Only 400 iTunes accounts compromised in fraud, Apple says

post #1 of 24
Thread Starter 
Apple this week revealed more details on an iTunes fraud case, in which one developer managed to boost their sales, revealing that just 400 iTunes accounts were compromised.

Over the weekend, it was reported that some iTunes account holders were involved in a number of fraud cases. Just how many accounts were compromised, though, was unknown. Clayton Morris of Fox News reached out to Apple for comment, and reported the company's official word on his personal blog this week.

"Apple told me that an extremely small percentage of users, about 400 of the 150 million iTunes users - that is less than 0.0003% of iTunes users, were impacted," he wrote.

It's the second time this week that Apple spoke out publicly on the issue. The company had previously revealed that the developer whose sales were boosted, Thuat Nguyen, was banned from the App Store and his applications were removed.

Nguyen occupied over 40 of the top 50 applications in the App Store's books category with a number of Japanese manga titles. The books were listed under the name "mycompany" with the website "Home.com." Apple's official statement said that Nguyen was involved in "fraudulent purchase patterns."

The company also recommended that users review their iTunes and credit card accounts to ensure that no unauthorized activity has taken place.

In addition, Apple said its own servers were not compromised at all in the incident, but the company is taking steps to further protect consumers who may have had weak passwords compromised.

"Apple says that starting today they're implementing a new security feature to minimize this type of fraud in the future," Morris wrote. "Basically you'll have to enter your credit card's CCV code a little more often from now on."
post #2 of 24
First!

'customers who had weak passwords compromised'.

I guess now we'll hear from all the people who think Apple should look over your shoulder while you select a password and make sure the password meets Apple's standards.

After that, we'll hear from all the people protesting Apple's interference in your selecting any password you want - no matter how weak it is.

After all, we all know that whatever happens, it's Apple's fault (unless something good happens, and then it's clearly not Apple's doing).
"I'm way over my head when it comes to technical issues like this"
Gatorguy 5/31/13
post #3 of 24
This sounds like bullcrap from Apple. How can 400 accounts make 40 books jump into the top 50 if we have over 150,000,000 iTunes accounts? Are 400 purchased copies enough to get to top selling?
Marquiz d' Gabber von Gabberaarde

... and Windows Vista...
... fails on the Moon...
... 6x slower!
post #4 of 24
Quote:
Originally Posted by gabberattack

This sounds like bullcrap from Apple. How can 400 accounts make 40 books jump into the top 50 if we have over 150,000,000 iTunes accounts? Are 400 purchased copies enough to get to top selling?

Because it's a time-dependent event. They measure sales over some small time period. Let's say that a top selling book sells 100,000 books in a year. That's under 300 per day. If they buy a single book from every one of those new accounts in the same day, it would jump to the top. It's really much easier to think about things rationally rather than accusing Apple of lying every time you don't understand something.

In reality, the numbers are probably even smaller. The data is somewhat older, but only 900,000 books OF ALL TITLES in the first month. I don't know how these 'book apps' fare compared to iBooks downloads, but it's likely that even 100 sales in a day would put you into the top ranking.
"I'm way over my head when it comes to technical issues like this"
Gatorguy 5/31/13
post #5 of 24
Quote:
Originally Posted by gabberattack

This sounds like bullcrap from Apple. How can 400 accounts make 40 books jump into the top 50 if we have over 150,000,000 iTunes accounts? Are 400 purchased copies enough to get to top selling?

I would love to hear how your two questions relate to your opening statement.

It sounds like you have come to a conclusion without any comprehension of the subject in question or really wanting to know the answer at all.

My hat's off to jragosta for trying. Not that it would matter. IMO.

BTW jragosta, you're right on re your first comment.
post #6 of 24
I'm curious how Apple came to the conclusion their statement implies: That weak user passwords are the sole vulnerability that was exploited. I certainly wouldn't argue against it being the most likely cause. Probably far more than 400 out of any set of 150 million people would unwisely choose to use weak passwords even if the account ties to their credit card. But how do they know? Was it simply a process of elimination - "We verified that our servers weren't compromised so it must have been guessed passwords," - or do they have some evidence that Thuat used a password cracker program? I hope it's more than the former because it's pretty tough to prove the negative that servers weren't compromised.

Since this is a fraud case, is the FBI going to investigate?
post #7 of 24
ONLY?

wtf, guys.
Groupthink is bad, mkay. Think Different is the motto.
post #8 of 24
Quote:
Originally Posted by jeffreytgilbert

ONLY?

wtf, guys.

When compared to 150 million users I think "only" is the proper adjective
post #9 of 24
Thankfully mine was not breached.

Woops I guess this horse was already beaten. Forget what i said.
--SHEFFmachine out
Da Bears!
post #10 of 24
Quote:
Originally Posted by gabberattack

Are 400 purchased copies enough to get to top selling?

Actually, yes. Book sales are still VERY low at this point; it doesn't take much at all to make the charts. Previous articles have covered this.

Quote:
Originally Posted by heulenwolf

I'm curious how Apple came to the conclusion their statement implies: That weak user passwords are the sole vulnerability that was exploited.

As you said, they didn't actually say that, you just assumed it was implied. I would think it wouldn't be hard to tell if the servers were actually hacked versus things like guessing passwords. Especially if Apple can check the passwords of the hacked accounts and see if many of them were weak passwords.

Quote:
Originally Posted by jeffreytgilbert

ONLY?

wtf, guys.

Out of 150 million accounts, 400 isn't many at all. About three ten-thousandths of a percent. I bet there are a LOT more than that that have the password "password". And I'd bet many other sites like credit cards, other online stores, etc. have at least that high a percentage of accounts hacked. While hacked accounts are a bummer, what exactly do you expect Apple to do, test passwords and require ones that aren't weak? Which of course would just lead to more whining from a different group of people...

Quote:
Originally Posted by sheff

But it's interesting that you only need 400 people to buy an app to become #1 on iTunes.

That's because in this case they aren't apps, they are books which are much newer and not selling nearly as many yet. The article is a bit confusing on this one.
post #11 of 24
Only 400 iTunes accounts compromised in fraud, Apple says

"Only...," tell that to one of the 400 that it is only. I am sure no one here would want to be one of the "only."

Hopefully Apple takes steps to fix this long term and plugs other holes. If they're not already they should hire pro-hackers to help them spot issues.
post #12 of 24
Quote:
Originally Posted by mesomorphicman

Only 400 iTunes accounts compromised in fraud, Apple says

"Only...," tell that to one of the 400 that it is only. I am sure no one here would want to be one of the "only."

Hopefully Apple takes steps to fix this long term and plugs other holes. If they're not already they should hire pro-hackers to help them spot issues.

See post #2.
"I'm way over my head when it comes to technical issues like this"
Gatorguy 5/31/13
post #13 of 24
400 eh, that's a nice even number.
post #14 of 24
Miserable cuss that I am. So here's the thing, I had a weak password, very weak. In fact the hackers trolled my online photo gallery and found a reference to a pet name and BINGO. I know, learned that lesson.

This happened while I was on vacation - I was sunning on the beach in Hawaii with my iPad and received the usual iTunes store receipt when I noticed about $200 worth of stuff I didn't buy. In a period of two days, the hackers had downloaded many games and some music. I immediately changed my password and contacted Apple.

My process was to contact my local police dept. to report the fraud and obtain an incident number (for my bank, not apple), report the fraud to the bank, giving police incident number and vendor info (Apple iTunes, fraud history in the form of the iTunes receipts). My bank provisionally reversed the charges pending their research with Apple. This is my bank; yours may differ in process and results.

I also changed EVERY password on all my accounts. Not that they were all this weak but I felt better afterwards. Then I took a shower.
post #15 of 24
A somewhat-high profile event such as this would be a good excuse for Apple to start implementing password rules.
post #16 of 24
... and that's 401 too many!
"Why iPhone"... Hmmm?
post #17 of 24
Quote:
Originally Posted by jragosta

I guess now we'll hear from all the people who think Apple should look over your shoulder while you select a password and make sure the password meets Apple's standards.

If by Apple standards you mean the basic standards for a good password then yes, they should force it.

Fact is, now there are a lot of non geeks out there online. Grannies etc that have no idea really what they are doing. They don't understand about good passwords, good security questions etc. It sucks when they have to learn it by someone hacking something. Better to teach them and guide them up front.

And having a system that vets that you aren't using 12345678 or AAAAAAAA, or that you put in at least one non-letter, etc. is not telling you what your password should be. It's just teaching you how to make up one.

And it is in Apple's best interest because time to reverse charges, etc. is money for them.

Quote:
Originally Posted by gabberattack

This sounds like bullcrap from Apple. How can 400 accounts make 40 books jump into the top 50 if we have over 150,000,000 iTunes accounts? Are 400 purchased copies enough to get to top selling?

Quote:
Originally Posted by jragosta

Because it's a time-dependent event.

Exactly. I've seen top lists change day by day and some almost hourly. It's all automated it would seem, based on what has sold over X period.
Quote:
Originally Posted by jeffreytgilbert

ONLY?

wtf, guys.

Yeah. Only. They caught it and shut it down before even 1/100th of the number of accounts were affected. That warrants an only.

Quote:
Originally Posted by heulenwolf

I'm curious how Apple came to the conclusion their statement implies: That weak user passwords are the sole vulnerability that was exploited.

Any company with an online system worth its weight has logs of logs of logs that would show a brute force attempt. So they know it wasn't that.

And they can probably see the passwords on the accounts affected, or even possibly just asked said parties. With a weak password or security question it's easy to social hack your way into a system.

A non tech's thoughts on Apple stuff 

(She's family so I'm a little biased)

Reply

A non tech's thoughts on Apple stuff 

(She's family so I'm a little biased)

Reply
post #18 of 24
Quote:
Originally Posted by heulenwolf

I'm curious how Apple came to the conclusion their statement implies: That weak user passwords are the sole vulnerability that was exploited. I certainly wouldn't argue against it being the most likely cause. Probably far more than 400 out of any set of 150 million people would unwisely choose to use weak passwords even if the account ties to their credit card. But how do they know? Was it simply a process of elimination - "We verified that our servers weren't compromised so it must have been guessed passwords," - or do they have some evidence that Thuat used a password cracker program? I hope it's more than the former because it's pretty tough to prove the negative that servers weren't compromised.

Since this is a fraud case, is the FBI going to investigate?

It's far more likely that their passwords were phished from social networking sites. Users all too often use the same login and passwords across multiple online accounts. Phishing social network sites is far easier. From there it would be simple to validate if the credentials worked in iTunes. It's highly unlikely that they used dictionary attacks, since Apple will lock an iTunes account after too many failed attempts.
3.4GHz Quad-Core Intel Core i7 / iMac 27" 2.8 Quad i7 / 17" Macbook Pro Unibody / Mac Mini HTPC / iPhone 6 Plus 64GB /iPad with Retina Display 64 GB
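The distinction drawn in posts #17 and #18, that authentication logs expose a brute-force run and that a failed-attempt lockout stops dictionary guessing while credentials harvested elsewhere and replayed look like ordinary successful logins, as an added illustration that is not from the thread or from Apple: a small Python triage over constructed log lines. The log format, the lockout threshold of 5 consecutive failures and the "3 or more accounts from one source" threshold are assumptions for the example.

```python
from collections import defaultdict

# Constructed sample authentication log (not real iTunes data); each line is
# "<timestamp> <account> <source_ip> <result>". Block one: a single source
# hammering one account. Block two: one source walking through many accounts
# and succeeding almost every time, as replayed harvested credentials look.
SAMPLE_LOG = """\
2010-07-06T09:00:01 alice@example.com 203.0.113.5 FAIL
2010-07-06T09:00:02 alice@example.com 203.0.113.5 FAIL
2010-07-06T09:00:03 alice@example.com 203.0.113.5 FAIL
2010-07-06T09:00:04 alice@example.com 203.0.113.5 FAIL
2010-07-06T09:00:05 alice@example.com 203.0.113.5 FAIL
2010-07-06T09:00:06 alice@example.com 203.0.113.5 FAIL
2010-07-06T09:10:00 bob@example.com 198.51.100.7 OK
2010-07-06T09:10:03 carol@example.com 198.51.100.7 OK
2010-07-06T09:10:05 dave@example.com 198.51.100.7 OK
2010-07-06T09:10:09 erin@example.com 198.51.100.7 FAIL
2010-07-06T09:10:11 frank@example.com 198.51.100.7 OK
2010-07-06T12:00:00 grace@example.com 192.0.2.20 OK
"""

LOCKOUT_THRESHOLD = 5  # assumed policy: lock after 5 consecutive failures
STUFFING_MIN_ACCOUNTS = 3  # assumed: one source succeeding on 3+ accounts

def parse(log_text):
    """Split the log into (timestamp, account, source_ip, result) tuples."""
    return [tuple(line.split()) for line in log_text.splitlines() if line.strip()]

def apply_lockout(events, threshold=LOCKOUT_THRESHOLD):
    """Replay events under a consecutive-failure lockout; return the accounts
    that end up locked and the attempts rejected once they were locked."""
    consecutive_fails = defaultdict(int)
    locked, rejected = set(), []
    for ts, account, ip, result in events:
        if account in locked:
            rejected.append((ts, account, ip))
            continue
        if result == "FAIL":
            consecutive_fails[account] += 1
            if consecutive_fails[account] >= threshold:
                locked.add(account)
        else:
            consecutive_fails[account] = 0
    return locked, rejected

def triage(events, min_accounts=STUFFING_MIN_ACCOUNTS):
    """Brute force: many failures against one account. Credential replay:
    one source logging straight into many different accounts."""
    fails_per_account = defaultdict(int)
    ok_accounts_per_ip = defaultdict(set)
    for _ts, account, ip, result in events:
        if result == "FAIL":
            fails_per_account[account] += 1
        else:
            ok_accounts_per_ip[ip].add(account)
    brute_forced = {a for a, n in fails_per_account.items() if n >= LOCKOUT_THRESHOLD}
    replay_sources = {ip for ip, a in ok_accounts_per_ip.items() if len(a) >= min_accounts}
    return brute_forced, replay_sources
```

On the sample, the lockout blocks the sixth attempt on alice's account, while the replay source never trips it because each account sees at most one failure; only the many-accounts-per-source view catches it.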
post #19 of 24
Having had my iTunes account hacked a year ago in January, I can tell you that it's not a fun experience. Apple's security team, however, was top notch.

It seems somewhat funny now, but it sure wasn't at the time.

Imagine having Gmail as your primary email account, and seeing a notification come through from Apple that you just purchased a $200 gift card.

Then, within seconds, watch 10 to 20 additional notifications come through with the exact same message!

In the end, it was determined that Gmail itself had been hacked and that was how they got my iTunes password. Lesson learned. Stronger passwords and no more Gmail for me.
Pity the agnostic dyslectic. They spend all their time contemplating the existence of dog.
post #20 of 24
Quote:
Originally Posted by justflybob

Having had my iTunes account hacked a year ago in January, I can tell you that it's not a fun experience. Apple's security team, however, was top notch.

It seems somewhat funny now, but it sure wasn't at the time.

Imagine having Gmail as your primary email account, and seeing a notification come through from Apple that you just purchased a $200 gift card.

Then, within seconds, watch 10 to 20 additional notifications come through with the exact same message!

In the end, it was determined that Gmail itself had been hacked and that was how they got my iTunes password. Lesson learned. Stronger passwords and no more Gmail for me.

You could simply use a different password in iTunes, and that would stop this kind of hack cold. I don't really see how GMail is relevant. It's not only stronger passwords, but different passwords rather than a common password across all of your online accounts.
3.4GHz Quad-Core Intel Core i7 / iMac 27" 2.8 Quad i7 / 17" Macbook Pro Unibody / Mac Mini HTPC / iPhone 6 Plus 64GB /iPad with Retina Display 64 GB
post #21 of 24
Quote:
Originally Posted by DJRumpy

You could simply use a different password in iTunes, and that would stop this kind of hack cold. I don't really see how GMail is relevant. It's not only stronger passwords, but different passwords rather than a common password across all of your online accounts.

I had forwarded an attachment from work to home that had a list of some of my common passwords. Not a smart move, but that's how they got it from Gmail.
Pity the agnostic dyslectic. They spend all their time contemplating the existence of dog.
post #22 of 24
Quote:
Originally Posted by justflybob

I had forwarded an attachment from work to home that had a list of some of my common passwords. Not a smart move, but that's how they got it from Gmail.

lol..Not something I would ever do. SMTP is just not secure enough considering the path your message could take is entirely out of your control.

I've run into similar situations where I needed to pass confidential information from work to home. I typically use third party sites to upload and encrypt the data so that I could download it later when I accessed it from home. For instance, simply zipping up the data in a password protected file and putting it in a file vault (my internet provider provides this service to me for free). Failing that, I think I would just rely on sneakernet and print it out and stick it in my wallet.
3.4GHz Quad-Core Intel Core i7 / iMac 27" 2.8 Quad i7 / 17" Macbook Pro Unibody / Mac Mini HTPC / iPhone 6 Plus 64GB /iPad with Retina Display 64 GB
post #23 of 24
Quote:
Originally Posted by DJRumpy

lol..Not something I would ever do. SMTP is just not secure enough considering the path your message could take is entirely out of your control.

I've run into similar situations where I needed to pass confidential information from work to home. I typically use third party sites to upload and encrypt the data so that I could download it later when I accessed it from home. For instance, simply zipping up the data in a password protected file and putting it in a file vault (my internet provider provides this service to me for free). Failing that, I think I would just rely on sneakernet and print it out and stick it in my wallet.

Yeah, not the brightest thing I have ever done. For sure.

I now encrypt EVERYTHING.
Pity the agnostic dyslectic. They spend all their time contemplating the existence of dog.
post #24 of 24
Quote:
Originally Posted by jeffreytgilbert

ONLY?

wtf, guys.

Yes. Only. As always - the numbers are relative: 400 Kin users would be a MUCH bigger debacle.