
EagerDragon

macrumors 68020
Jun 27, 2006
2,098
0
MA, USA
Likely there is no hack

Likely people's PCs were compromised and not iTunes. Happens every day; all passwords and all account information in the PCs and even Macs then become the property of the hacker.

Using a discovered account and a discovered password to log in to iTunes and buy music or software IS NOT A HACK!!!!!

The hack is on the workstation to discover the credentials.

If I give you a stack of credit cards and their associated PINs and you extract money from those accounts by using a regular ATM system by swiping the cards and entering the PINs like millions of people do every day, ARE YOU HACKING?

A Hack is a trick, is dealing with a weakness of a system, is misusing a system functionality to make it do something it was not designed to do.

If you have obtained a list of accounts and a list of passwords and you use it with iTunes you are not HACKING. You are stealing but not HACKING.

Will people ever get the facts before yelling that the sky is falling?

People on the Internet get their credentials stolen every day, and they are mostly stolen from their PC because they were infected by a trojan or a keylogger. That does not mean that the systems where those credentials can be used have been hacked!!! Those systems are working as normal and reacting to a good set of credentials regardless of how they were obtained.

People!
 

SBlue1

macrumors 68000
Oct 17, 2008
1,939
2,370
Likely people's PCs were compromised and not iTunes. Happens every day; all passwords and all account information in the PCs and even Macs then become the property of the hacker.

Using a discovered account and a discovered password to log in to iTunes and buy music or software IS NOT A HACK!!!!!

The hack is on the workstation to discover the credentials.

If I give you a stack of credit cards and their associated PINs and you extract money from those accounts by using a regular ATM system by swiping the cards and entering the PINs like millions of people do every day, ARE YOU HACKING?

A Hack is a trick, is dealing with a weakness of a system, is misusing a system functionality to make it do something it was not designed to do.

If you have obtained a list of accounts and a list of passwords and you use it with iTunes you are not HACKING. You are stealing but not HACKING.

Will people ever get the facts before yelling that the sky is falling?

People on the Internet get their credentials stolen every day, and they are mostly stolen from their PC because they were infected by a trojan or a keylogger. That does not mean that the systems where those credentials can be used have been hacked!!! Those systems are working as normal and reacting to a good set of credentials regardless of how they were obtained.

People!

so how come they just use the iTunes accounts to buy music? how come they don't use the cc-numbers to shop amazon or ebay??

do you read the other posts at all??? these people are not stupid....
 

Don Kosak

macrumors 6502a
Mar 12, 2010
860
4
Hilo, Hawaii
From the screenshot, these are the bootlegs of the wildly popular Detective Conan, and Dragon Ball comics (manga).

It wouldn't surprise me if the sales were legitimate -- and if you have teenagers you wouldn't be surprised either.
 

TacticalSS

macrumors newbie
Jun 1, 2010
15
2
I got hit with over $1,400 worth of charges... still not resolved... gotta love the holiday weekend.
 

mdriftmeyer

macrumors 68040
Feb 2, 2004
3,810
1,985
Pacific Northwest
A single entity or developer effectively took over an entire section of the App Store for the past two weeks by using an army of zombie or hijacked accounts. Apple apparently didn't notice, or take action, until a fuss was raised. I think that was the story here, not a question of whether or not the entire store's accounts database was compromised, though that's a nice scare to raise attention on thenextweb's part.

They didn't notice because the top position was drawing a few hundred ratings versus tens of thousands.

Now, they'll tighten that end up.
 

VenusianSky

macrumors 65816
Aug 28, 2008
1,290
47
so do you think I should change mine? it's 123456... maybe I should go with 654321? :D

"1-2-3-4-5? That's the stupidest combination I've ever heard of in my life! That's the kinda thing an idiot would have on his luggage!" :D
 

EagerDragon

macrumors 68020
Jun 27, 2006
2,098
0
MA, USA
I doubt that, why would websites recommend long passwords if they're just as inefficient as shorter ones as you claim? In that case, who cares about long passwords?
That simply isn't true. I'm no expert of course, but I know that with 20 characters, there are quadrillions of combinations (I don't make the maths, I'll let you do it if it bothers you), making it impossible to crack, even for a machine and a lifetime isn't enough to crack it, and even if it was, finding another way to enter would take less time than finding it.

Length is much more secure than "complexity" (adding $ and other &, %) onto a short password, it's good, but not enough and won't be as efficient as using normal alphabet, random at best, with a 20+ long password.

You are correct that the longer the password the harder it is to crack, especially if made from letters upper, lower, numbers and special characters.

However a trojan is a program that runs in your computer and can possibly steal your nice long password. That is why the other poster said it did not matter the length, a trojan can steal it regardless of how long it is. Programs like 1Password encrypt the passwords so they cannot be easily stolen, as an encrypted password is meaningless unless you know the secret that allows you to decrypt it first.
 

EagerDragon

macrumors 68020
Jun 27, 2006
2,098
0
MA, USA
so how come they just use the iTunes accounts to buy music? how come they don't use the cc-numbers to shop amazon or ebay??

do you read the other posts at all??? these people are not stupid....

Because what they wanted to do was bump their rating, they did not want to steal money from the credit cards, directly.

This happens often in the stock market. They compromise the computers of a number of people with lots of money in the market, and steal their stock market brokerage accounts and passwords. Then the hacker uses his own money to buy some cheap stock. Using the stolen accounts and passwords then they buy the same stock over time, this drains their victims' accounts to purchase those stocks. Later the value of the stock has gone up a number of points and the hacker sells the stock and makes a killing in the market. It is a variation of the old PUMP AND DUMP.

