Wow. Talk about an exciting July 4th weekend. Two major web services, the App Store and YouTube, have been hacked. It appears a rogue developer has gained unauthorized access to a number (currently unknown) of iTunes accounts and has pushed their books into the top 50, clearly dominating the entire marketplace. You can see for yourself here (if you hurry); I’ll post a screenshot below. As of right now, there has been no official statement from Apple, nor do we know the extent of the situation. However, we do know that some people have been reporting at least $200 of books being purchased without their consent.

If you click the support and company links in iTunes, you are taken to Home.com, which is nothing but a landing page. Additionally, Google Search results for Thuat Nguyen (the author/developer, supposedly) do not provide any specific details as to who the individual or company actually is. We’ll keep you updated as we are able to gather more information.

Update 1: It appears that this issue may be growing more widespread; however, until an official statement from Apple is released, it’s still speculation. Nonetheless, MacRumors has a thread with several stories from users discussing their compromised iTunes accounts.


One user states:

Unfortunately I have to add myself to the parade of iTunes fraud cases in here.  I recently checked my credit card account activity online and found the same pattern described throughout this thread. Unauthorized iTunes charges that, for me, came out to about $188. First one was $1.29, then the next five were between $40 – $50 (although one was for $12.68), then another for $2.11 this month. So far seven charges in all before I caught it and closed down my account. Not sure if some are still in the pipeline.

Update 2: Still no official word from Apple. If you are concerned or your account appears to have been compromised, I would suggest you log in to your iTunes account, change your account’s password, remove your credit card information, and go through your previous purchases to ensure there is nothing there that shouldn’t be. If you do see a purchase that you did not authorize, be sure to keep a record of it, as that is important information your bank or credit card company, and possibly Apple, will want to see when resolving the fraudulent charges.


Update 3: Phil Schiller, Apple’s WorldWide Product Marketing senior vice president, says Apple is now investigating the situation. Apple Insider has also posted some alarming information about how easy it is to obtain unauthorized access to iTunes accounts.

Update 4: According to Clayton Morris, only 400 out of the 150 million iTunes accounts were used by the rogue developer to boost their rank in the App Store. Morris also states that these accounts were not compromised due to a security breach on Apple’s end. It looks like the accounts were sold on various sites (see update 3 for more information), purchased by the developer or some party, and then used to buy the rogue developer’s applications, boosting their rankings within the store. Apple says that starting today they will have implemented new security measures to minimize this type of fraud in the future, which basically means you will now have to enter your credit card’s CCV code more often.

  • Stories like this saying it was “hacked” are what cause mass hysteria and spontaneous panic. There are lists every day floating around of email addresses and passwords. There was one published months ago of several thousand people so this is not an uncommon breach of security. People need to stop using weak passwords to begin with or falling for phishing attacks, then blame it on the company that hosts them. Fact of the matter is, most people (statistically speaking) use the same password for all sites and also use weak passwords like a series of common numbers, a common word, etc. Anybody can write a program to automatically guess these. In fact, I have seen lists of common passwords floating around. The only thing happening here is the use of one of these lists against a popular website. Does it mean it was “hacked?” – absolutely not. If it was hacked they wouldn’t have had to use other users’ accounts to begin with. They could have simply exploited a hole in the website. Like I said, all that has happened was something that happens every day, but you only heard about it because it was on a popular location. This is more common than everybody thinks.

