Monday, April 11, 2011

App Store account hacked

After I bought my iPad, I bought $50 in gift cards to the App Store, figuring that this was probably simpler than having dozens of $1-5 charges on my debit card. As of yesterday, I should have had around $20 left. I went to check my account, and instead found a balance of 90 cents.


I got on iTunes on my desktop to pull up my purchase history, and yesterday morning someone bought 13 apps for a total of $19.17, half of which are in Chinese (a language I don't even speak).


Since then, I have emailed Apple, who claim that the order is still processing but will be refunded once it's done (which might take up to five days). They also froze my account (I'd already changed my password, but I assume this is standard), which I have since gotten reinstated. So now I can download free apps again, at least, though I'm still waiting to get my gift card balance back before I can spend money again - not like I'm going to put my credit card info in there now! (I didn't have a card listed before, luckily.)

I also did a bit of research into how this might have happened. I haven't downloaded anything via iTunes on my computer since last May (and haven't spent money there since 2005); recently I have only logged in via the App Store on the iPad. I found this MetaFilter post and from there a huge thread on the Apple support forums with hundreds of people having the same or similar problems over the past few months.

There seem to be several flavors of scams going around, but two seem especially popular: In one, they target people with gift card balances and drain the gift card. In the other, they wipe the person's current information and put in a stolen credit card and new address, which they use to buy lots of chips in a poker app.

There's some speculation that some of the gift card drainings may be connected to the huge fiasco where gift cards were stolen and sold on TaoBao, a Chinese auction site. Some people later bought legitimate cards only to find that the number had already been used. But I'm not sure whether/how having my gift card # would allow someone to buy the apps on my account.

Another proposed source is that everyone who's been hacked was part of the big Gawker password hacking fiasco and simply used the same password on the app store. Now, I do have a Gawker account (which I've used like twice on Jezebel, ever), but according to this widget neither my username nor email address were included in the released database, so I don't think that's how they got it. (I honestly don't know whether my Gawker password was the same as my App Store password - I admit that I was using a password for the App Store that I use in other places, but I don't remember if I was using it there and I changed my Gawker password after this fiasco just in case.)

Possibly some other site where I happened to use the same password was hacked and I never heard about it? I read enough tech news that I doubt it, but if it was some small site somewhere it's possible.

Or is there an actual security issue with the App Store? Since this happened to me yesterday, several more people have posted on the Apple Support thread who had the exact same experience at the same time. Did we ALL have accounts on the same obscure website whose hacking went unmentioned in the media, and all happened to use the same email and password with Apple? We certainly all had iTunes/App Store accounts. I know that iTunes was recently patched due to a security issue that may have been contributing to similar cases a couple of months ago; I have to wonder if the App Store is going to get a similar update soon.

If I were only an iTunes user, this would be as simple as not using it anymore. Unfortunately, of course, the App Store is the ONLY place for me to buy the software that makes my $500+ iPad investment worthwhile (until an iPad 2 jailbreak happens). So I guess for now my best option is to continue using gift cards to keep my CC# safe, but only buy small denominations ($10 at a time, I suppose) and not enter one until I'm ready to use at least a good chunk of the balance. My emails from Apple have been very nice, but some people in the thread report being told that their refund will be a "one-time deal," which makes it sound like if you get hacked again, you're out of luck. So best to keep as little money in there as possible.

Amusingly, Apple's security in the case of such a breach is kind of... lacking. The only "security information" I had to give them to get my account unfrozen and my password reset consisted of: the address on the account, the order # of my last legitimate order OR the name of one of the apps on it, my first name, and my birthday. Someone who had hacked into my account would have had easy and immediate access to all of this information save the birthday, and who knows if that's in there somewhere if they know where to poke around. I made my account years ago; I don't remember every piece of data I gave them.

Here's hoping my gift card balance comes back soon, and whatever security leak is causing this gets patched up (whether it's with Apple or someone else).

