijacks spread to developers

Account hijackers have targeted Apple iTunes for months, but now they're hitting Apple developers as well. Reg reader Andrew McAuley discovered that his iTunes account was hijacked after 150 unauthorised transactions, each valued at $42, appeared on his debit card bill. McAuley, a Brit who lives in the US, noticed the attack …


This topic is closed for new posts.
  1. Simon

    PA announcement

    "Webster Phreaky, will Mr Webster Phreaky please report for comment duty on this article, thank you."

  2. Kenny Millar

    They deserve it

    If you use an easy to guess password to protect an important account like that then you deserve to get it stolen from you.

    Wise up people and use decent passwords.

  3. Wize

    Not very secure

    "Karppinen said that Apple emailed a reset password to a Yahoo email address not under his control after someone sent a one-line email full of grammatical errors to support staffers via a web support form."

    So anyone can contact them, give someone elses account number, claim they lost access to their old email account and have everything changed over to their new fake one.

    Someone back at apple needs a good kick up the arse.

  4. Anonymous Coward

    Not an answer

    One of the nifty things that I discovered in Ireland is the 3V card. Acts like a disposable visa card, every time you buy credit you are given a new visa number. It does make one more secure when buying from unknown or untrustworthy sites.

    Although its not an answer. Apple should be more secure.

  5. Goat Jam
    Paris Hilton


    What are they buying from itunes? DRM'd songs and TV episodes? Don't these idiots know that they can get the same stuff off bittorrent without resorting to credit card fraud?

    Or am I missing something?

  6. Tom Turck

    tip of the iceberg

    this is the tip of the iceberg...all the combined apple os and safari vunerabilities...

  7. Anonymous Coward
    Thumb Down


    yea cos when i think of online security the first thing that enters my head is apple

    what does this say about a) the level of security awareness of apple staff; and b) the level of security awareness of apple users...

    and what ever happened to email/https based confirmation when changing account details?

    i will never use any of this retarded consumer [cr]apple tatt (does this make me a hateboi..?)

  8. Anonymous Coward


    This is one reason (apart from the ridiculous subscription fee) that I declined to open a .mac account with all its useful stuff like online storage, web gallery and remote desktop.

    Even as a Mac owner I don't trust the buggers with security.

  9. Christian Vest Hansen
    Paris Hilton

    Well, at least...

    ... they didn't send the old password to the crook, but instead generated a new random password and sent that.

    So even though it is bad amateurish practice to gleefully surrender peoples accounts to strangers like that, we know that at least a) the crook cannot get the original password which might be used elsewhere (like net banks) and b) you know something fishy is up when the password unexpectedly changes.

    Paris, because she knows the importance of controlling who has access to what.

  10. Andrew McAuley

    Wise up?

    Oh, I'm sorry I guess a > 10 char length mixed alpha numeric password is a little easy to crack ;)

  11. Tim J


    From the article:

    "McAuley didn't suffer financially because his debit card was protected by a $0 liability guarantee. He doesn't store any card details on his UK account, which isn't covered by an equivalent indemnity. In the UK, credit card holders are only liable to the first £50 of any purchase."

    It's a slightly confused paragraph which doesn't make it exactly clear what the situation is here - does Mr McAuley have two iTunes accounts (a US and a UK one), and the fraud was committed against his US account??

    Regardless, UK credit card holders aren't liable for any fraudulent transactions that are committed on their credit card account.

  12. James Butler

    @Mr. Vest Hansen

    "Paris, because she knows the importance of controlling who has access to what."

    Erm ... she, famously, lost the contents of her Blackberry account to the Internet, a couple of years back, illustrating that online storage of ANY sensitive information, including your address book and emails in your Blackberry account, is a not-ready-for-prime-time deal.

    If it's not ONLY stored locally, there is an excellent chance your info will be compromised by those who are seeking info stored at any common location ... that includes .Mac, Blackberry, AOL and any shopping site where you told them to save your information because you absolutely MUST buy things so quickly that you can't be bothered to re-enter your information with each purchase. I know ... it's terribly inconvenient and slow to type in that credit card info, but it's one of the few things you can do to avoid situations like this.

  13. Andrew McAuley


    I have a UK and a US account. The fraud was against my US account. The US account had my Visa Debit card details stored against it. The REALLY weird thing was the hacker gifted the same music track 4,500 times to lots of different gmail accounts. Perhaps a hacker fan of this particular band trying to score a chart placing?

  14. heystoopid


    Or as a PC would say to a Mac "Nice day for Phishing is it ? "

  15. Eric

    Apple security at its finest

    Its like they haven't learned a thing from watching Microsoft's security blunders.

  16. Paul Sylvester

    Apple installs software without permission

    Yep that's right. If you really want to know how they are doing this, then they have the software to do it without having to go to apples website!! Apple installs the mobile me software to all windows platforms!! Check my article out for more information!!

  17. Jeff Dickey

    @Goat Jam

    iTunes is how *everything* from Apple gets distributed; apps, webcasts, etc. In theory, that's because every Mac has iTunes and it's easy to use the system to push out updates and such (that remain separate from the 'Software Update' under the Apple menu).

    Several developers have had various gripes about the mechanism, but AFAIK it's always been seen as satisfactory - assuming Apple maintain control and adequate security. Seems that those assumptions may need a refresh.

  18. Mark Neuwirth

    It's time to try escallating the complaints

    Even though the compromised accounts seems to represent relatively small amounts, perhaps it is time to try to get some assistance obtaining Apple's attention?

    The FBI has an Internet Crime Reporting site at Since we all seem to have been victims of the same crime, if enough people report their issue it might become sufficiently significant for the FBI to do something other than watch old X Files reruns, and for Apple to take some affirmative action to correct this.

    It may do something, or it may do nothing, but everything tried so far seems to be totally ineffective in obtaining Apple's cooperation or notice. Maybe we could at least get them to formally acknowledge that there is a problem.

  19. Mark Neuwirth

    It's not that simple.

    "If you use an easy to guess password to protect an important account like that then you deserve to get it stolen from you.

    Wise up people and use decent passwords."

    This is an exceptionally simplistic and inappropriate comment (troll?).

    I use 12 character, randomly generated hex passwords and they still get compromised the same day that I change them.

    Apple's systems themselves are compromised, not the individual accounts. I would have thought that this is sufficiently obvious from all the posts for any intelligent person to realize.

This topic is closed for new posts.

Other stories you might like