Scott Hanselman

Welcome to the Cloud - "Your Apple ID has been disabled."

August 12, 2011 | Posted in Apple | Musings

Welcome Hacker News, Slashdot, DF and TechMeme. Be sure to read the follow-up post on "What Good Fraud Detection Looks Like."

Your Apple ID has been disabled. Evil.

So Apple is America's most valuable company. They are, like everyone else, betting the company on the cloud. You may be familiar with the cloud, as it's where all your valuable stuff is. The stuff that you may lose access to at any moment.

The most valuable companies have your valuable data in the cloud. We may think the cloud is decentralized, but it's not. It's totally centralized. All the valuable data is now in one place with one password that's connected to your one bank account. We've centralized and simplified fraud and the public pays for it.

I've got email in Gmail, music in Spotify, files in Dropbox, documents in SkyDrive, photos in Flickr, and media and apps in the Apple Cloud.

I got this email out of nowhere yesterday.

    Dear Scott Hanselman,
    Your Apple ID,, was just used to purchase 明珠三国OL from the App Store on a computer or device that had not previously been associated with that Apple ID.
    If you made this purchase, you can disregard this email. This email was sent as a safeguard designed to protect you against unauthorized purchases.
    If you did not make this purchase, we recommend that you go to to change your password, then see Apple ID: Tips for protecting the security of your account for further assistance.

After confirming the email path via headers and checking all the links as well as the HTML source of the email (seriously, you expect my Mom to do this?) I decided it was legit.
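The three checks in that sentence (the mail path in the headers, where every link really points, and what the HTML source hides behind the link text) can be automated. The script below is an added example, not from the post: it runs on two constructed messages that use reserved test domains rather than Apple's, and the Authentication-Results header in each is invented as a stand-in for what a receiving mail server would add. The registrable_domain helper is deliberately naive (last two labels), so treat this as a first filter, not a replacement for DMARC.

```python
"""Rough "is this purchase-alert email legitimate?" check (added example)."""
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages; domains are reserved test names, not Apple's.
LEGIT_EMAIL = """\
From: "iTunes Store" <do_not_reply@example-apple.test>
To: customer@example.test
Subject: Your Apple ID was used to make a purchase
Authentication-Results: mx.example.test; spf=pass smtp.mailfrom=example-apple.test; dkim=pass header.d=example-apple.test
Content-Type: text/html; charset="utf-8"

<html><body><p>If you did not make this purchase, go to
<a href="https://account.example-apple.test/reset">https://account.example-apple.test/reset</a>
to change your password.</p></body></html>
"""

PHISH_EMAIL = """\
From: "iTunes Store" <security@appleid-verify.invalid>
To: customer@example.test
Subject: Your Apple ID has been disabled
Authentication-Results: mx.example.test; spf=pass smtp.mailfrom=appleid-verify.invalid; dkim=none
Content-Type: text/html; charset="utf-8"

<html><body><p>Verify your account at
<a href="http://appleid-verify.invalid/login">https://account.example-apple.test/verify</a>
within 24 hours.</p></body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    # Naive: last two labels. Real code needs the public suffix list.
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def auth_results(msg):
    """Pull the spf=/dkim=/dmarc= verdicts out of Authentication-Results."""
    out = {}
    for token in str(msg.get("Authentication-Results", "")).replace(";", " ").split():
        key, _, value = token.partition("=")
        if key in ("spf", "dkim", "dmarc"):
            out[key] = value
    return out


def check_links(html, expected_domain):
    """Flag links that leave the expected domain, hide a different target
    behind URL-looking text, or use plain http."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = urlparse(href)
        host = target.hostname or ""
        if registrable_domain(host) != expected_domain:
            findings.append(("off-domain link", href))
        if text.startswith(("http://", "https://")):
            shown = urlparse(text).hostname or ""
            if registrable_domain(shown) != registrable_domain(host):
                findings.append(("display/href mismatch", f"{text} -> {href}"))
        if target.scheme == "http":
            findings.append(("plain http", href))
    return findings


def assess(raw, expected_domain):
    """Return the individual signals plus an overall verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = email.utils.parseaddr(str(msg.get("From", "")))[1]
    from_domain = registrable_domain(sender.rpartition("@")[2])
    auth = auth_results(msg)
    body = msg.get_body(preferencelist=("html", "plain"))
    findings = check_links(body.get_content() if body is not None else "", expected_domain)
    # SPF/DKIM passing for the *wrong* domain proves nothing, so the sender
    # domain must match before the auth results count for anything.
    from_ok = from_domain == expected_domain
    auth_ok = auth.get("spf") == "pass" and auth.get("dkim") == "pass"
    deceptive = any(kind != "plain http" for kind, _ in findings)
    verdict = "likely legitimate" if from_ok and auth_ok and not deceptive else "suspicious"
    return {"from_domain": from_domain, "auth": auth, "link_findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for name, raw in (("legit", LEGIT_EMAIL), ("phish", PHISH_EMAIL)):
        print(name, assess(raw, "example-apple.test"))
```

The phishing sample passes SPF, which is the point: an attacker can publish SPF for a domain they own, so the sender domain has to be checked against the one you expect before any "pass" means anything, and the mismatch between the URL shown in the link text and the real href is the signal a reader cannot see without the HTML source.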

The phrasing of this email is irritating and wrong-headed. Here's why.

  1. They know it's a device they've never seen before.
  2. They let it happen anyway.
  3. They tell me it's for my good in a self-congratulatory way.
      This email was sent as a safeguard designed to protect you against unauthorized purchases.
  4. But, if I didn't make this purchase, rather than a Dispute button or Fraud link, they recommend I change my password.

Evil App

Stunning.

I changed my password and went into the Apple Cloud of past purchases via the App Store. Note that it's "Not On This iPhone." It's actually not on any of my devices, because I never bought it.

If you look at the App, you'll note that it's got a sudden rash of negative reviews from folks who have apparently also been hit by this issue. Someone buys this app (no idea how) and then uses in-app purchase to steal money.

The part I can't get my head around is this. My password is/was rock solid. I use a password manager, my passwords are insane and have high entropy. Not to mention that Apple knows what devices I have and still allowed the purchase.

Next, I got a Paypal Email thanking me for my $40 purchase from Apple. As an interesting data point, I haven't received an iTunes receipt for these illicit purchases.

Instead, I look in iTunes. Odd that we have to go into iTunes to see purchase history instead of a website.

And there they are. A whole series of in-app purchases for an App I don't have on a phone that doesn't exist.
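As an added example (not Apple's logic and not code from this post), here is a toy purchase risk gate that acts on the signals complained about above instead of approving first and emailing later: an in-app purchase for an app the account never bought is refused outright, a purchase from a never-seen device is held for a second step, and a burst of charges from one device is cut off. Device names, app identifiers and the thresholds are invented. The rule that a card purchase on a new device counts as already re-verified follows the reports in the comment thread that iTunes re-prompts for the CVV only for cards, not for PayPal or gift-card balances; that is an assumption here, not a documented Apple behaviour.

```python
"""Toy purchase risk gate: decide before charging, not after (added example).

Not Apple's logic and not from the post. Device ids, app ids, thresholds and
the payment-method rule are all assumptions made for this illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed velocity window
BURST_LIMIT = 25.0               # assumed spend cap per device per window


@dataclass
class Purchase:
    device_id: str
    app_id: str
    kind: str        # "app" (buy the app itself) or "iap" (in-app purchase)
    amount: float
    payment: str     # "card", "paypal" or "gift_card"
    at: datetime


@dataclass
class Account:
    known_devices: set
    owned_apps: set
    history: list = field(default_factory=list)   # approved purchases only


def decide(acct, p):
    """Return (decision, reason) with decision in allow / step_up / block."""
    if p.kind == "iap" and p.app_id not in acct.owned_apps:
        return "block", "in-app purchase for an app this account never bought"
    recent = sum(h.amount for h in acct.history
                 if h.device_id == p.device_id and p.at - h.at <= WINDOW)
    if recent + p.amount > BURST_LIMIT:
        return "block", f"{recent + p.amount:.2f} from one device inside {WINDOW} exceeds burst limit"
    if p.device_id not in acct.known_devices and p.payment != "card":
        # Assumption taken from the comment thread: a card purchase on a new
        # device already re-prompts for the CVV; PayPal and gift-card balances
        # do not, so they get an explicit second step here, not an email later.
        return "step_up", "unknown device and payment method was not re-verified"
    return "allow", "known device or re-verified payment, normal velocity"


def approve(acct, p):
    """Record an approved purchase; the device becomes known, the app owned."""
    acct.history.append(p)
    acct.known_devices.add(p.device_id)
    if p.kind == "app":
        acct.owned_apps.add(p.app_id)


def replay(acct, purchases):
    """Run each purchase through the gate; only allowed ones change state."""
    decisions = []
    for p in purchases:
        decision, reason = decide(acct, p)
        decisions.append((decision, reason))
        if decision == "allow":
            approve(acct, p)
    return decisions


def scenario():
    """Constructed stream modelled on the post: one normal purchase, then an
    unknown device buying in-app items for an app never owned, then a burst."""
    t0 = datetime(2011, 8, 11, 9, 0)
    acct = Account(known_devices={"scotts-iphone"}, owned_apps={"com.example.reader"})
    events = [
        Purchase("scotts-iphone", "com.example.reader", "iap", 0.99, "paypal", t0),
        Purchase("unknown-pc-1", "com.example.strategy-ol", "iap", 9.99, "paypal", t0 + timedelta(hours=3)),
        Purchase("unknown-pc-1", "com.example.strategy-ol", "app", 0.99, "paypal", t0 + timedelta(hours=3, minutes=1)),
        Purchase("unknown-pc-1", "com.example.album1", "app", 9.99, "card", t0 + timedelta(hours=3, minutes=2)),
        Purchase("unknown-pc-1", "com.example.album2", "app", 9.99, "card", t0 + timedelta(hours=3, minutes=3)),
        Purchase("unknown-pc-1", "com.example.album3", "app", 9.99, "card", t0 + timedelta(hours=3, minutes=4)),
    ]
    return replay(acct, events)


if __name__ == "__main__":
    for decision, reason in scenario():
        print(f"{decision:8} {reason}")
```

replay is deliberately stateful: a blocked or stepped-up purchase never adds the device to known_devices, so an attacker cannot "warm up" a device with refused attempts. Note what the gate does not do: it has no dispute path, which is the other half of what the post asks for, and the thresholds here would need tuning against real purchase distributions before they stopped being a toy.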

Evil Receipt

Evil Music.

I looked into Recent Purchases on my phone and found a bunch of music and videos I never purchased either.

Another data point is that the error I get is "This Apple ID has been disabled," NOT "This Apple ID has been disabled for security reasons." Just search around. Everyone has had this problem. Some folks have told me they reset their password every time they buy an app! Others have just given up. We'll never see this fixed until Gruber gets the error.

According to iTunes I've got 479 apps. I've got movies, TV shows, and music. All this is in the Cloud. You know, that amazing thing where all our stuff is stored so we can get to it from anywhere? The Cloud where everything is moving towards, that utopian future where there's no DRM and unlimited storage. Freedom, commerce, and media for all. Except I can't access the cloud. And I have no idea how to fix it.

Protect your neck, Dear Readers. For now, today, I am here and my things are in the cloud and never the twain shall meet.

If you have stories about fraud or hacking, tell me your stories at

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

August 12, 2011 21:13
Hi Scott,

Every time I make a purchase with a new device using my Apple ID it asks me to enter the security code on my credit card. Otherwise the transaction from within the App Store or iTunes Store never completes. Once I enter my CC security code and finalize the purchase I also get the email you mention. In your case I think the person doing the fraudulent purchases has both your Apple ID and your CC info.

Hope you can solve this soon.


- Michel
August 12, 2011 21:19
Scary. Please follow up with more info once you got this sorted out, i.e. did you get a refund and did you manage to figure out how someone got your password (Trojan/keylogger on your iTunes computer maybe?)
August 12, 2011 21:20
@scott and @Michel given that Scott is careful with his password, the only way that can happen is a keylogger !?!?

Whatever it is this is dang crazy and scary!

I hope this gets resolved for Scott quickly.
August 12, 2011 21:26
August 12, 2011 21:29
That's nasty. I make a lot of purchases on various devices (sometimes for multiple people) and luckily have never run into a problem. Like Scott, I have insane passwords (based on phrases that hit the size limit on most sites) and cannot fathom anyone brute forcing or sniffing them (I have 3 firewalls at home, don't ask).

Hope it gets worked out and Apple isn't a douche over things. Sometimes they're pretty good but depends on the rep you talk to. However I agree it's silly they let the purchase go through when they knew it was on an unknown device. I can see the balance between customer service and privacy protection but frankly I would prefer them to deny the purchase until I called a 24 hour number or something with confirmation information.
August 12, 2011 21:31
This is sooo funny:
August 12, 2011 21:37
One way you could've gotten hacked is by using your iDevice on an open network (firesheep anybody?). That said.. this is a great reminder of when the cloud could turn evil. Suck, sorry for you, hope you get it resolved soon!
August 12, 2011 21:43
I had a similar issue with my bank. They called me and told me there were questionable transactions on my account that could be fraudulent. Upon hearing the details I told them they were indeed fraudulent (multiple many-hundred-dollar purchases at the same big box chain in multiple cities in one state across the nation from me). They spotted it. Bravo!! Now the crazy part - they then let the charges hit my account, clear out my balance and I had to call back in and dispute the charges for three weeks while no money sat in my account. What's the point of that kind of service?
August 12, 2011 21:46
Michel - I did that too, then switched to PayPal. I'm going to move to iTunes Gift cards bought with cash, I think.

Sebastiaan - I don't use open wifi in cafes anymore. I use a personal mobile hotspot for this reason

Everyone - I can't imagine a keylogger but does anyone have suggestions for a detector?
August 12, 2011 21:48
Sorry Scott got back from lunch and saw this post and Phil's in my reader next to each other and couldn't resist.
August 12, 2011 21:56
I guess I might be the only one that doesn't trust a company [Apple] where security of the device is an extra feature and not a standard implementation. My iTunes needs my password, changes every time I am requested to enter it. And if I make a purchase I use PayPal, with a Pay Hold so I have to validate the purchases.

I have never had an issue like this, but it is because I did not depend on someone protecting me. Sorry to hear that this happened to you.

August 12, 2011 22:20
I tweeted to Scott that the evidence in this case is highly likely pointing to an exploit vs a keylogger/old fashioned identity theft.

If the problem persists after you change your password you're generally left with:
1) The problem goes away. If this happened, perhaps they did just brute force your password or got it through some other one-time means.
2) There's still a keylogger/detection scheme active and they'll continue to make purchases.
3) There is no scheme active but whatever this exploit is allows access to game Apple's purchasing system.

I highly suspect this will result in #3. Look at the purchases. $40 isn't cheap in iOS land and if they were smart, chances are they targeted someone that wouldn't think that much money was a discrepancy. Normal id theft (as if it's normal) of the banking variety generally results in large purchases to drain the account immediately in a one-time snatch-and-grab sort of thing. If these stayed at $1 purchases, they might have *never* been detected. This seems too calculated but the door can swing both ways there.

I didn't really want to harp on the evidence because the real issue here is what Chris touched on, that they are allowing you to make bank transactions which are at a point where it's too late to do much. Sure you may be able to get your money back but I think they hope the hassle is so great that you just don't bother. While Bryan Wood has one of the right answers, would you make those suggestions for say your mother? Could they even handle the technical hurdle? This is something that could easily be a part of their system but they're choosing not to by the tone of the email and links provided. I really hope that changes because I know a lot of people that chose iOS devices due to the simplicity and something like this is bound to hit them first. Scott's highly abnormal in this instance...
August 12, 2011 22:23
Holy s***!! What the heck is goin' on?

This happened to me too, but "out of nowhere" appears on my paypal account a subscription about an application for iPhone called Paymo. WHAT THE F*** IS THIS? I never heard that name before. I just cancelled that damn subscription.

August 12, 2011 22:24
Scott, how about when you're abroad, in airports, etc?
August 12, 2011 22:32
sebastiaan - I avoid it as MUCH as possible.
August 12, 2011 22:33
In regards to the person saying that you have to enter a response to Apple iTunes when you use a new device, that only occurs with credit cards... if you have PayPal (as Scott does/did) or gift cards, it will not ask you for any verification.

August 12, 2011 22:34
A massive security hole for certain.

One of the things I do that really protects my online funds is I do not use a regular Visa/MC/Amex. I have a "Debit CC" which only contains as much cash as I ever load onto it. It's not as convenient as whipping out the Visa but almost all online sites accept them as a CC. The advantage is that I cannot lose any more on the card than I preload onto it. If it's ever compromised, the most I'll lose is maybe $15. I can load far more than that on there but I don't. It also keeps me conscious as to how much I can/will spend online.

August 12, 2011 22:35
Happened to me this week, same exact thing. Maddening.
August 12, 2011 22:35

Sorry to hear about your hassles. This hasn't happened to me yet, luckily. While the cloud is the de facto destination for consumer-oriented software products today, the governance of data in the cloud and lack of security and perimeterization is the reason why large enterprises have not yet adopted cloud computing as the data center architecture of choice. Most enterprise data is still stuck in their own physical data centers in private clouds. Privacy and security are still concerns for large enterprises. This will change of course as more solutions are developed to help migrate old identity and access management tools to the cloud to help bound the perimeters and secure data at rest or on the move. Regulatory compliance is also a key driver; the EU is very strict about privacy for instance. But Sun Microsystems got it right a long time ago when they predicted that the network is the computer. The future is about big data in the cloud with better protections around privacy, identity and access rights and streaming services that you can use to get at your data from anywhere using just an Internet connection. Insurance companies will produce products to protect against data loss or theft like they do for banks today. It'll get better over time as the tech matures.
August 12, 2011 22:38
Since I Live in Latin America, I have learned to mistrust every single page, commerce and company in the planet.

Cash Gift Cards all the way (except for steam and amazon, I have no choice in both)
August 12, 2011 22:39
Have you seen this thread on Apple's forum about this?

It's apparently been going on since at least December 2010, and with 590 replies I'm guessing there are thousands of people who have been hacked.
August 12, 2011 22:49
"They know it's a device they've never seen before.
They let it happen anyway."

This is the message you get when you first use a new computer to purchase from iTunes/app store.
August 12, 2011 22:58
For just this reason, I don't ever leave a method of payment tied to my iTunes store account. Its a bit of a hassle when I go to buy something, but it keeps me from having to worry about this kind of thing.
August 12, 2011 22:59
Did you by any chance attend DEFCON?
August 12, 2011 23:00
I would vote with my feet and ditch the Apple Cloud stuff.
August 12, 2011 23:01
my favorite is that you have to go to to reset it... um NO i didn't forget, you F@#$ed up.
August 12, 2011 23:06
Josh Patsey - YES, LOL. That's what I thought too. The sense of, "hey, here's an email about why YOU the customer is WRONG."

Piet - Nope. ;)
August 12, 2011 23:08
Re: a detection tool. Look at Rootkit Revealer... if you know Mark Russinovich / Sysinternals (Microsoft!), it is one of those tools. Best of luck.

Also re: losing access... Tried reaching out to Apple? Maybe with a few of your Web Fame credits to cash in they'll give you a reasonable response :-)
August 12, 2011 23:11
"It's over Johnny. . . OVER!"

It's insane these days what you have to do in order to protect your accounts and money when you're online. I had an iphone for about a year and had so many issues with the app store and itunes, I simply gave up and went to Android. I've had a LOT less problems since switching over. It seems Apple has been complacent in allowing the amount of fraud continue for so long. I'm really shocked they haven't done more to protect their users.

I'd be more likely to return to using Apple products if they made a better commitment to security and did a better job of protecting their users.

August 12, 2011 23:17
Scott, Apple is the most valuable company in the world. You know there are other countries out there right?
August 12, 2011 23:20
It's not just Apple, it can happen with any of your online identities -- eBay, Amazon, you name it. My eBay account was somehow hacked last year and eBay disabled it as they noticed suspicious activity. It took days before it was all settled and my account reactivated.

And no, it doesn't help to have a strong password any more, the whole system is simply wrong. Username/password style of authentication simply doesn't scale in the Cloud era, it's simply outdated. We need to go back to the drawing board and invent something totally new and much harder to crack, with full support for deprovisioning of your online identity at any time and yet practical for daily use. Fingerprint, digital signature, genetic recognition, something on that line.
August 12, 2011 23:22
ben - I just saw the America announcement. When did they become Skynet? Was that this week?

Robert - You nailed it. Auth has to change. I vote for eyes or fingerprints. Stuff I don't have to carry around.

Crash - What's different on Android with regard to payments?

Chris - They have no online presence! No blogger, no twitter, nothing but a support form. :(
August 12, 2011 23:24
This certainly looks like you've been keylogged to me. Try the new "Microsoft Standalone System Sweeper Beta." Creates a bootable anti-trojan iso.
August 12, 2011 23:42
Fingerprints and eyes are pretty easy to spoof with the current systems.

The best solution would be to log in with a password, confirm via phone, then confirm via your e-id with code, after that they would send you a letter to ask for your autograph which you can fax to a secure number at the White House.

Simple really.
August 12, 2011 23:45
Apple briefly became the most valuable company in the world on Tuesday, valued at 347.3 billion $, with 76 billion in cash. Exxon got its first place back at the end of the day though. Considering Apple takes around 30% off of all payments, they made 12$ out of your issue ;-)
August 12, 2011 23:47
To those talking about key loggers - that assumes Scott is keying in his password (rather than copy/pasting from a password manager).

@Scott - do you type in the password or paste? Curious what password manager you use - as some of the "popular" ones have more holes than Swiss cheese. Next, do you use a browser "remember my password" or some other mechanism to make it all easier/quicker?

Finally - with the "cloud" there are so many attack vectors, with devices like the phones and whether you have the passwords on there, or services like Dropbox (which you use right) and so on, one wrong move can open it up.
August 12, 2011 23:50

I can't tell specifically what's different, but I have yet to have the experience I had on Apple, where I had the same experience you had. On Apple, I used to have mysterious app payments and got a few of those emails before using a limited fund credit card. Even after resetting my passwords, and changing to this type of credit card, it STILL happened. It took several months of diligent follow up emails and calls before I was reimbursed.

I haven't had any issues with the Android app store and mysterious apps getting purchased.

August 12, 2011 23:57
@Scott, Robert: Making biometrics the standard in identification is the worst thing we could do. What happens when someone figures out how to copy your fingerprint/retina pattern/genetic structure? You can't go to and reset your fingerprint!

Scott, sorry you got hacked. I can't say that I would have expected Apple to deny the purchase simply because it was on a device you hadn't used before; usability would suffer too much for the average user (although I can certainly see it being an account option).

It is ridiculous that the only thing they tell you to do if you didn't make the purchase is change your password and "protect your account". There needs to be a direct link to the dispute process.

As an iPhone user I would be interested in knowing how this happened if you ever figure it out.
August 13, 2011 0:31
@David Nelson: I'd go for two way authentication, combine something you have (e.g. your fingerprint) with something you know (e.g. a password, secret question, whatever). Not 100% secure, but as secure as it gets without being impractical (tokens, SMS, TANs etc.). Since we all have touchscreen devices with cams (or will have them in near future), fingerprint or retina scans lend themselves as an amendment to plain vanilla username/password authentication.
August 13, 2011 0:54
Had to laugh at this:

"I vote for eyes or fingerprints. Stuff I don't have to carry around" - Scott

Where do you put your eyes and fingers when you're travelling?
August 13, 2011 1:14

Make this public, go to the media. One thing I've noticed is that Apple only takes care of the problem when The Guys With The Money, a.k.a. investors, do some gentle (but effective) pressure.

Remember the iPhone 4's antenna, the mac security breach...
They are very good on production and innovation, but very lazy in the maintenance of their flaws.

Ever thought about emailing BBC or CNN about this?
I'm pretty sure they will like it!
August 13, 2011 1:17
You can contact the Apple store directly from their website, it's changed since I last tried but I think it's this

Tell them what's wrong, supply an email address and they will get back to you within 24 hrs. In my opinion they have some of the best tech support out there.

They seem to bend over backwards to make sure you are happy with the outcome.
August 13, 2011 2:11
This happened to me last August while I was on vacation in Florida. I started getting Paypal charge confirmation emails every 20 seconds to the tune of $2800 in charges that all originated from iTunes purchases I didn't make.

Apple is impossible to reach. Their advice is to email them and wait 24 hours for an email response. Quite useless. Thankfully PayPal was extremely helpful. They told me they had hundreds of similar calls and would suspend my account immediately. They reversed the charges although it took about 10 days to get my money back.

I have since disconnected iTunes from Paypal and therefore my bank account and only use iTunes giftcards. I don't trust Apple at all and it's obvious they could care less what happened to me.
August 13, 2011 2:14
Josh, when some hacker is siphoning $40 from your bank account every 20 seconds a 24 hour email response time is not even close to acceptable.
August 13, 2011 3:49

- What did Apple Support say about it? Did you contact them? Did they not refund?
- Were you able to use your already downloaded apps/music/email/movies in your phone after your ID was disabled?
August 13, 2011 3:54
I created a different kind of password generator app. It's got desktop and mobile versions. You get a different password for every site and all you have to do is remember a phrase and identifier - something easy for a human to remember, but hard for a computer to find.

Check it out here
August 13, 2011 4:08
Apple support has reenabled my account.
August 13, 2011 4:23
I'm not so sure PayPal is safe. I need to write a story about my fraud encounter on eBay that started on 7/26.
August 13, 2011 5:03
Why are two apps blacked out in the screenshot? Cydia, perhaps.
August 13, 2011 5:38
Same thing happened to me a couple of months ago, though with a different app store title. In my case, they purchased $150 worth of "honor points" for some military game (think Farmville but with guns). I still don't know how it happened -- my Apple ID has always had a non-dictionary word for its password, a combination of mixed case, numbers and symbols, and always 8-10 characters or longer. It's a pain to type on the phone, but it's secure (and I often wait til I'm at the computer to buy a title). I don't use open wifi access points.

I never got an email from Apple when it happened. I had to contact them when I discovered my well-funded account (with iTunes gift cards) had been drained. They quickly disabled the account, refunded the charges, had me change the password, etc. So they made me whole... but you don't have to do much work on Google to find a LOT of other people this has happened to.

It's not an isolated problem... Apple might argue that their system is secure (and it may very well be) and there's nothing they could do. But they COULD educate users about the problem and provide guidance on how to avoid it.

In the meantime, I (still) only fund my account using gift cards and recommend to friends and family that they remove their credit cards/paypal from their iTunes account.
August 13, 2011 5:40
Jason - The addresses of my sons' nannycams.
August 13, 2011 5:49
@Scott: "The addresses of my sons' nannycams."

My suspicious mind has failed me again :-)
August 13, 2011 5:52
The problem is you're using Apple. They're not like Microsoft. Once the security mess with WinXP happened Microsoft got a whole team dedicated to security, making sure stuff like this doesn't happen. Apple never had to do this because everyone is dumb enough to think that anything Apple is not hackable. So Apple is just riding that. Google on the other hand is constantly rolling out security updates and paying for holes found in their stuff. They take security seriously.

Do yourself a favor and sell anything Apple and go Android.
August 13, 2011 5:53
If I were you I would definitely look up Mark Russinovich's number in the company directory and get on the horn with him. If anyone can help you track down the source of the problem, he can. Then tell us cause I am now paranoid.
August 13, 2011 6:58
The bloggers who have simply concluded that your password was guessed are missing the point. Apple's method is to go ahead and approve the purchase, then disable the ID, then tell you about it later.

That seems out of proper sequence.

Besides, if you truly do use a difficult password, and someone can "guess" it (which I suppose means brute force it), then that means Apple is letting someone try what is basically an infinite number of guesses till they get it, which I still have problems with. This could take years in some cases... especially if your password is very long with lots of good entropy. I make similarly good passwords, but alas, I have never installed iTunes. I don't have an iPod. So I can't compare there.

There is something mysterious going on OR Scott is just making it up that he uses a strong password. I don't think it can be both or neither, can it?

The two bloggers are way too quick to simply dismiss it. When MSFT does something wrong we call it out. I guess when Apple does something wrong we call you the liar or dismiss it.
August 13, 2011 7:03
I think you should reference the recent xkcd comic on password strength:

Especially anyone that thinks 8-10 random characters means much of anything at all.
August 13, 2011 7:12
Using anything other than a credit card is actually less secure because for credit cards, they ask for your 3 digit security code as well. For PayPal or gift cards, you are at the mercy of Apple to get your money back, but credit card companies will restore your money pretty fast. I was actually one of the earlier cases of account hacks where Apple didn't send emails like this or even ask for the 3 digit security code for new devices. They've come a little way in getting the iTunes store more secure, but they could definitely do much more. Unless somebody publicizes this much more than simple Apple support forum whining, it seems they will do as little as possible. What's even worse now with iCloud is that once thieves know your Apple ID and password, they can basically turn an empty device into a clone of your device with all your information, contacts, emails. I noted this to some influential people on Twitter before, but nobody has given it much thought. What I still don't get is how they hacked the account. So far from my conversations with people on various forums, it doesn't seem to be confined to the jailbreak community, simple passwords, or key loggers. I definitely wish Apple would take these hacking issues more seriously. They have yet to acknowledge that such problem exists.
August 13, 2011 8:15
Scott, i'm glad someone with such a wide audience has raised concerns over apple's shortcomings in the app store area. i had a very bad experience, along the same lines, which prompted me to switch from iOS to another smartphone OS. i'd like to share my story, because i feel it relevant to the discussion.

Basically my story is such (it's going to be long, it needs to be to describe fully the situation i was put in):

i used to own and love my iphone, and i'd happily make many purchases in the app store. angry birds had not long been released and after trying the demo i was keen to purchase the full game. i tried and it failed. "ok", i thought to myself, "i must have typed my password incorrectly". so i tried again. and again. and again! i soon realised i was not going to be getting angry birds that day.

so after a simple google search i found apple's password reset functionality online, and attempted to regain control of my account. again i was met with difficulties - none of my details were being accepted as matching any account.

my next thought was to email apple's customer support to get to the source of my issues. by this time i was growing very suspicious, and concluded that my account had been hijacked, and the password had been changed by the assailant. i had no idea how this could have happened: my original password was unique to my itunes account and i had only ever entered it once on my computer when i initially set up the account (upon receiving my iphone) 18 months prior. the password was a 10-character alphanumeric non-word (i.e. reasonably strong). so i expressed my concern in an email to customer support, stating i was suspicious of what had happened and that i had tried to reset my password.

when i got a reply, the customer service rep asked me to try resetting my password! as you can imagine this was frustrating, i had already explained i had tried this, so it felt like i got a stock response. crucially, the email did mention that account was registered to some unfamiliar email address - indirect confirmation that it had been hijacked.

i reply to the email expressing my annoyance with the previous communication, and demanded more than a stock response. after sending this, i checked my bank account statement online and spotted a number of itunes purchases made the previous day - after i had initially noticed my account was inaccessible. i quickly send another email informing the representative of this and how imperative it is that action is quickly taken on this.

over 24 hours later and no reply, i was on edge - my bank balance was in the hands of somebody who had forcibly gained control of my itunes account. so i then went back to apple's website, thoroughly irate, and used their contact form to explain that i had not had any follow up on my issue, and that i wished the account be completely locked down to stop any further fraudulent purchases. i also expressed my concern that i was not alerted to any changes of my account details (every single piece of information associated with my account - email address, password, security questions - had been changed) and raised questions around their lax security policies. after all, apple's policy is that you can only link a limited number of computers to a single itunes account. i postulated that common sense dictates that bank account details should have to be re-entered whenever a new computer is linked to an account - this would instantly stop, or severely inhibit, one's ability to commit this kind of fraud.

another 24 hours passed and a different customer services rep gets in touch with me via email. thankfully, this time - 3 days after realising something was amiss with my account - i am informed that my account has been locked down and no purchases could be made until i re-enable the account; if i can prove ownership of the account. as proof, they asked for:
- the last four digits of the credit card used for your iTunes Store account
- the order number of your most recent purchase
- or the name of any item you've purchased using this account

i was astounded to read this! to re-enable my account all i had to supply was information that is viewable when logged into itunes! anyone with access to my account could have very easily attained this information and re-enabled the account. the customer services rep rounded off the email by explaining that the itunes store cannot issue refunds and that i should question my bank over the security of my bank account. the general feeling was that i was being blamed for the breaching of my account and that it was my bank's problem, not theirs.

in my response i made an analogy to help convey how broken their security model was. i explained that linking a new computer to an itunes account (in this case, the new computer being that of the hijacker) is comparable to adding a new delivery address on an e-commerce website, for example's sake, amazon. on amazon, when you add a new delivery address, you cannot instantly start paying for items to be delivered to this address; you must first re-enter all credit card details. this is a final security step that means a hacker must have gained access to both your account details and your credit card details. this security step alone massively limits the likelihood of fraudulent purchases being made from any amazon account. i demanded to know why apple didn't have a similar security measure.

furthermore, i wrote how i was left incredulous that i was not able to contact anyone dealing with account matters by phone. if i could have spoken to someone in person, i could have instantly had my account locked down, instead of waiting 24 hours for every email reply (by now 3 days in total). it is interesting to note that they do provide a phone number for technical issues with itunes. it was astounding that itunes technical support issues were seen to be more deserving of phone support than fraudulent purchases being made via a stolen itunes account. at one point i phoned technical support demanding to speak to someone about my account. i was politely told that account support is not provided over the phone.

during my 3 days of emails with customer support, i decided to take a different tack and email apple's PR department explaining the situation. someone from PR phoned me, leaving an answerphone message telling me i would receive further correspondence shortly. as you may have expected, the further correspondence never materialised. so i email them again, 5 days later (i was giving up hope by now), demanding further explanation.

eventually i get a phone call from a PR person explaining that they will not refund the purchases, and that my bank must refund me. i contact my bank, and the bank also refuses to refund because the security breach is made on apple's end of things. i phone the PR person explaining this, and after much arguing the rep decides they will refund me - in the form of an equivalent amount of money in itunes credit. i was seething!! i could not believe they considered this a satisfactory refund - i was never going to use itunes again after all of this, why would i want itunes credit?!

the next day the customer service rep gets back to me (a week after their last correspondence), apologising for the delay in reply. apparently they'd had "a bit of a backlog". it was comforting to read that my hijacked account was prioritised amongst this backlog such that it takes a week to get a reply! helpfully, the rep also carefully detailed how i could go about re-enabling my account. of course, after this farce, i still had full trust in apple to continue to keep my credit card details secure - the credit card details that they store on their server (hint: sarcasm ;-))

that was the final piece of communication i received. i was left out of pocket, with nobody willing to refund the fraudulent purchases. heck, i was even willing to accept responsibility for the initial fraudulent purchases (despite still not understanding how my password had been stolen), but surely i was not to blame for purchases which were only possible because of the incredibly slow turnaround time on emails from the customer services reps. for these i was sure i should get a full refund (i.e. the money put back in my bank account!)

but alas, it was not to be. to this day i have never received any sort of refund from my bank or apple. personally i felt it would be more appropriate for apple to issue a refund, being as they didn't take due care to protect my credit card details (not that they were directly stolen, but that app store purchasing via my credit card was made capable by apple's security measures). after this whole affair i never re-enabled my account and i never learnt how my account could have been hijacked.

apple also refused to accept that their security measures were lacklustre. these simple measures would make it incredibly difficult (and thus incredibly unattractive) for people to go down the line of making fraudulent purchases on itunes.
+ require all credit card details be re-entered when any new computer is linked to an itunes account
+ offer phone support for issues regarding stolen accounts and fraud
+ whenever any itunes account details (password, email address, security questions) are changed, send an email to the customer (or to the customer's previous email address if the email address itself is changed)
+ to re-enable a disabled account, require more than some information that is readily available to the hijacker of an account

TL;DR: apple has crap customer support for issues regarding stolen accounts and fraudulent purchases, apple refuse to accept responsibility for their lax security measures, apple refuse to offer refunds for fraudulent purchases

Hope this has been an interesting read - it took me a long while to type up the tale!
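The four measures listed in the comment above can be written down as one small policy. What follows is an added example, not Apple's code and not the commenter's: it refuses a purchase from a device it has never seen until the card is re-entered, announces every change of account details to the address on file before the change, and re-enables a disabled account only with a code delivered out of band plus the card itself, none of which a hijacker can read out of the account. The sample account, the "outbox" standing in for outgoing mail and the SHA-256 card fingerprint are constructed stand-ins (a real system keeps a payment token, never the card number).

```python
"""Account-protection policy for the four measures above (added example, constructed data)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


def card_fingerprint(pan: str) -> str:
    """Stand-in for the processor's payment token; simulates 'can the caller re-enter the card'."""
    return hashlib.sha256(pan.encode()).hexdigest()


@dataclass
class Account:
    apple_id: str
    email: str
    card_fp: str
    known_devices: Set[str] = field(default_factory=set)
    disabled: bool = False
    previous_email: Optional[str] = None   # address on file before the last email change
    reenable_code: Optional[str] = None


@dataclass
class Decision:
    allowed: bool
    reason: str


class AccountPolicy:
    def __init__(self) -> None:
        self.outbox: List[Tuple[str, str]] = []  # (recipient, message): constructed mail spool

    def notify(self, to: str, msg: str) -> None:
        self.outbox.append((to, msg))

    # Measure 1: an unknown device cannot buy anything until the card is re-entered.
    def authorize_purchase(self, acct: Account, device_id: str, item: str,
                           pan: Optional[str] = None) -> Decision:
        if acct.disabled:
            return Decision(False, "account disabled")
        if device_id in acct.known_devices:
            return Decision(True, "known device")
        if pan is None:
            return Decision(False, "step-up required: re-enter card to link this device")
        if not hmac.compare_digest(card_fingerprint(pan), acct.card_fp):
            self.notify(acct.email, f"Failed attempt to link device {device_id}")
            return Decision(False, "card details do not match")
        acct.known_devices.add(device_id)
        self.notify(acct.email, f"Device {device_id} linked and used to buy {item}")
        return Decision(True, "new device linked after card re-entry")

    # Measure 3: changes are announced to the address on file BEFORE the change,
    # so swapping the email cannot silence the warning.
    def change_details(self, acct: Account, changed: List[str],
                       new_email: Optional[str] = None) -> None:
        old_email = acct.email
        if new_email is not None:
            acct.previous_email = old_email
            acct.email = new_email
            changed = changed + ["email"]
        self.notify(old_email, "Your account details were changed: " + ", ".join(changed))

    def disable(self, acct: Account) -> None:
        acct.disabled = True

    # Measure 4: re-enabling needs a code sent to the pre-change address plus the card,
    # rather than order numbers or last-four digits visible inside the account.
    def start_reenable(self, acct: Account) -> str:
        acct.reenable_code = secrets.token_hex(4)
        target = acct.previous_email or acct.email
        self.notify(target, f"Your re-enable code is {acct.reenable_code}")
        return target

    def finish_reenable(self, acct: Account, code: str, pan: str) -> Decision:
        if acct.reenable_code is None or not hmac.compare_digest(code, acct.reenable_code):
            return Decision(False, "wrong or missing re-enable code")
        if not hmac.compare_digest(card_fingerprint(pan), acct.card_fp):
            return Decision(False, "card details do not match")
        acct.disabled = False
        acct.reenable_code = None
        acct.known_devices.clear()  # every device, the hijacker's included, must re-link
        return Decision(True, "re-enabled; all devices must re-link")


def hijack_scenario() -> dict:
    """Replays the comment's story against the policy and returns the outcomes (constructed)."""
    policy = AccountPolicy()
    acct = Account("victim@example.com", "victim@example.com",
                   card_fingerprint("4111111111111111"), {"victims-pc"})
    no_card = policy.authorize_purchase(acct, "hijacker-phone", "game")
    wrong_card = policy.authorize_purchase(acct, "hijacker-phone", "game", pan="4000000000000002")
    policy.change_details(acct, ["password", "security questions"], new_email="hijacker@example.net")
    warned = policy.outbox[-1][0]
    policy.disable(acct)
    code_sent_to = policy.start_reenable(acct)
    bad = policy.finish_reenable(acct, "not-the-code", "4111111111111111")
    good = policy.finish_reenable(acct, acct.reenable_code, "4111111111111111")
    return {"new_device_blocked": not no_card.allowed,
            "wrong_card_blocked": not wrong_card.allowed,
            "change_warned_old_address": warned == "victim@example.com",
            "code_sent_to_old_address": code_sent_to == "victim@example.com",
            "wrong_code_rejected": not bad.allowed,
            "reenabled": good.allowed and not acct.disabled,
            "devices_after": sorted(acct.known_devices)}


if __name__ == "__main__":
    print(hijack_scenario())
```

The step-up in `authorize_purchase` is the Amazon-style check the comment describes: knowing the password alone is not enough to spend from a device the account has never seen.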
August 13, 2011 9:26
For me whenever I make a purchase from apple, it sends me an email about my purchase. I'm sure you must be checking your emails frequently, you might have got these messages too.
August 13, 2011 9:52
This whole 'Your AppleID has been disabled' thing is why I don't use my iPhone anymore.

EVERY time I attempt to buy, update, or even view the marketplace, my account is disabled, I've changed my password so many times I've given up on the device all together.

Windows Phone 7 is where it's at.
August 13, 2011 10:22
Actually Apple's security is not a new problem. I've noticed that a year ago there were lots of iTunes gift cards for sale at a Chinese equivalent of eBay at a shocking price like 35 yuan (= 5 usd) for 100 usd in iTunes.

Now that has been fixed, but I guess some new security leak has been found by crackers, maybe just Chinese high school students, as what you bought is a game in Chinese.
August 13, 2011 10:22
To any of you saying to "Go to Android" as a security upgrade... you're joking, right? Love or hate Apple's closed ecosystem, but it's MUCH MUCH MUCH (orders of magnitude) more secure than Android's Wild, Wild, West.

You got your password hacked. You screwed up. Deal with it.
August 13, 2011 10:30
You are absolutely right Tommy. I wouldn't bet Windows Phone 7 is any better.
August 13, 2011 11:21
Something very similar happened to me. I was convinced I was side-jacked or otherwise iTunes had been compromised while i was traveling in Toronto.

In the end, I figured out that I was phished. Even though, like you, I'm very careful and have unique passwords for every service, I did something careless one time which resulted in my account being used in to buy crappy Chinese music, videos and apps. The phishing came at me via a Facebook app that promised to show your iTunes plays on your profile or wall -- can't remember exactly.

Apple was cool about the whole thing, reversed all the charges, and allowed me to de-authorize every device on my account and start over, although, I must say, it was *very* difficult to get started on the whole process. Finding the right contact, getting a response, etc. took well over 2 days.

August 13, 2011 11:21
Tommy - It's totally possible I got my generated high entropy site-specific password hacked. But this post isn't about that, it's about the fragility of our access to the increasing pile of data we store in a smaller and smaller number of centralized cloud services.
August 13, 2011 11:49
It might be the right time for the phone companies to change how they store the credit card information, keep it locally on the phone encrypted of course and give the stored card a simple password to enter on a phone, then if you enter the password wrong more than 3 times, the card is deleted from the phone. of course you will have to enter the simple password when purchasing anything in the App Stores but this way they could avoid anybody being able to purchase with your account just by hacking the online account password.
August 13, 2011 12:41
For a while now I have been developing the theory that iOS is perhaps inherently unsafe due to the antiquated software development model of iOS, i.e using Objective-C and requiring the developer to manage memory allocations on the machine rather than delegate memory allocations to a managed runtime like the CLR or JVM. This is my layman's understanding of the two programming models so please feel free to correct me if I am wrong.

It is my understanding that this was one of the primary causes of security weaknesses on earlier versions of Windows. The move to developing code in a more managed environment seems to be not only more productive but also more secure since developers are less likely to misallocate memory, which could cause some security loopholes. In some senses therefore delegation of responsibility to a centralised authority, in this case the CLR is perhaps not a bad thing.

Obviously the issues you are experiencing go far beyond OS security loopholes and into the realm of Organisational issues and Customer Experience Management at large. I think you have raised many important and valid points. I hope someone at Apple will appreciate, understand and take action to resolve your issue. If they don't it would seem mad!
August 13, 2011 12:48
I recently got robbed on my way back home after a long night at the university, and had my laptop, my iPhone and my credit card on me; they took everything. It took me only a couple of days to borrow a used laptop and iPhone, but here come the problems:

I couldn't track my iPhone from the police station, since Apple for some reason doesn't enable this feature on an iPhone 3GS, which is just bullshit. So I used Time Machine to set up my new laptop. When I tried to set up my new iPhone with a backup, I got the notice that none of the apps were transferred since my Apple ID hadn't been activated on the new laptop. (Notice: the happy news was provided AFTER the lengthy restore process.) After authorizing my new laptop, the restore worked. But I had to wait for my new credit card to arrive before being able to access the App Store since I didn't have my security number. (Which I noticed upon wanting to update some apps.)

In short: the whole user experience about activating computers etc. is designed badly. I need to enter my main Apple ID password every time, even if I only want to update apps or install a free app. It's a bad thing, since someone only needs to film my screen behind my back and he gets both, my ID and my password. All security measures seem to make the life of regular users harder without actually preventing fraud.

Luckily, my insurance paid for a new laptop and iPhone.

PS: How and when exactly did your account get disabled and when did you get the notice on your iPhone? You don't seem to have mentioned it inside your article.
August 13, 2011 13:15
@Tommy - You're an idiot. Look at the Apple Forums for disabled AppleID's, people have their accounts disabled on a daily basis over and over and over for NO reason at all. Including myself.

I have 10 app's total, no random purchases, i activate my ID, leave my phone turned off for a MONTH. Turn it on, update the apps, OH SHIT LOOK, MY ID IS DISABLED AGAIN.

Apple's system is as retarded as Microsoft's LiveID implementation that prevents me from being a Windows Phone 7 Developer without creating yet another Live ID account, to go with the other 4 I already have.
August 13, 2011 13:22
Let's do keep it civil, please.
August 13, 2011 13:48
All the randomness, as a developer this makes me think about a serious bug in Apple's purchase system. It can be some sort of a timing and / or synchronization problem, like something shares state with different sessions (e.g. by using a static field to store request data with your Apple ID). So if you're connected to the server and your device sends a request right after someone bought something, your Apple ID may be used for that previous transaction. The purchase itself is probably done in parallel, so you can have your App downloaded before the actual bookings are done. And if the bookings are done, there is also some sort of verification that leads to your account being disabled.

My gut tells me: Not a hack, but a serious bug. I've seen such bugs.
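The shared-state bug the comment above speculates about can be made concrete. The following is an added example, not Apple's code; the class names and sample accounts are constructed. It keeps the "current" Apple ID in a class-level field, then drives three purchase requests through a deterministic round-robin scheduler so that their steps overlap exactly as the comment describes: every charge lands on whichever account wrote the field last. The per-request class beside it is the fix, with the state owned by one request.

```python
"""Request state in a static field leaks between in-flight sessions (added example)."""
from typing import Callable, Generator, List, Optional, Tuple

Charge = Tuple[Optional[str], str]   # (apple_id billed, item)


class SharedStateCheckout:
    """Buggy: the 'current' Apple ID lives on the class, shared by every request."""
    current_apple_id: Optional[str] = None

    def begin(self, apple_id: str) -> None:
        SharedStateCheckout.current_apple_id = apple_id

    def charge(self, item: str) -> Charge:
        return (SharedStateCheckout.current_apple_id, item)


class PerRequestCheckout:
    """Fixed: the Apple ID is an instance attribute that dies with the request."""
    def __init__(self) -> None:
        self.current_apple_id: Optional[str] = None

    def begin(self, apple_id: str) -> None:
        self.current_apple_id = apple_id

    def charge(self, item: str) -> Charge:
        return (self.current_apple_id, item)


Request = Callable[[object], Generator[Optional[Charge], None, None]]


def purchase(apple_id: str, item: str) -> Request:
    """A request as a generator: each 'yield' is a point where the handler waits
    on I/O (say, the round-trip to the billing backend) and another request runs."""
    def request(checkout) -> Generator[Optional[Charge], None, None]:
        checkout.begin(apple_id)
        yield None                     # suspended while the backend is called
        yield checkout.charge(item)    # the booking, done with whatever state is visible now
    return request


def run_round_robin(checkout_cls, requests: List[Request]) -> List[Charge]:
    """Worst-case interleaving: every request advances one step per round."""
    gens = [req(checkout_cls()) for req in requests]
    results: List[Optional[Charge]] = [None] * len(gens)
    active = list(range(len(gens)))
    while active:
        for i in list(active):
            try:
                out = next(gens[i])
            except StopIteration:
                active.remove(i)
                continue
            if out is not None:
                results[i] = out
    return [r for r in results if r is not None]


SAMPLE = [("alice@example.com", "puzzle-game"),     # constructed accounts and items
          ("bob@example.com", "music-album"),
          ("carol@example.com", "video")]


def misbilled(checkout_cls) -> List[Charge]:
    """Charges whose billed Apple ID is not the account that asked for the item."""
    charges = run_round_robin(checkout_cls, [purchase(a, i) for a, i in SAMPLE])
    return [c for c, (apple_id, _) in zip(charges, SAMPLE) if c[0] != apple_id]


if __name__ == "__main__":
    print("shared state :", misbilled(SharedStateCheckout))   # two of three billed to carol
    print("per-request  :", misbilled(PerRequestCheckout))    # []
```

With real threads the outcome would vary from run to run, which is exactly why this class of bug shows up as "randomness"; the generator scheduler fixes the interleaving so the failure is reproducible.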
August 13, 2011 14:53
Also have been following your tweets about this blog post (how meta is that). I do agree that I even missed the point somewhat. I get now that your larger point was: "When you put your data in the Cloud (which is what you do when you purchase things on an iPhone), you put all of that at risk over one password."

Originally I thought your thesis was: "There's a few problems with how Apple is doing things. One is how the heck did anyone purchase something as me and the other is why would Apple do things in this insecure order (sell app, disable id, notify you)."

So yes, I "missed" the point as well. But your clarified thesis does apply to anyone and anything. The more you start using that Live ID and get a Gamertag and Gold account and a WP7 and use SkyDrive and so on and so on... everything is wrapped up in that one ID. As we've seen recently in the news, you had BETTER have both a great password AND you have to wonder how seriously your vendors are working to protect it.
August 13, 2011 16:22
You may be familiar with the cloud, as it's where all your valuable stuff is.

Not quite. I am, indeed, familiar with the cloud, which is why all my valuable stuff is on my own PC, backed up to a pair of offline external HDDs. And that is where it's going to remain. As far as I'm concerned the cloud is severely affected by Emperor's New Clothes Syndrome, and I want nothing to do with it.
August 13, 2011 16:53
Exactly this happened with me a few months back (my password was never shared and was/is quite strong per se), I contacted apple and they reverted my purchase and credit, they told this is the first and the last time they are doing it. When I searched the intrawebs I found lot of such cases and some even mentioned that APPL servers/security is compromised. It's quite weird that in our case the same app was purchased n times, apple does not allow me to re-purchase the already purchased item so something somewhere is broken on Apple's side
August 13, 2011 20:05
Servers and browsers support two-way certificate authentication. As consumers we need to demand that more sites require it, and get our own individual certificates to use; these can be associated with biometrics quite easily. But we have to come together and demand it. Credit Card companies should be on the bandwagon as part of PCI compliance.
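The two-way certificate authentication the comment above argues for rests on one check: the server accepts a client certificate only if it chains to a CA the server trusts, so a stolen password alone buys nothing. The script below is an added example, not from the post or any commenter; it needs only openssl and a scratch directory, and every name in it (store-ca, rogue-ca, scott, intruder) is constructed. It builds the store's own CA, issues a per-user client certificate from it, issues another from an unrelated CA, and runs the server-side verification against both.

```sh
#!/bin/sh
# Added example: private CA, per-user client certificates, and the chain check a
# server performs when it requires client certificates. Constructed names only.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# make_ca <name>: self-signed CA certificate and key
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_client <ca> <user>: key pair for the user, certificate signed by <ca>
issue_client() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 30 -out "$WORK/$2.crt" 2>/dev/null
}

# verify_client <user>: succeeds only if the certificate chains to store-ca.
# This is the check a server makes before it looks at the request at all.
verify_client() {
    openssl verify -CAfile "$WORK/store-ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# client_subject <user>: the identity a server would bind the session to
client_subject() {
    openssl x509 -in "$WORK/$1.crt" -noout -subject | sed 's/^subject=[[:space:]]*//'
}

make_ca store-ca            # the store's own CA
make_ca rogue-ca            # somebody else's CA, not trusted by the store
issue_client store-ca scott
issue_client rogue-ca intruder

verify_client scott   && echo "scott: accepted ($(client_subject scott))"
verify_client intruder || echo "intruder: rejected, not issued by store-ca"
```

On a web server the same chain check is what nginx's `ssl_verify_client on;` performs against the CA bundle named in `ssl_client_certificate`; the per-user key never leaves the user's device, which is what makes it a second factor rather than another password.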
August 13, 2011 23:29
Chris - Exactly. You nailed it with this:
As we've seen recently in the news, you had BETTER have both a great password AND you have to wonder how seriously your vendors are working to protect it.
August 14, 2011 0:36

Scott I think I know the solution of your problem: What was the password you were using sir?
August 14, 2011 2:13
I do not think they had complete access at your account as they could have changed the password.

I would also try to contact the company that got the in app purchases ( Pearl in Palm) and ask them if they have any further evidence sending the detail of the fraudulent purchases: may be you can get something like the ip address, name etc of the client iphone that at that time connected to their game server (I know, difficult but...)

As a general rule for security I have sms notifications for every use of my credit card.
As authentication I find the two way (pass + changing token on device) secure enough. Google is implementing that and I enabled it and every time I connect on a new device it asks the verification code.
August 14, 2011 3:14
I haven't had any real unauthorized purchases, but I am constantly warned that free apps or free updates have been purchased "on a computer or device that had not previously been associated with that Apple ID."

These warnings are always for a free app that I actually do have. I don't think Apple is able to accurately keep track of the devices (our family has several). And iTunes keeps making me re-enter the 3-digit "security" code for my credit card, even to download free stuff. I usually end up just removing my credit card information entirely and re-entering it when I want to make a purchase.

When I was investigating this, Apple was unable to tell me anything about the device that was supposedly used to purchase these free apps. IP address? Nope. Name of the iOS device? Nope. Serial number? Nope. I was hoping they could, because I strongly suspected that it really was one of my devices and not a new, unknown device.

According to Apple:

"[...] when a new device is added iTunes create a separate identity number for the device. This is an auto generated number and do not store any details on the device, this is just to indicate that a new device was added. This is why I am unable determine anything about the details of the device used."

I'd like to have the option to "officially" register my devices, associate them with my account, and prevent other devices from accessing my account at all. Or at least have it log the details about the device used to make any purchases.
August 14, 2011 3:44
Good grief! It happened again!

Your Apple ID, [removed], was just used to purchase 123D Sculpt from the App Store on a computer or device that had not previously been associated with that Apple ID.

I just downloaded 123D Sculpt on my PC using iTunes, the same "device" that I've used to access the iTunes store about a billion times. Like I suspected, their method of keeping track of your devices simply doesn't work.
August 14, 2011 4:24
I recently had my iTunes store account hacked as well and a gift card balance drained from the account.

Here's what I've figured out/learned:

1) You are apparently safer using a credit card in iTunes because Apple removes that information from the account when someone attempts to access the account from an unknown device. It's not the hacker/thief changing your information and deleting your credit card, it's Apple. However, Paypal and Gift Cards are left attached to the account. This is what the hackers are draining.

2) Almost everyone who's had their account hacked has had a download of a Chinese app by one of a select few vendors. The app downloaded from my account was Lakoo's Empire Online. The app is free, but the in-app purchases drain the balance.

3) Strangely, there's at least one iTunes user who's had the problem and downloaded an app that was bought on his hacked account and then used to make in-app purchases. He wanted to see what was going on. Strangely, he could find no way to make purchases thru the app.

4) There are several Apple Support Discussion threads about the problem, including one ( that is currently 40 pages long and started in November 2010. Apple has made no official reply and sends out the same form response to each inquiry about that problem.

So far, I've had many people who've had the problem tell me that with a gift card balance, that they now create a Wishlist that totals the full amount of their gift card, then apply the card and spend it all at once, rather than leave it in their account.
August 14, 2011 18:37
Is this an Apple only problem? No, it's an inherent weakness of the cloud and the internet in general.

Do Apple's various cloud services suffer from massive security holes? Unknown, but it's at least as likely (being generous to you here) that the breach occurred on your end. However, we do and we should expect more from Apple in getting this problem ironed out. The request that you reset your password is actually the best first step that YOU can take and Apple was right in suggesting it. It might resolve the issue at best, and at worst will help troubleshoot the issue.

I think your most valid complaint is that Apple needs to make it easier to resolve the problem. Like many other online services, the Apple's process is arcane.

Apple does need to take security more seriously, even if the original problem is not on their end. The safeguards they have in place, while good fwiw, are not good enough or clear enough. It's especially troubling that PayPal seems to be the weak link. I hope that Apple doesn't do that buck passing dance and merely blame PayPal, but takes ownership of the problem. Both vendors need to work together or they will both suffer, not to mention that the client is suffering.

I suspect you got phished via a PayPal purchase or you've got malware on your PC. Your anti-malware software is only as good as its updated signatures.

Repeating for emphasis: This is not an Apple only problem, but Apple needs to step up their game. Their reputation for "it just works" must extend to security, whether in helping to prevent exploits, or that reputation is going to suffer. A lot of these schemes are exploiting the seams of the cloud, where services from different companies meet. In this case, Apple and PayPal could potentially point fingers at each other, leaving us all vulnerable. Or they could both do the right thing and work together. If one or the other refuses responsibility, then the other needs to bite the bullet and take full responsibility. That one, in this case, should be Apple.

I don't think this contradicts your main points, but a few of your commenters seem to totally miss this and see this as an exercise in Apple bashing.
August 14, 2011 19:58
One thing that hasn't been pointed out that you might consider Scott is that you should get a new phone and mobile hotspot. GSM is a notoriously insecure cellular protocol. Your data could just have easily been picked up off the cellular network as it could have been off your device or hotspot.

A quick google of "GSM security issues" will bring you a plethora of information, including a link to a presentation given at the recently held Black Hat Conference on how easy it is to intercept GSM based cellular data. If you are security conscious, I would recommend getting away from GSM.
August 15, 2011 0:18
Scott, do you have a jailbroken phone?
I was thinking about the possibility of a Cydia tweak or other apps not approved by apple to make purchases with my account or use a method similar to phishing.
August 15, 2011 3:25
My password is/was rock solid. I use a password manager, my passwords are insane and have high entropy.

This reminds me the recent xkcd comic about strong passwords
August 15, 2011 3:50
Sounds like you are whining about the very email that allowed you to detect the issue after you did something wrong to get hacked. As much as I hate apple, I think this is your fault.
August 15, 2011 18:50
I will admit that I have never really cared for Apple.

Without some forensic investigation of the apparently multiple exploited accounts to look at the commonalities, there really is no way to determine what the situation is. It could be an exploit in iTunes, the methods that the victims used, the OSs in place...

Or, maybe their cloud has been seeded to cause some rain (aka, they got bugs)
August 15, 2011 19:52
Hi Scott,

what is the HanselMail app on your IPhone? ;-)
August 15, 2011 20:16
Hey Scott,

My experiences with Droid/Google are still pretty short - about 1 year now. Both my wife and I had "suspicious" activity on our email accounts (about 4 weeks apart from each other) and Google just switched them off. Had to do the song and dance of resetting passwords to get them back on. I have also discovered that people are targeting mobile apps with Trojans, viruses, etc. I now run Lookout on my Droid. Past that, my trust level is much closer to ZERO with cloud/mobile/passwords/etc. I don't have an answer and most of the things I have seen on Cloud Security are from a software perspective. Think about it on a hardware level some time...
August 15, 2011 22:56
So, given your current experience, how do you now feel about "cloud computing" and storing information outside of your own control?
August 15, 2011 22:57
And how should that dictate the thoughts of "companies" doing the same?
August 16, 2011 3:25
God bless Ron Graves! :D

He's the one above who said, "As far as I'm concerned the cloud is severely affected by Emperor's New Clothes Syndrome, and I want nothing to do with it."
August 16, 2011 4:42
FYI: Amazon does risk analysis.

I was at a friend's house, and he asked me to buy something from Amazon and send it to his brother's home. Since I was on the iPhone I tried to make the purchase just there. But Amazon didn't let me do it because I was on a device never used before to buy (I usually make my purchases from my PC) and sending to an address never used before.

Little annoying at the time, but at least I know that I was covered by Amazon
August 16, 2011 17:24
Fortunately I've never had this issue. Maybe because I make it a point to delete my CC info every time I buy something from an online service. Sure it's less convenient but then no one can just buy stuff using my card, unless they stole it through some other channel.
August 16, 2011 19:01
I had a similar issue with iTunes Mexico. One day I received an invoice of a lot of music bought using a gift card I had registered in itunes before; I guess my account was hijacked, but I never got a response from apple.

Apparently iTunes is not very secure.
August 17, 2011 19:09
This happened to me today too. My accounts with crazy strong long, random passwords keep getting hacked. My PCs are always fully patched, virus scans show no keyloggers, no viruses, and no weird processes running in the background.

I'm stumped but this seems to keep happening over and over again with increasing frequency. I'm at the point where I'm about ready to cut up all my credit cards and say goodbye to the bold digital future. It's getting ridiculous.
September 10, 2011 18:51
You will notice there was a rash of reports last year about itunes accounts being "stolen",

and then you will notice a rash of reports the year before, and the year before that and a year before that...

this happens daily, probably 30 accounts are "stolen" daily...

however that is not what is really going on. the 30 accounts are stolen, but they are sold into a black market in china, that will resale those maybe even a year later.

it is not iTunes that is being hacked, it actually is the PC that is hacked.... it does not matter how strong your password is, when you have a virus/keylogger just simply taking all that info and sending it off to a server in China.

and the reason people can not figure out what is going on, is for two reasons, your personal information was stolen A YEAR AGO...... and 2. Virus checkers on PC's are worthless, unless you like to catch old viruses... they do not show you the new Virus or keylogger going around... which isn't the point, because your ID WAS STOLEN A YEAR AGO anyway.... maybe even two years ago... then sold into a black market,

where people buy your id months or years later.....

do some Googling, and you will find that people can buy stolen id's (in china) for something like $3, (the bidding varies) and they are advised to do all their buying with the stolen id in the next 24 hours... (which is good advice, since apple used to not check every hour for weird purchases)....

what you do to prevent this? BUY A MAC. that will eliminate 99% of the problem, for the other 1%, simply be smarter than average PC user and don't download questionable content from some website or email....

then you will be virus free/malware free...

again, this is a fact, it is not a iTunes being hacked... it is the personal Computer being hacked.... every single year, people first thing out of their mouth is my iTunes account was hacked... wrong... second thing out of their mouth, apple iTunes is hacked.... wrong....

it is your PC, worse it was your PC from a year ago....... have fun tracking that down.....
September 10, 2011 19:04
what is particularly funny about "virus scans" is about 50% of them, ARE THE MALWARE THEMSELVES...

and if they are legit, YOU STILL ARE GOING TO BE SCREWED someday, because every single year, a legit anti-Virus software package accidentally destroys the persons data that it was supposed to protect, through one of their constant updates to that software that had a bug in it...

Phishing of your information is a good source of stolen ID's too.. and you always hear the person later... "but I don't know what went wrong"?? i didn't get a virus? I checked my computer?

the thing is your Phishing episode was done months ago.... your virus/keylogger was installed months ago, took your information, then deleted itself....

yes, it is a huge problem. (for PC users) Companies can do very very little for people who just give their passwords away.... block the bad app now, and a new app pops up... block purchases from IP addresses, and new ones appear, block from new devices, and have a logistic nightmare on your hands...
September 13, 2011 8:30
this same thing happened to me. but it was 3 purchases. almost 150$ total and same mo from china. and i had a rock solid password.
October 14, 2011 2:34
Any password complexity won't help, as long as a key logger is running on your iTunes hosting computer and catching every password change you perform.

I doubt that your iphone/ipad has been hacked, but most probably your PC/Mac might be controlled by a Trojan, if your passwords seem to be revealed to persons you don't know at places you haven't been, buying stuff you haven't ordered.

Lots of other people having the same problem doesn't need to mean Apple is bad, but could also mean that other people have infected PCs as well. Trojans are there to spread spam, steal computing power and especially take your CC numbers and passwords and make them into money.

You might want to run a clean installation of your iTunes host.....
And avoid using admin accounts for surfing the web.
And another good choice is to run a virtualized OS installation for iTunes that you don't use for surfing the web.

December 21, 2011 5:33
sites like keep selling credits points on those which are bought with hacked itunes accounts... sites like this should be banned!!
February 26, 2012 8:11
i am 12 and i get pissed off when the only people who know my password are my dad, mom, brother (no he does not steal) and me. and when it says " your apple id has been disabled for security reasons" and it makes me do a new password that is so long that i know i will freaking forget and i have been on apple customer for 7 years and now it says this. can you please help me!
February 27, 2012 4:03
Hey Scott

The same thing has happened to me recently, can't get blinking iphone to stop saying


friends are all smug laughing at me with their HTC windows devices....:-(

Helen uk
April 20, 2012 23:15
Scott, this just happened to me twice this morning. Even AFTER I changed my Apple ID, PayPal, and email passwords. Thankfully my boyfriend remembered reading about a similar issue in your blog post, so now I feel better that I'm not the only one. At least I'm not going crazy. *sigh*
