My Hijacked Apple ID … continued …

Posted in Apple, Issues, News

I have been an Apple user/evangelist (current translation: fanboy) since I bought my first Mac Plus sometime in 1986. I purchased that little beige wonder to use in my recording studio in Asbury Park, NJ. I always thought Apple was bulletproof. They could do no wrong, and always cared about the experience of the Mac user.

Do I still feel that way? I’d be a blind zealot if I said yes. There have always been questionable calls on Apple’s part throughout the years. But at some point Apple stepped up to the plate, took responsibility and made things right. No matter what the cost. Financial or otherwise. It seems this concept gets harder and harder for Apple. For whatever reason.

It started June 25th with my post “Apple Developer {dis} Connection or … How My Apple ID Was Hijacked”. I explained how my Apple ID was hijacked by someone, after I logged into the Apple Developers Connection website. The hijacker took over my Apple ID by changing the username and password. Then they ever so kindly logged into my iTunes account and charged two $50.00 iTunes cards to my attached debit card. For all the gory details I suggest reading the original post and coming back. It’s quite long and has several updates.

It’s almost a month later, and I finally heard back from Apple Developers Connection, Apple Inc and the Attorney General’s Office of Washington state. Apple’s Developer Connection eMailed me yesterday, July 22nd. After nearly a month this is what they had to say:

Subject: Re: Website Inquiries/Feedback
From: devprograms@apple.com
Date: July 22, 2009 10:30:37 AM PDT
To: ejo@go2jo.com

Follow-up: xxxxxxxxx

Re: Website Inquiries/Feedback

Hello Joe,

Thank you for contacting the Apple Developer Connection.

We are currently reviewing your inquiry and will get back to you very soon. We appreciate your patience.

Best regards,

Michele Owens
Apple Developer Connection
Worldwide Developer Relations

That’s it? A month to tell me they are looking at my inquiry? Now I don’t want to seem like a whiny whiny boy man. (I’ve already been accused of this in a comment on the original post. Which of course I deleted. My blog. My prerogative.) But … a month for an eMail telling me they are reviewing my inquiry? No results yet? Okay. I’ll give them the benefit of the doubt. Tap tap tap. Waiting waiting waiting.

On the same day I got this eMail from the AGO’s office.

Joseph Streno
13303 15th AVE NE
Seattle, WA 98125

RE:    Apple Computer
File #:    xxxxxxx

Dear Joseph Streno:

Our office has received the attached written response from Apple Computer.  Although they have offered to make a partial adjustment, they decline to make full adjustment of your complaint for the reasons outlined.

We realize you may disagree with their position. However, our office does not have the authority under the law to force the parties to resolve their dispute. We regret that we are unable to provide further assistance to you in this situation.

We do not have the legal authority to represent individuals as their attorney, nor may we act as a judge or arbiter in individual disputes.  If you wish to pursue the matter, you should consider either contacting an attorney or suing in Small Claims Court. You can obtain additional information about Small Claims court at:

http://www.courts.wa.gov/newsinfo/resources/?altMenu=smal&fa=newsinfo_jury.scc

For referrals to attorneys in King County:    206-623-2551 or 211

If you cannot afford an attorney, you may qualify for assistance from the NW Justice Project’s CLEAR Coordinated Legal Advice.  They may be reached Toll Free at 1-888-201-1014 or online at the following website:

http://www.nwjustice.org/about_njp/clear.html

In addition, if you are 60 or over, you may call CLEAR SR. at 1-888-387-7111 regardless of income.

You may also wish to contact the Dispute Resolution Center nearest you to see if they can assist in mediating your dispute.  You can obtain additional information at these websites:

http://www.courts.wa.gov/court_dir/?fa=court_dir.dispute

http://www.resolutionwa.org/

Please be aware that the Dispute Resolution Centers do not provide attorney referrals or legal advice.

We appreciate your bringing this matter to our attention.  Your complaint will remain a part of our public record of this firm’s business practices.

