Chinese auction site sells thousands of stolen iTunes accounts

Filed Under: Apple, Phishing

iTunes and Taobao50,000 stolen iTunes accounts linked to stolen credit cards are being sold on a Chinese auction site, according to a report from the BBC.

Listings on TaoBao, the Chinese equivalent of eBay, are promising access to iTunes downloads for between 1 yuan ($0.15) and 200 yuan ($30).

However, customers are advised that they are likely to only have about 12 hours to download apps, movies, games and music from the online store before their accounts are suspended.

A reporter with the Global Times, who discovered the activity on Taobao, paid $5 for an iTunes username and password. When accessing the account they found that it contained credit card details and the address of a user based in the United States.

What isn't entirely clear is whether fraudulent accounts have been set up with stolen credit card details, or whether these are existing iTunes accounts that have been seized by cybercriminals - perhaps after login details have been stolen through phishing attacks.

Certainly it's not the first time that users have experienced problems with their iTunes accounts. Last year, many iTunes users reported that they had received unauthorised charges of up to $1000 after an apparent security breach.

Regardless of precisely how the cybercriminals selling access to the iTunes accounts managed to gain control over them, my advice is that you ensure that you have chosen a secure, non-dictionary word as your iTunes password that you never share with any other person or website.

(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)

Furthermore, just as with your bank account - you should keep a close eye on your account and the purchases linked to it to see if there is any unusual behaviour.

And even if this assault on users' accounts wasn't the result of a phishing campaign, always be on the lookout for fraudulent emails and websites which try and steal your login details. The phishers aren't just after your banking details - they can make money out of other online accounts too.

, , , , ,

You might like

3 Responses to Chinese auction site sells thousands of stolen iTunes accounts

  1. This happened to me, to the tune of over $800 (which have since been returned to me via my credit card company). My fault--a very insecure password, which I used in lots of places....and since I have a email address, it identifies me as a mac user. Apple, by the way, sets us up for this attack for not allowing owners of .Me/.Mac accounts to change their username--which is also their Apple ID. So, the password security is crucial. iTunes asks for a credit card #--which most people enter thinking it's totally safe. Once in to iTunes, there's lots of really costly stuff there--some iPad/iPod games are $30-40. I now only use iTunes gift cards, and keep the amount of money on the account very low, or choose "no credit card on file" as my payment option.

    The scammers make many purchases that are less than $50...they keep them just under the amount that might trigger scrutiny. Fortunately for me, I checked my email right before going to bed, and discovered the charges which were still coming through. I immediately went to iTunes and changed my password. I also called my credit card company and they immediately canceled the card--a HUGE PITA on many levels. They also went through the fraud process with me, and I can't say enough about that service. I do know (google iTunes fraud) that others have not been as fortunate as I in getting this resolved. Contacting Apple was harder...there was no way to get to them until the next day. It took at least 3 days before I heard back from them. Very frustrating.

    Do google "iTunes fraud" and start reading. Some people lost several thousand dollars. Apple's reaction, across the board, was "we don't really care, contact your credit card company."

    I think that iTunes security may be improving, since I've had a couple times recently where my account had to be reset due to too many invalid password attempts. (Good luck with that, thieves, you won't be getting this one!)

    Anyway, thanks for shining a spotlight on this. Too many folks probably don't realize they are at risk there.

    • Yes you are at fault for using poor account/password management. However, Apple is also clearly at fault for allowing weak passwords on accounts that are tied to PII and financial information. If Apple required passwords with a minimum of 8 characters and special characters this would likely be much less of a problem. However, requiring strong passwords does not appeal to the Apple's core market -- the uninformed who believe because they have a Mac they are immune to these types of issues.

      Your experience with Apple's customer service is not surprising given that is run by an arrogant egomaniac who believes that the only reason to ever provide good customer service is when a problem has gone viral and is becoming a PR headache.

  2. Shaggy · 1544 days ago

    I think it is Apple Company that should have better security ok.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley