iTunes user accounts hacked

iTunes suffered an account compromise over the July 4th long weekend: user accounts were stolen and unauthorized purchases were made with them.

This hack was apparently the work of rogue developers who stole user accounts and rang up purchases of their own products. Some users reported purchases on the order of a few hundred dollars within a short span of time over the July 4th holidays.

When I discuss security with clients, who are typically owners of online stores, I keep mentioning anomaly detection as one of the ways to identify a breach or attempted breach. For example, if you get a lot of invalid logins from a set of IPs in a very short span of time, someone might be trying a brute-force attack with different combinations of login credentials.

It looks like Apple either had nothing in place to flag sudden surges in sales or simply chose to ignore them. For instance, one user reported that his purchases totaled $15 over the past year and then about $1100 was racked up in a single weekend. If the entire amount were for one item, it might still not raise suspicion, but if it is for a bunch of apps, or the same app over and over again, there is certainly room for suspicion. All the user needs is an email notifying them of the purchases immediately.
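The kind of anomaly check described above, as an added example that is not part of the original post: a per-account detector that compares weekend spend against the preceding year's baseline and flags the same item bought repeatedly. The purchase log, item names and thresholds are constructed for illustration, not real iTunes data.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed purchase log for one account: about $15 spread over a year,
# then a burst of the same app bought over and over on the July 4th weekend.
PURCHASES = [
    ("2009-08-03T10:12:00", "Podcast Manager", 2.99),
    ("2009-11-21T19:40:00", "Flashlight Pro", 0.99),
    ("2010-02-14T08:05:00", "Sudoku Daily", 4.99),
    ("2010-05-30T21:30:00", "Weather Now", 5.99),
] + [
    ("2010-07-04T02:%02d:00" % m, "Farm Frenzy Deluxe", 69.99)
    for m in range(0, 30, 2)  # 15 purchases in half an hour
]


def spending_anomalies(purchases, now, window=timedelta(days=3),
                       baseline=timedelta(days=365), surge_factor=5.0,
                       repeat_threshold=3):
    """Return totals plus alerts for a spending surge or repeated item buys.

    Surge: spend inside `window` exceeds `surge_factor` times the spend over
    the preceding `baseline` period. Repeat: one item bought
    `repeat_threshold` or more times inside `window`.
    """
    window_start = now - window
    baseline_start = window_start - baseline
    recent_total = baseline_total = 0.0
    recent_items = Counter()
    for ts, item, amount in purchases:
        t = datetime.fromisoformat(ts)
        if window_start <= t <= now:
            recent_total += amount
            recent_items[item] += 1
        elif baseline_start <= t < window_start:
            baseline_total += amount
    alerts = []
    # Floor the baseline at $1 so a near-dormant account still triggers.
    if recent_total > surge_factor * max(baseline_total, 1.0):
        alerts.append("spending surge: $%.2f in %d days vs $%.2f baseline"
                      % (recent_total, window.days, baseline_total))
    for item, n in sorted(recent_items.items()):
        if n >= repeat_threshold:
            alerts.append("repeat purchase: '%s' bought %d times" % (item, n))
    return {"recent_total": round(recent_total, 2),
            "baseline_total": round(baseline_total, 2), "alerts": alerts}


if __name__ == "__main__":
    for line in spending_anomalies(PURCHASES, datetime(2010, 7, 6))["alerts"]:
        print(line)
```

Either alert is what would drive the immediate notification email the post asks for; the thresholds are knobs a store would tune against its own false-positive rate.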

According to the user, Apple's response was to advise them not to let the iTunes store keep their credit card information on file, and to point to its policy of no refunds. Users, for the most part, have been left to work with their credit card companies or PayPal to stop payments. Even so, the fact remains that the user accounts were stolen.

Maybe I am making too much of this, but coupled with their recent response to the iPhone antenna problem, this looks like a case of Apple taking its customers for granted. With the growing popularity of Apple products, these kinds of incidents are only going to grow, and it would be prudent for Apple to come up with a long-term strategy for handling them. They have Microsoft's experiences to learn from.

Here is the official Apple statement regarding the hack:

The developer Thuat Nguyen and his apps were removed from the App Store for violating the Developer Program License Agreement, including fraudulent purchase patterns.
Developers do not receive any iTunes confidential customer data when an app is downloaded.
If your credit card or iTunes password is stolen and used on iTunes, we recommend that you contact your financial institution and inquire about canceling the card and issuing a chargeback for any unauthorized transactions. We also recommend that you change your iTunes account password immediately. For more information on best practices for password security visit http://www.apple.com/support/itunes.