DAVID FERRIS
Complaint Analyst
Consumer Protection Division

This was the fax sent to the AGO from Apple:

Apple Fax to the AGO

To which I responded back to the AGO’s office:

Subject: Re: xxxxx : A notice from the Washington State Attorney General’s Office
From: ejo@go2jo.com
Date: July 22, 2009 1:43:37 PM PDT
To: xxxxx@atg.wa.gov

Dear Mr McKenna …

Thank you for being so prompt. I did get the attached PDF of Apple’s response.

Of course Apple skirted their own security issue(s) with the iTunes Store and The Apple Developers Connection website. My identity was “stolen” because of the ease one can change a password for an Apple ID.

They have outright avoided answering the question put before them. How did someone get access to my iTunes account? How, and at what time was the Apple ID changed? And in what manner was it changed, via a phone call, eMail, or the Apple website form?

The hijacker did not steal my identity to use my debit card, but stole my Apple ID and was able to log into iTunes which had my debit card attached to make purchases. There is a huge difference. And puts the onus on Apple to answer how that happened, not the credit card company. My iTunes account could have had ANY card attached to it, the responsibility is Apple’s because someone was able to hijack my Apple ID and log into iTunes at all. Without that step none of this would have happened.

That and only that is the issue! How did that happen? Apple has not answered that question at all.

I wasn’t concerned with getting the charges credited back. They were. The debit card was canceled and a new one issued. I was more concerned that no one has legally called Apple’s security issues to task. Apple’s “Apple ID” is the only way to log into ANY of Apple’s (supposedly) secure websites, or any of their electronic stores (to make a purchase.)

If this type of thing does not fall under the purview of the AGO, I guess it’s time to try to start a class action suit against Apple.

If you have any further comments please send them along.

Thank you for all your help.

Joe Streno

And that pretty much says it all. Apple won’t admit there is a problem with their security in respect to changing a password for their Apple ID. This one item, the Apple ID, is used to sign into any Apple related website, and to purchase anything on the iTunes and Apple Store. Apple could solve the entire issue by devising another more secure way to change a password and gain access to another person’s account. It’s a problem that has gone on for years, yet Apple turns a (not so) blind eye and lets the problem continue. The other piece of the unsolved puzzle is … are there hackers out there that are intercepting an Apple ID as one is logging into a Developers Connection account? Or is it when someone is joining an Apple website for the first time? All unanswered questions seemingly unimportant to Apple.

So Apple …. is Apple ID security bulletproof? I think not! So the question remains … what to do next. I’ll wait to see what Apple reports back.

12 thoughts on “My Hijacked Apple ID … continued …”

  1. Yes, same thing just happened to me. My Apple ID vanished and so did my credit. The Apple store where I had recently bought my iPad said they could do nothing but show me how to contact Apple re the problem so it remains to be seen what, if anything, will be done. Fortunately I’m still within the 14 days return period so if I hear nothing from Apple, I’ll be returning the iPad and getting my cash back.

  2. My iPhone is also my alarm clock. In the early morning hours of July 28th, I was awakened by the “new email” beep that the phone makes. Strange I thought, who is emailing me at this hour. I grab the phone and open the email and there staring me in the face is a $50 receipt for an iTunes gift card! I jump out of bed and go to the iTunes purchase record which took a couple of minutes and sure enough, there was the purchase along with the authorization code to cash in the $50. When I tried to cash the certificate I was informed that it had already been cashed in! I immediately removed my credit card info from the iTunes account but as of today my (bank) account shows that there were two purchases. I sent an email to Apple but have yet to hear a peep. I am going to my bank first thing Monday morning. After reading this forum I am in grave doubt of ever buying an app or song from Apple again, or at least until I know my data is safe. I live alone and NO ONE has access to my account. Apple, are you reading this forum?

  3. Finally after a week, Apple has given me back the account. I changed the password to something awful hard. I changed the security question to something impossible. I also de-authorized all computers since 5 didn’t sound right to me either. Turns out the hacker left me ‘owing’ money to Apple. I’ve asked Apple to remove all the fraudulent charges and restore my $20 store credit. Hopefully they at least zero out the balance owing. You’re right about selling the crap Joe… maybe I’ll just install Windows on it! ;)

  4. When I called the bank, sure enough iTunes charges had just cleared… be careful people! Card cancelled and I’m contesting the charges. I will attempt to contact Apple again, however they don’t seem to be listening.

