Apple ID security bolstered, forums taken offline after apparent hack

Posted in General Discussion, edited January 2014
Apple's online support discussion forums were taken offline this weekend after the site was apparently targeted by a malicious attack. The company has also increased its Apple ID account security (which is shared by iTunes) following earlier account fraud.



Discussions taken offline



Users reported that the company's official support discussion pages were unavailable on Saturday after the site first presented the message "for fun, by tojen," without any other content.



Following the apparent hack, the site was redirected to a "backsoon/discussionstempaway" URL that simply stated, "we're sorry, Apple Discussions is temporarily unavailable. We'll be back soon. Until then, please visit http://www.apple.com/support".



The discussion site appeared to remain offline throughout the weekend for some users who entered the discussions.apple.com URL manually or arrived using a saved bookmark, but direct links to discussion forum threads continued to work and entering the discussion site through Apple's support links also seemed to work normally.



This suggests the attack may have targeted external DNS servers or Apple's content delivery partners, sending users to an incorrect or outdated address of compromised servers that had been taken offline.







Increased security measures for iTunes accounts



Some users expressed concern about having logged into the support site using their Apple ID, which for many users is shared with their credit card-linked iTunes account and therefore could be used to make fraudulent purchases if the account information were actually intercepted by a third party.



To avoid any concerns, users can review their iTunes purchases for unauthorized transactions and change their account passwords. A relatively small number of iTunes accounts were targeted by fraud in July, resulting in the inflated popularity of a specific developer's apps. Apple subsequently removed the developer from iTunes.



Apple has also increased the security of iTunes accounts, requiring users to verify their account information when they log into new devices (and associate their iTunes account with that Mac, Apple TV, iPhone, iPod Touch, or iPad), and now requires that new iTunes account passwords include at least 8 characters with mixed capitalization. Logging into certain devices, including Apple TV, now prompts users to update their password to the new minimum security standard.

Comments

  • Reply 1 of 11
    plovell Posts: 824 member
    It's time that an iTunes account (for a specific ID) was able to have a different password than the one used for email etc.



    I know I can create a different one just for iTunes but that breaks integration with iPhone stuff (email, FindMyiPhone, etc)
  • Reply 2 of 11
    I am always careful.
  • Reply 3 of 11
    Quote:
    Originally Posted by ghostface147 View Post


    I am always careful.



    The problem here is that using this method, a clever hacker could easily have inserted a phishing page into the genuine Apple site, and no one would have been the wiser. Scary!
  • Reply 4 of 11
    Quote:
    Originally Posted by tonton View Post


    The problem here is that using this method, a clever hacker could easily have inserted a phishing page into the genuine Apple site, and no one would have been the wiser. Scary!



    I don't think it would have progressed that far.
  • Reply 5 of 11
    Apple needs to rehire their server expert, Chuq Von Rospach!
  • Reply 6 of 11
    petero Posts: 94 member
    A hacked company website -- even if modest -- deserves some kind of communiqué from a Fortune 100 company. I hope Apple issues a statement tomorrow that acknowledges the problem and describes the nature and impact to its users, if any. I'm not looking to be placated; rather, I just don't want a public instance of a security symptom swept under the rug -- otherwise, it undermines public confidence at the effort behind the veil of security.
  • Reply 7 of 11
    bedouin Posts: 331 member
    The Apple Learning Interchange was hacked last year around this same time. An E-Mail was sent out stating that some IDs and passwords may have been revealed and to take caution. They're closing the ALI in September and sending people over to iTunes U instead.



    I just deleted the hack warning E-Mail a couple weeks ago, otherwise I'd give a more thorough description. I hadn't logged into my account since 2005 maybe, so I can't remember if they integrated it into Apple's universal ID system or not, but I don't think they did. Given the incredibly low traffic the ALI had and its seeming abandonment by Apple I sort of understood how a security lapse could happen.
  • Reply 8 of 11
    sendme Posts: 567 member
    Quote:
    Originally Posted by AppleInsider View Post


    To avoid any concerns, users can review their iTunes purchases for unauthorized transactions and change their account passwords..





    Steve should make us change our passwords on a weekly basis to prevent Apple from looking bad.
  • Reply 9 of 11
    shobiz Posts: 207 member
    Funny, this is not on that other site at all that claims to have everything first.



    Seems that a few things are either falling through the cracks or we are just hearing about these incidents nowadays.
  • Reply 10 of 11
    Quote:
    Originally Posted by plovell View Post


    It's time that an iTunes account (for a specific ID) was able to have a different password than the one used for email etc.



    I know I can create a different one just for iTunes but that breaks integration with iPhone stuff (email, FindMyiPhone, etc)



    I'd like to see Apple support PayPal as a form of payment vs credit card.



    The site hack though is so much more complex. It could just as easily have been a specific ISP that was targeted, maybe "tojan" figured out his ISP hadn't installed the latest DNS patches and decided to have some fun.



    If it is revealed that Apple's DNS or hosting service was hacked this would be quite embarrassing though. All in all I hope incidents like this help Apple to see they aren't invincible and that they must always have a proactive and not reactive approach.
  • Reply 11 of 11
    Quote:
    Originally Posted by iGod 2.0 View Post


    I don't think it would have progressed that far.



    Well, it's a good thing you're not doing the thinking, because that's the quickest, easiest way to collect information.