Apple must act now over its ‘iTunes hack’

Bitten Apples

The success of Apple’s App Store could soon hit a bump. iPhone users are allegedly in danger of a scam that’s cost them dear. The worst bit? Not only is Apple aware of this, it doesn’t seem willing to take direct action.

The result? Apple is keeping an app on its famed App Store that’s chalked up complaints from people accusing it of fraudulently emptying their iTunes accounts. And the victims are understandably frustrated with Apple’s failure to stop what appears to be systematic theft.

The fact that that app – Sega’s Kingdom Conquest on the iPhone – is still on the App Store following a catalogue of complaints is, frankly, astonishing.

The reviews on the app say it all:

‘So many people like my six year old have had their accounts wiped by this. No support from Apple.’

‘This app took £55 from my iTunes account even though I have not downloaded it, viewed it or even known about it.’

‘Like others never heard of this app until I got a receipt for purchasing it. Complete scam, made even worse by Apple knowing about it. Shameful Apple, very shameful.’

‘Sent four emails to iTunes/Apple yet no progress, despite a store manager emailing them also. How this app is still on the App Store is beyond belief.’

Beyond belief is bang on. Why is Apple, despite complaints, doing nothing? Sadly, only Apple knows. Yet each day Apple sits on its hands, more unwary iPod, iPhone and iPad customers are falling victim to the problem. And that simply isn’t good enough.

Apple’s response to complaints

For the record, the app’s maker – Sega – insists the problem isn’t with the app. If that’s the case, then Apple has to take responsibility for every consumer that ends up out of pocket, and admit to what could be a real problem with a possible hacking of the iTunes system.

I alerted Apple to the problem, directly asking them why they haven’t taken any action. Apple responded by saying:

‘We’re always working to enhance account security for iTunes users. If your credit card or iTunes password is stolen and used on iTunes you should contact your financial institution about any unauthorized purchases, and be sure to change your iTunes account password right away. For tips on protecting your iTunes account security visit www.apple.com/support/itunes.’

It is a response – but it’ll be small comfort to those seemingly a victim of fraud. Plus, at the time of writing, the app is still available.

Apple’s iTunes and App Store is a great service – but is the company effectively hiding a hacking issue so as not to tarnish the App Store’s image?

With nearly half-a-million apps and 225m iTunes accounts, news of an iTunes hack wouldn’t be great for a company that last year reeled from the iPhone 4 antenna scandal (you know, the one Apple didn’t even acknowledge until faced with an overwhelming volume of noise from the world’s media).

Here’s what Apple needs to do:

1. If consumers are falling foul of an iTunes hacking scam, and it’s linked to this app, then it makes sense for Apple to remove it immediately to stop more consumers falling victim to a possible scam.

2. Apple should listen to its customers, and admit publicly to any iTunes account issue.

3. Apple must take immediate steps to protect customers from getting their accounts compromised and refund immediately anyone affected.

I’m betting Apple’s customers will continue to meet a wall of silence on this. But allowing them to get ripped off? In Apple’s case, it seems there’s an app for that.


I got my son an IPOD TOUCH for Christmas from a COMET store and with no knowledge whatsoever of Apple was told you just downloaded it onto your computer. No one told me that after that my son didn’t need the computer to download songs or nothing, first thing we knew was when we received emails telling us certain amounts of monies had gone out of our account. Call my husband and I stupid but we’d no idea he could do this we thought he had to link the IPOD up to the computer to download them. Anyhow with a quick phone call for advice from which who emailed us back with advice on what to do we sorted it but I was very disappointed with the store we bought it from they should have told us that this could happen surely. It’s locked of now my son can only use it for songs at present like a glorified tape recorder cos we can’t afford all the fifty pounds worths of music he was putting on. He has special needs too so didn’t realise what he was doing. Please parents be careful what you’re doing cos the shops aren’t bothered how much your kids make out of you.

Julian says:
28 July 2011

I’m sorry Comet didn’t explain that it was possible to download songs and other content via just the iPod touch itself, and although this does require you enter the password for the iTunes account that it was set up with originally, I’m guessing your son either knew it, or figured it out.

Although I’m a bit unsure as to what you mean by “It’s locked of now my son can only use it for songs at present”, I’m hoping what you meant is that whoever you called for advice directed you to the Restrictions feature within the iPod’s settings app, as it allows you to restrict what a device allows, like whether or not you can purchase music etc., quite easily, securing it with a special passcode.

This article from Apple’s support website explains how it works and how to set it up: http://support.apple.com/kb/ht4213 (If you hadn’t found the parental controls within iTunes itself, this one covers them http://support.apple.com/kb/ht1904)

Julian says:
28 July 2011

I’m sorry, but this article is massively misleading and appears to have been written with no real regard for the facts.

In short, there is no “iTunes hack”, the game is not a scam, and due to the way the App Store operates it’s practically impossible for any app to do what this article claims this SEGA game is doing.

As Apple’s statement indicates, what’s actually happened here is that people have either had their credit card information stolen and then used by someone else to create an account, or had the password they’ve chosen for their own iTunes Store account guessed by someone else who has then used it to download the game and buy things within it via In-App Purchase (which requires confirmation and the account password if it hasn’t been entered in the past 15 minutes).

Neither of these things indicates an “iTunes hack” or that the application is a “scam” any more so than a shop that unknowingly ends up accepting a stolen credit card is part of a scam.


Hi Julian

Thanks for the comments – and happy to clarify a few things that you’ve raised.

1. I never said the app is a scam. Sega is a reputable company, and has gone on the record that the app is fine and the problem isn’t down to the app per se. So, just to be clear: the app is definitely not a scam.

2. However, lots and lots of people are clearly being caught up in an on-going scam that is emptying iTunes accounts and is seemingly linked to this particular app. Don’t believe me? A simple Google search of ‘iTunes hack Kingdom Conquest’ shows the number of consumers seemingly caught up in the issue.

3. I never said that iTunes has been hacked. I was simply questioning the silence from Apple to its consumers around this problem, and why – weeks after this problem has emerged, are consumers still having accounts emptied and specifically in relation to this app. One way to stop the problem is to remove the app for a period.

4. However, the fact that people are claiming there is a problem does suggest that something has compromised certain accounts, and that it is fairly systematic. In short, has iTunes been hacked? Consumers are saying they’ve changed passwords but to no avail, which counters the insecure password argument. Something, clearly, is amiss with iTunes here.

5. Finally – and this is an interesting point – this scam does NOT seem to be linked to credit cards, as both you and Apple suggest. A reading of the huge numbers of complaints show that it appears limited to iTunes accounts that are in credit or have been topped up with a gift voucher or funds. It does not seem to affect directly credit cards. I think Apple’s advice around credit cards, then, misses the point.

So, I take your points, but it appears that hundreds of iTunes users are suffering the exact same problem, with the exact same app. Apple’s silence and inaction around this is what I’m calling into question – and I’d expect more from Apple to protect its users.

Julian says:
28 July 2011

1. I accept that you very carefully avoided directly calling it a scam yourself, you just strongly implied it and quoted others who had wrongly asserted it.

“iPhone users are allegedly in danger of a scam that’s cost them dear.” (that use of “allegedly” is practically HIGNFY-worthy)
“The fact that that app – Sega’s Kingdom Conquest on the iPhone – is still on the App Store following a catalogue of complaints is, frankly, astonishing.”
“It is a response – but it’ll be small comfort to those seemingly a victim of fraud. Plus, at the time of writing, the app is still available.”

2. While understandably infuriating to those who fall victim to it, the scam here is quite classic credit card/password theft. Although I haven’t downloaded the game myself, a quick check of its App Store listing and SEGA’s website for it shows that it’s a pretty popular game (#1 in the free RPG category in many countries) and makes extensive use of In-App Purchase.

Even aside from the ludicrousness of using Google search results as some kind of proxy for hard data, it’s quite reasonable to presume that if it’s a favourite of gamers, it’s going to be a favourite of gamers who don’t want to spend their own money, as well. Correlation doesn’t prove causation.

3. You didn’t say iTunes had been hacked? Are you kidding me with this?

Let’s see, we have “what could be a real problem with a possible hacking of the iTunes system.”, followed by “is the company effectively hiding a hacking issue”, with an added “news of an iTunes hack wouldn’t be great”, finished off with a “If consumers are falling foul of an iTunes hacking scam”. But hey, you’re just implying it, I mean, it’s not like the *title of this article* is “Apple must act now over its ‘iTunes hack’” or anything, nope…

Anyway, the idea that by removing the app, Apple would somehow stop the problem, implies the problem here is truly related to/caused by this game in particular, which there appears to be zero evidence for. Surely if the iTunes Store had actually been hacked as you imply/assert throughout, why would people limit fraudulent purchases to just this one game?