    1. Sadly, Apple won’t do much. Your bank is the best place to get monetary satisfaction. When you call Apple they will want you to kill the compromised account & create another. I said no, because I have years of hardware & software tied to that Apple ID. I just opted to create a more challenging password, and a question that NO ONE would ever be able to figure out by Googling me, or reading my blogs.
      Sadly Apple doesn’t see this as a breach of their security. Like in any other situation, it’s up to the user to make their online accounts secure as can be. It’s not that I’m sticking up for Apple … it’s just the nature of doing business in an all too connected world, where information is easily had.
      Selling all your Apple gear does nothing except punish you. The only way to “fix” this issue is by a class action suit. That will get Apple’s attention. But I don’t know that I have the energy for that today. ; )

  5. My iTunes account just seemed to vanish two days ago. No response from Apple, and no charges on my Visa yet.. but I’m going to report it stolen now rather than wait and see. Apple sucks, I didn’t get any warning either that my Apple ID was changing. Most sites will send you an email saying ‘you’re attempting to change your name/email address! Click here if you did not request this’ …. Pathetic. I’m selling all my Apple gear and going back to my Windows PC. F-this.

  6. This just happened to me too. My credit card was used for non-Apple purchases too (which was actually helpful in alerting me to the issue). Apple has been so unhelpful. And as to the music and apps that I bought using that old account–as far as Apple is concerned, they belong to the thief. I’m planning to try and resolve this with Apple but I hold out very little hope.

    1. Jill … Sadly the only satisfaction you will get out of Apple is the refunding of anything bought by the hijacker. They will also want you to cancel that account and start a new one. Which frankly will do nothing. They will never take responsibility for their lack of security. It’s sad.

  7. My iTunes account was hacked a week ago.
    $62 in credit gone. Used on Chinese apps.
    They changed my user id, password, email, and security question.
    Apple’s response?
    “Not their problem.”
    So their nonexistent security on an on-line system responsible for customer financial information is hacked daily, but it’s not their problem.
    No alert, no email notifying me of the changes, nothing.
    And it took me over an hour to finally get hold of someone on the phone.
    Unacceptable!
    I’m not posting this rant to complain, only to warn as many people as possible.
    Apple security is horrible and you will be ripped off eventually.
    I know you’re only liable for $50 on your credit card, but is $50 really a small amount of money to most people? What about the time, effort, and pain to rectify this situation?
    And is Apple really not liable for all of these thefts? It is their system. They do have some responsibility to safeguard our accounts, don’t they?
    I’m writing to my Senator and Congressman to see if something can be done.
    At the very least, people should be made aware of how risky it is to have an iTunes account.
    I for one am using Amazon for my ibooks and looking into jailbreaking as a way to protect my account and identity.

  8. How is the follow up from Apple? It’s amazing that you even got a reply from Apple. When my friend had this happen to her she got no response from Apple. Nothing. Her bank credited her for the iTunes charges. No problem. Apple did nothing. It’s pretty scary that something like this can happen; more often than is thought, it seems.

    1. From what I had heard from others, I wasn’t expecting anything from Apple. But I have a feeling because I reported this to the Attorney General’s Office of Washington, Apple kind of had to reply to me.

      My biggest surprise is that this is still going on and not a single one of the Mac magazines has reported a single word on this ongoing breach of security.

      The day I upgraded to iTunes v9.0 & I “Unauthorized All Computers” because iTunes said I had 5 authorized computers, which seemed odd. And someone again tried to get into my Apple ID account. Probably the guy who got the 2 gift cards. I know because I got an eMail from Apple about “too many attempts to guess the answer to my ‘secret’ question.” I was livid! But I was also vindicated … because the thief could no longer play the music they “stole.”

      I really couldn’t do anything. Apple wouldn’t care.

      Other than that … nothing new.
