Neal Sheeran

Rants, Raves, and Geekery

My Hacked iTunes Account


Shortly after I got my iPhone I was traveling on business and I was trying to download an app from the App Store directly to the phone. I saw a little error message saying that my iTunes password was incorrect. Still new to typing on this thing, I chalked it up to my fat fingers and tried again. Same error. I tried a third time, taking extra care to make sure, with the same result–followed by another note saying my account was locked. Weird.

I then fired up my laptop and logged onto the Apple website and tried to log on with my Apple ID - the same one used for my iTunes account. No luck. I then failed to correctly answer my own security question. Slight panic started to set in. The next morning I check my email on the iPhone and I have an iTunes receipt for six app purchases, only two of which were by me. I motor off to my meeting and the first break in the action can’t come soon enough. I get on the horn to Apple Customer Service, a task not helped by the fact my meeting location is in a significant cell phone coverage black hole.

I tell the Customer Service folks about the situation and they were more than helpful. My account showed three additional purchases that I had not made and they could tell that all seven of these apps were purchased from a computer different than mine. The strange thing is none of these apps were actually downloaded, they were only purchased. The kind Apple folks refunded me the money for the purchases I didn’t make (they were $9.99 apiece), reset my account and removed my credit card from it. Panic level subsiding…

At the end of the day, I get back to my hotel and immediately check my credit card statement online. Luckily, the damage was limited to these $9.99 apps and not a Neiman Marcus shopping spree. I then log back into my reset Apple ID account and see that whoever got ahold of my password changed my two security questions. I also take a closer look at the receipts listing these purchases (I had by now received the receipt for the three additional purchases I didn’t make).

All of these apps I didn’t buy were from the same seller.

The seller’s name was Xu Hei. I then fired up the App Store on the iPhone and looked up these apps I supposedly bought. The publisher/developer for all of them is Black8 Studio and the apps themselves are lame: iRest - Relax Your Neck Back Shoulders Knees and Ankles [iTunes Store Link], an app that promises “happy and productive staff” and to “helps to attract and keep great people”. Here is a screenshot:

Screenshot of bogus iPhone app

And here is a snippet from the description:

Working Hard a Whole Day?

Walking wears pair of high-hell shoe?

Sitting beside the computer for a Long Time?

No, that is not a typo, “high-hell shoe” it is. Other parts of the description are in perfect English, probably because it has been copied from the web somewhere. Other apps include How to Stop Smoking, How to Watch Less TV, How to Avoid Swine Flu, etc. These apps exist solely for this scam. I know it’s a scam because I’m not the only one this happened to - someone else left a review for all of these apps describing almost the exact same thing - a hacked iTunes account and bogus purchases of multiple Black8 Studio apps.

I called the Apple Customer Service folks back, gave them my case number and attempted to wow them with my mad detective skills. The gentleman I spoke to agreed that something fishy was going on, would look into it and thanked me for my info. However, three weeks later the apps are still in the App Store and some of them have been updated with new screenshots (that are somewhat less lame, but not much).

Lessons Learned

Thankfully, getting access to someone’s iTunes account does not provide the full credit card number, just the last four digits. Otherwise this could have gotten ugly. As it stands, this seems like a lot of effort to just scam people for $9.99 at a time.

Just like computer crashes that result in people “getting religion” in terms of backing up their data, I’m now a proud owner of a license for 1Password and all of my online passwords for anything remotely financially-related have been changed.

Now every time I get an iTunes receipt in my inbox, I have a small heart attack that only subsides when I realize that, yes I did purchase that silly game or my fifth note-taking app.

I’m also pissed that I didn’t get to at least download these apps. I do tend to drink too much coffee and could use some help.