4. Some people claiming there’s a problem, even multiple people claiming there’s a problem, doesn’t inherently mean there is one, or that it’s actually the problem they think it is. As you noted yourself, there are more than 224m iTunes store accounts, so if you wish to claim that there’s a systemic problem, surely you’d need evidence that at least a reasonable percentage of the 224m accounts out there are affected. You stated “hundreds” have been affected by this issue, 999 is the largest number that can be considered ‘in the hundreds’, which means that even presuming you’re right, this issue has affected 0.00044598% of registered accounts. Maybe it’s just me, but I figure if the iTunes Store had been hacked, it might be a little more widespread than “hundreds”.

That some people affected by this issue have changed their iTunes Store password and still had further unauthorised purchases made, neither counters the insecure password argument (they could have changed it to another insecure password), nor provides evidence that there’s something amiss with iTunes. Personally in those cases, my money is on the charges being made using another iTunes Store account with a stolen card, the changed password being easily guessed, or quite possibly of customers changing their password on a compromised computer (keyloggers are not your friends etc.).

5. I’m not sure how a misreading of Apple’s statement or what I said is really quite that interesting. Neither they, nor I, said this was simply a matter of credit cards, but that the basic two avenues that involve people spending your money on the iTunes Store without your consent come down to people either getting your card details and creating their own account, *or* gaining the password for your *existing, legitimate account* through either guessing it, or gaining it through other means (phishing, malware etc.).


Hi Julian

Thanks again for your reply – and you do raise some very interesting and valid points.

I do actually agree with a lot of what you say – consumers could be using insecure passwords, that the numbers aren’t huge compared to the total universe of iTunes accounts, and that in-app purchasing of a really popular game could well be the reason (in-app + popularity) for this specific game being a central player in the whole issue.

But, I want to be really clear about what I’m calling for from Apple:

1. There does seem to be some kind of a problem – and lots of consumers are experiencing some kind of scam, and it involves both Kingdom Conquest and iTunes accounts (from what I can tell, pre-credited or in-credit accounts). These bits are facts.

2. There are lots of reviews from consumers frustrated that Apple doesn’t appear to be doing anything to help. Those reviews may be wrong, misguided – or even totally accurate – but the point is Apple does have a bit of a problem in that it seems these concerns are falling on deaf ears. This too is a fact.

3. So these facts do raise a question – which is legitimate to ask – around iTunes and account security. **Something** is clearly happening. It **may** be that in-credit accounts plus in-app purchasing are prone to some type of hack-related problem. It may be that people have poor passwords. Whatever one, it’s a valid question to put before Apple and try to find answers to.

It would be great for Apple to actually articulate that, because I guarantee that tomorrow, someone else’s iTunes account will suffer the same problem, and it will be linked to the same app. That’s not the problem of the unfortunate consumer it happens to – it’s Apple’s problem.

Apple’s bland statement to date doesn’t really explain what might be happening.

jayfehr says:
28 July 2011

This is a cut/paste of the comment I posted on Reddit, but thought I would put it here as well since not everyone visits that site.

This article doesn’t even explain what the issue is. People buy an app then money disappears from their account — how? Is it in-app purchases? If so then the user has to enter the password. For each and every in-app purchase. The Smurfs issue forced Apple to do that, there is no more 15 minute window for in-app purchases. So either you told your kid the password, or it was simple enough that he/she guessed it. Oh, and you also could completely disable in-app purchases in the PARENTAL CONTROLS of the device.

The article also mentions hacking. If this was a shady app on a jailbroken device I would give that some thought. However, apps purchased through the AppStore do not have access to users’ account information, everything has to go through Apple’s system. In fact, as witnessed by the blowback of Apple’s 30% for subscriptions policy most people think this policy goes too far. On top of all this Sega is a reputable company as well I don’t think they would risk their entire organization to steal a few dollars from a few random people. Take advantage of their naivety? Yes. But steal? No.

This article is just FUD. People have to learn that passwords are there for a reason, and giving it to your child is akin to handing them your credit card in a candy store. They have no sense of cost, and no money management skills, yet you give them access to thousands (if not tens of thousands) of dollars.

There is still another option I hadn’t thought of. People’s accounts may have been stolen. Usernames/passwords compromised. But still that makes no sense either since the thieves are making in-app purchases on a game they don’t control. So all these hackers out there steal a bunch of identities to download and play a free game (to download) owned by a multi-million dollar corporation, then steal people’s money in order to buy in-game gear. I really don’t think this is what is happening, it makes zero sense. If they were stealing accounts they would place their own app on the store and keep the cash it brought in.