Only 400 iTunes accounts compromised in fraud, Apple says

Posted in iPod + iTunes + AppleTV, edited January 2014
Apple this week revealed more details on an iTunes fraud case, in which one developer managed to boost their sales, revealing that just 400 iTunes accounts were compromised.



Over the weekend, it was reported that some iTunes account holders were involved in a number of fraud cases. Just how many accounts were compromised, though, was unknown. Clayton Morris of Fox News reached out to Apple for comment, and reported the company's official word on his personal blog this week.



"Apple told me that an extremely small percentage of users, about 400 of the 150 million iTunes users - that is less than 0.0003% of iTunes users, were impacted," he wrote.



It's the second time this week that Apple spoke out publicly on the issue. The company had previously revealed that the developer whose sales were boosted, Thuat Nguyen, was banned from the App Store and his applications were removed.



Nguyen occupied over 40 of the top 50 applications in the App Store's books category with a number of Japanese manga titles. The books were listed under the name "mycompany" with the website "Home.com." Apple's official statement said that Nguyen was involved in "fraudulent purchase patterns."



The company also recommended that users review their iTunes and credit card accounts to ensure that no unauthorized activity has taken place.



In addition, Apple said its own servers were not compromised at all in the incident, but the company is taking steps to further protect consumers who may have had weak passwords compromised.



"Apple says that starting today they're implementing a new security feature to minimize this type of fraud in the future," Morris wrote. "Basically you'll have to enter your credit card's CCV code a little more often from now on."




Comments

  • Reply 1 of 23
    jragosta (member, Posts: 10,473)
    First!



    'customers who had weak passwords compromised'.



    I guess now we'll hear from all the people who think Apple should look over your shoulder while you select a password and make sure the password meets Apple's standards.



    After that, we'll hear from all the people protesting Apple's interference in your selecting any password you want - no matter how weak it is.



    After all, we all know that whatever happens, it's Apple's fault (unless something good happens, and then it's clearly not Apple's doing).
  • Reply 2 of 23
    This sounds like bullcrap from Apple. How can 400 accounts make 40 books to jump into top 50 if we have over 150.000.000 iTunes accounts? Is 400 purchased copies enough to get to top selling?
  • Reply 3 of 23
    jragosta (member, Posts: 10,473)
    Quote (originally posted by gabberattack):


    This sounds like bullcrap from Apple. How can 400 accounts make 40 books to jump into top 50 if we have over 150.000.000 iTunes accounts? Is 400 purchased copies enough to get to top selling?



    Because it's a time-dependent event. They measure sales over some small time period. Let's say that a top selling book sells 100,000 books in a year. That's under 300 per day. If they buy a single book from every one of those new accounts in the same day, it would jump to the top. It's really much easier to think about things rationally rather than accusing Apple of lying every time you don't understand something.



    In reality, the numbers are probably even smaller. The data is somewhat older, but only 900,000 books OF ALL TITLES in the first month. I don't know how these 'book apps' fare compared to iBooks downloads, but it's likely that even 100 sales in a day would put you into the top ranking.
  • Reply 4 of 23
    abster2core (member, Posts: 2,501)
    Quote (originally posted by gabberattack):


    This sounds like bullcrap from Apple. How can 400 accounts make 40 books to jump into top 50 if we have over 150.000.000 iTunes accounts? Is 400 purchased copies enough to get to top selling?



    I would love to hear how your two questions relate to your opening statement.



    It sounds like you have come to a conclusion without any comprehension of the subject in question or really wanting to know the answer at all.



    My hat's off to jragosta for trying. Not that it would matter. IMO.



    BTW jragosta, you're right on re your first comment.
  • Reply 5 of 23
    I'm curious how Apple came to the conclusion their statement implies: That weak user passwords is the sole vulnerability that was exploited. I certainly wouldn't argue against it being the most likely cause. Probably far more than 400 out of any set of 150 million people would unwisely choose to use weak passwords even if the account ties to their credit card. But how do they know? Was it simply a process of elimination - "We verified that our servers weren't compromised so it must have been guessed passwords," - or do they have some evidence that Thuat used a password cracker program? I hope it's more than the former because it's pretty tough to prove the negative that servers weren't compromised.



    Since this is a fraud case, is the FBI going to investigate?
  • Reply 6 of 23
    ONLY?



    wtf, guys.
  • Reply 7 of 23
    johnnyb0731 (member, Posts: 326)
    Quote (originally posted by jeffreytgilbert):


    ONLY?



    wtf, guys.



    When compared to 150 million users I think "only" is the proper adjective.
  • Reply 8 of 23
    sheff (member, Posts: 1,407)
    Thankfully mine was not breached.



    Whoops, I guess this horse was already beaten. Forget what I said.
  • Reply 9 of 23
    minderbinder (member, Posts: 1,703)
    Quote (originally posted by gabberattack):


    Is 400 purchased copies enough to get to top selling?



    Actually, yes. Book sales are still VERY low at this point, it doesn't take much at all to make the charts. Previous articles have covered this.



    Quote (originally posted by heulenwolf):


    I'm curious how Apple came to the conclusion their statement implies: That weak user passwords is the sole vulnerability that was exploited.



    As you said, they didn't actually say that, you just assumed it was implied. I would think it wouldn't be hard to tell if the servers were actually hacked versus things like guessing passwords. Especially if Apple can check the passwords of the hacked accounts and see if many of them were weak passwords.



    Quote (originally posted by jeffreytgilbert):


    ONLY?



    wtf, guys.



    Out of 150 million accounts, 400 isn't many at all. About three ten thousandths of a percent. I bet there are a LOT more than that that have the password "password". And I'd bet many other sites like credit cards, other online stores, etc. have at least that high a percent of accounts hacked. While hacked accounts are a bummer, what exactly do you expect Apple to do, test passwords and require ones that aren't weak? Which of course would just lead to more whining from a different group of people...



    Quote (originally posted by sheff):


    But its interesting that you only need 400 people to buy an app to become #1 on iTunes.



    That's because in this case they aren't apps, they are books which are much newer and not selling nearly as many yet. The article is a bit confusing on this one.
  • Reply 10 of 23
    Only 400 iTunes accounts compromised in fraud, Apple says



    "Only...," tell that to one of the 400 that it is only. I am sure no one here would want to be one of the "only."



    Hopefully Apple takes steps to fix this long term and plugs other holes. If they're not already they should hire pro-hackers to help them spot issues.
  • Reply 11 of 23
    jragosta (member, Posts: 10,473)
    Quote (originally posted by mesomorphicman):


    Only 400 iTunes accounts compromised in fraud, Apple says



    "Only...," tell that to one of the 400 that it is only. I am sure no one here would want to be one of the "only."



    Hopefully Apple takes steps to fix this long term and plugs other holes. If they're not already they should hire pro-hackers to help them spot issues.



    See post #2.
  • Reply 12 of 23
    krynsky (member, Posts: 4)
    400 eh, that's a nice even number.
  • Reply 13 of 23
    xtss33 (member, Posts: 25)
    Miserable cuss that I am. So here's the thing, I had a weak password, very weak. In fact the hackers trolled my online photo gallery and found a reference to a pet name and BINGO. I know, learned that lesson.



    This happened while I was on vacation - I was sunning on the beach in Hawaii with my iPad and received the usual iTunes store receipt when I noticed about $200 worth of stuff I didn't buy. In a period of two days, the hackers had downloaded many games and some music. I immediately changed my password and contacted Apple.



    My process was to contact my local police dept. to report the fraud and obtain an incident number (for my bank, not Apple), and to report the fraud to the bank, giving the police incident number and vendor info (Apple iTunes, fraud history in the form of the iTunes receipts). My bank provisionally reversed the charges pending their research with Apple. This is my bank; yours may differ in process and results.



    I also changed EVERY password on all my accounts. Not that they were all this weak but I felt better afterwards. Then I took a shower.
  • Reply 14 of 23
    jglavin (member, Posts: 93)
    A somewhat-high profile event such as this would be a good excuse for Apple to start implementing password rules.
  • Reply 15 of 23
    daharder (member, Posts: 1,580)
    ... and that's 401 too many!
  • Reply 16 of 23
    charlituna (member, Posts: 7,217)
    Quote (originally posted by jragosta):




    I guess now we'll hear from all the people who think Apple should look over your shoulder while you select a password and make sure the password meets Apple's standards.




    If by Apple standards you mean the basic standards for a good password then yes, they should force it.



    Fact is, now there are a lot of non geeks out there online. Grannies etc that have no idea really what they are doing. They don't understand about good passwords, good security questions etc. It sucks when they have to learn it by someone hacking something. Better to teach them and guide them up front.



    And having a system that vets that you aren't using 12345678 or AAAAAAAA, or that you put in at least one non-letter, etc. is not telling you what your password should be. It's just teaching you how to make up one.



    And it is in Apple's best interest cause time to reverse charges, etc is money for them.



    Quote (originally posted by gabberattack):


    This sounds like bullcrap from Apple. How can 400 accounts make 40 books to jump into top 50 if we have over 150.000.000 iTunes accounts? Is 400 purchased copies enough to get to top selling?



    Quote (originally posted by jragosta):


    Because it's a time-dependent event.




    Exactly. I've seen top lists change day by day and some almost hourly. It's all automated it would seem, based on what has sold over X period.







    Quote (originally posted by jeffreytgilbert):


    ONLY?



    wtf, guys.



    Yeah. Only. They caught it and shut it down before even 1/100th of the number of accounts were affected. That warrants an only.





    Quote (originally posted by heulenwolf):


    I'm curious how Apple came to the conclusion their statement implies: That weak user passwords is the sole vulnerability that was exploited.



    Any company with an online system worth its weight has logs of logs of logs that would show a brute force attempt. So they know it wasn't that.



    And they can probably see the passwords on the accounts affected, or even possibly just asked said parties. With a weak password or security question it's easy to social hack your way into a system.
  • Reply 17 of 23
    djrumpy (member, Posts: 1,116)
    Quote (originally posted by heulenwolf):


    I'm curious how Apple came to the conclusion their statement implies: That weak user passwords is the sole vulnerability that was exploited. I certainly wouldn't argue against it being the most likely cause. Probably far more than 400 out of any set of 150 million people would unwisely choose to use weak passwords even if the account ties to their credit card. But how do they know? Was it simply a process of elimination - "We verified that our servers weren't compromised so it must have been guessed passwords," - or do they have some evidence that Thuat used a password cracker program? I hope it's more than the former because it's pretty tough to prove the negative that servers weren't compromised.



    Since this is a fraud case, is the FBI going to investigate?



    It's far more likely that their passwords were phished from social networking sites. Users all too often use the same login and password across multiple online accounts. Phishing social network sites is far easier. From there it would be simple to validate if the credentials worked in iTunes. It's highly unlikely that they used dictionary attacks, since Apple will lock an iTunes account after too many failed attempts.
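An added example (not from the article or from any poster in this thread) of the check Replies 16 and 17 describe: a pass over login-log lines that separates a brute-force streak, and the lockout that stops it, from a first-try success, which is what a reused or phished password looks like in a log. The log format, the lockout threshold and the sample lines are assumptions constructed for the example.

```python
# Added example (not from the article or any poster): turn the argument in
# Replies 16 and 17 into a check over login-log lines. The log format, the
# lockout threshold and the sample lines below are constructed assumptions.
from collections import defaultdict

LOCKOUT_THRESHOLD = 5  # assumed policy: lock an account after 5 straight failures

# Constructed sample log, one attempt per line: "<time> <account> <source_ip> <result>"
SAMPLE_LOG = """\
10:00:01 alice 203.0.113.7 FAIL
10:00:02 alice 203.0.113.7 FAIL
10:00:03 alice 203.0.113.7 FAIL
10:00:04 alice 203.0.113.7 FAIL
10:00:05 alice 203.0.113.7 FAIL
10:00:06 alice 203.0.113.7 FAIL
10:05:00 bob 203.0.113.7 OK
10:05:30 carol 203.0.113.7 OK
10:06:00 dave 198.51.100.4 FAIL
10:06:10 dave 198.51.100.4 OK
"""

def parse_log(text):
    """Yield (account, source_ip, result) per well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3] in ("OK", "FAIL"):
            yield parts[1], parts[2], parts[3]

def classify_accounts(text, threshold=LOCKOUT_THRESHOLD):
    """Label each account by the failure streak before its outcome."""
    # first-try success = what a reused/phished password looks like;
    # a long streak = guessing, which the lockout stops before it succeeds.
    streak, labels = defaultdict(int), {}
    for account, _ip, result in parse_log(text):
        if result == "FAIL":
            streak[account] += 1
            if streak[account] >= threshold:
                labels[account] = "locked_out"
        elif account not in labels:
            labels[account] = ("first_try_success" if streak[account] == 0
                               else "success_after_failures")
    return labels

def sources_touching_many_accounts(text, min_accounts=2):
    """Source IPs that tried several accounts: one actor working through a list."""
    seen = defaultdict(set)
    for account, ip, _result in parse_log(text):
        seen[ip].add(account)
    return {ip: sorted(accts) for ip, accts in seen.items() if len(accts) >= min_accounts}
```

In the sample, alice is locked out before any success, bob and carol succeed on the first try from the same source that was guessing at alice, and dave is a single mistyped password followed by a normal login.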
  • Reply 18 of 23
    justflybob (member, Posts: 1,337)
    Having had my iTunes account hacked a year ago in January, I can tell you that it's not a fun experience. Apple's security team, however, was top notch.



    It seems somewhat funny now, but it sure wasn't at the time.



    Imagine having Gmail as your primary email account, and seeing a notification come through from Apple that you just purchased a $200 gift card.



    Then, within seconds, watch 10 to 20 additional notifications come through with the exact same message!



    In the end, it was determined that Gmail itself had been hacked and that was how they got my iTunes password. Lesson learned. Stronger passwords and no more Gmail for me.
  • Reply 19 of 23
    djrumpy (member, Posts: 1,116)
    Quote (originally posted by justflybob):


    Having had my iTunes account hacked a year ago in January, I can tell you that it's not a fun experience. Apple's security team, however, was top notch.



    It seems somewhat funny now, but it sure wasn't at the time.



    Imagine having Gmail as your primary email account, and seeing a notification come through from Apple that you just purchased a $200 gift card.



    Then, within seconds, watch 10 to 20 additional notifications come through with the exact same message!



    In the end, it was determined that Gmail itself had been hacked and that was how they got my iTunes password. Lesson learned. Stronger passwords and no more Gmail for me.



    You could simply use a different password in iTunes, and that would stop this kind of hack cold. I don't really see how GMail is relevant. It's not only stronger passwords, but different passwords rather than a common password across all of your online accounts.
  • Reply 20 of 23
    justflybob (member, Posts: 1,337)
    Quote (originally posted by DJRumpy):


    You could simply use a different password in iTunes, and that would stop this kind of hack cold. I don't really see how GMail is relevant. It's not only stronger passwords, but different passwords rather than a common password across all of your online accounts.



    I had forwarded an attachment from work to home that had a list of some of my common passwords. Not a smart move, but that's how they got it from Gmail.