The ones hacked are the PC users not the stock market, in the process the market is manipulated to get the ratings on a particular stock up. The same with getting others to buy your application to get its rating up.

Same basic technique. PUMP and DUMP, look it up. Some explanation and examples here: http://en.wikipedia.org/wiki/Pump_and_dump

Besides, they get 70% of every purchase, and as long as Apple cannot prove they were the ones making the purchase, they cannot be prosecuted. The money they get (70%) has been cleansed (ever heard of money laundering?)
 

aaarrrgggh

macrumors regular
Jul 1, 2007
159
24
À propos password, there's an easy solution: make a horribly long password of 16-20 "letters" with special characters and numbers and letters together, you'll be safe for many, many years, if not your whole life.

I use secure passwords on all systems that I viably can, but how do you do a secure, long password practically for an iOS device?! IIRC, you can't copy-paste to the iTunes password dialog box. Likewise, the clipboard is accessible to apps, so it isn't secure either.

The only way to improve it is to have account certs that you unlock with a less secure password, but that is on Apple. Likewise, account names should be hashed so they can't be guessed... All on Apple to execute.

Apple is gaming the system here as well, forcing the cc companies to earn their 3%.
 

timseley

macrumors member
Nov 21, 2008
35
0
kansas city, ks
Maybe it is just business as usual but my cousin's account got hacked a few days ago to the tune of about $1000 and Apple hasn't exactly been helpful. Seems like something like $1,000 of purchases out of the blue should raise a red flag.
 

lawrence32

macrumors member
Jun 18, 2010
48
0
This happened to me in May, I did end up tracking it down to a key logger that seemed to be from sites that used the flash exploit. I know the site that got me was on my son's PC and I synced my phone with it and updated apps within iTunes. iTunes itself I think is secure, your PC may not be though.

I'll sync with my Mac from now on, and make sure I don't have my card on file. Pay attention online, or it can cost you, my bank and iTunes would not help me out.
 

andiwm2003

macrumors 601
Mar 29, 2004
4,382
454
Boston, MA
so how come they just use the iTunes accounts to buy music? how come they don't use the cc-numbers to shop amazon or ebay??

do you read the other posts at all??? these people are not stupid....

Did you not read his post or did you just not get what he was saying?
 

woofermazing

macrumors member
Jun 25, 2010
49
0
While most media outlets may overestimate how widespread this was, the dude/dudes got 41 apps into the top 50? That would require more than a few accounts. Of course we will never know anything more because Apple will stay silent. :mad:
 

adamvk

macrumors 65816
Oct 29, 2008
1,308
0
Phoenix, AZ
Wirelessly posted (Mozilla/5.0 (Linux; U; Android 1.6; en-gb; Dell Streak Build/Donut) AppleWebKit/528.5+ (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1)



The streak has been out for a few weeks in the U.K! :)

Didn't know that. Cool.
 

RangerXML

macrumors regular
Jul 4, 2009
159
40
Yes, because in the order of 50-250 accounts being hacked to boost these ratings is, well, "no big deal", sounds so Apple. Why does this remind me of 'there is no reception issue' party line?
 

Consultant

macrumors G5
Jun 27, 2007
13,314
34
so how come they just use the iTunes accounts to buy music? how come they don't use the cc-numbers to shop amazon or ebay??

do you read the other posts at all??? these people are not stupid....

Have you never used any online shopping cart before? Typically once the account info is saved, then the end user cannot extract it. (and of course iTunes has that security measure)
 

ranReloaded

macrumors 6502a
Feb 16, 2010
894
-1
Tokyo
Vietnam isn't part of China btw. Why the random rant? :confused: Ah, saw your location status. Makes sense now

no, I'm not Japanese and it's not personal.
The dev may be Vietnamese but all this iTunes account hijacking is sold through the Chinese equivalent of eBay.

And while we're at that, Russia should take measures too.
 

ArkhamNative

macrumors newbie
Jan 25, 2010
10
0
I use secure passwords on all systems that I viably can, but how do you do a secure, long password practically for an iOS device?! IIRC, you can't copy-paste to the iTunes password dialog box. Likewise, the clipboard is accessible to apps, so it isn't secure either.

I suggest you look at 1Password from Agile Web Solutions. (Note: I'm just a happy customer for over a year.) It works with "most modern browsers", has an iPhone and iPad app, and a Windows version in beta. And has a nice password generator, too.

1Password has no problem with dozens (hundreds?) of accounts with passwords like ,XMcigSwMN#(87y59{VRR5]b or tot-maj-nu-al-wea, except that you may become irked when sites want no more than 14 or 22 characters in a password, or balk at fairly common symbols like { or @.
 

Craiglorocks

macrumors member
Apr 4, 2010
76
0
Just a thought: There have been many keynote addresses in which Mr. Jobs has touted that we now have #,###,###,### (no idea the actual number) iTunes accounts with a credit card. If I am a hacker and Steve tells me that he has this many credit card numbers on his servers, I might be interested.
 

theneweyes

macrumors member
Jun 10, 2009
86
0
I think the wording used here by the editors of MacRumors, "Greatly Exaggerated" might be a subconscious sign of what we fear...
 

RobertMartens

macrumors 65816
Aug 29, 2002
1,177
300
Tokyo, Japan
I'd better change my password. I guess "password" isn't considered secure :D

Man, how stupid can you be? You just told everyone at MacRumors your password. I'm going to log in to your account now and delete this post.

Don't let this happen again. Lou's leaps sink sheeps.
 