iTunes account hijacked

Posted in iPod + iTunes + AppleTV, edited January 2014
Today, I opened iTunes, and was greeted with a message that told me that for security reasons, I had to change my iTunes password.



It turns out that someone hacked my iTunes Store password. I have no idea whatsoever how this was done. My password was reasonably secure. I haven't logged in from any unfamiliar devices. My only guess is that a database storing my record was hacked, which means other iTunes Store customers are probably also affected.



Somehow Apple knew that something was amiss, which is why I was asked to change my password.



Thank God I didn't have a credit card associated with my iTunes account.



First, apparently, the hacker deauthorized all my computers for playback (I was already maxed out at five, three of which were no longer being used). They then authorized five new computers, so I have no free authorizations left for my own legitimate machines. I can't fix it using normal means (deauthorizing the five rogue machines) until December 2, 2012. I'm relying on Apple to do this in response to my customer service request.



After managing the authorizations, the hacker used the iTunes Store credit available in my account to purchase two albums and a song:



All for What by A Broken Silence $9.99

Cuckoo Boohoo by A Toys Orchestra $9.99

Data Italia by Skatebård $0.99



I now realize, while writing this message, that those computers and devices using my iTunes account have access to my iTunes Match content, which consists of 22,000 songs. I suspect my account was targeted because of iTunes Match.



So now, not being authorized for playback of content, I can't sync my devices. I can't play back purchased content on my two Macs. I cannot purchase new content, including free content. I cannot use iTunes Match, except on my iPhone and iPad and Apple TV (thank God they can't deauthorize devices remotely).



But most importantly (and I'm afraid of record labels' reaction to this), if this is a widespread problem, all my 22,000 songs will have been downloaded and are available for the hacker to share forever, even after their computers have been deauthorized by Apple. And all of the songs of anyone else who was hacked. Meaning almost everything, ever.



This is a huge issue, not just for me, but for Apple. Something tells me we might be hearing more about this hacking activity in the news in the near future.



Since I didn't have my iTunes account linked to a credit card, the impact to me (other than the temporary inconvenience of the deauthorization) is minimal. I fully expect Apple to act quickly to deauthorize the five rogue machines, refund my $21, and things will be the same on my end.



But is iTunes Match as we know it going to survive these events once the record labels react, if this hacking is indeed as widespread as I fear?

Comments

  • Reply 1 of 4
    This seems extremely similar to what was happening earlier this year for in-app purchases.



    http://www.securitynewsdaily.com/hac...-go-away-0889/



    Just like those people targeted in earlier attacks, I only use iTunes Gift Cards for purchases.



    But this time around, it seems to be related to the theft of iTunes Match songs, instead of in-app credits.
  • Reply 2 of 4
    Update: Apple has quickly deauthorized all computers, says they are refunding my $21 (they haven't yet), and they have disabled my account. I'm waiting for the account to be enabled, after requesting them to do so as per their instructions.



    I was already able to reauthorize my MacBook Pro.
  • Reply 3 of 4
    Everything's back to normal, except I now have multiple non-alphanumerics in my password and I'm going to change my password every month.
  • Reply 4 of 4
    escher Posts: 1,811 member
    Phew! Glad this story ended well, tonton!



    At work I'm already forced to have passwords with 12 or more characters and 4 types of characters. But I have to admit that on the Internet, I should be just as careful, voluntarily and in my own best interest.