Numerous reports of iTunes users being hit with unauthorized charges in the hundreds - or in some cases, thousands - of dollars to their PayPal accounts have raised concern and spread confusion in recent days. There's no clear information about how the thefts were carried out, with some speculating that there is a security hole in iTunes and others - particularly Apple - saying it's just an everyday phishing attack. However, questions remain as to why only linked iTunes and PayPal accounts are being hit.
, specifically targeting iTunes customers who use PayPal as their payment method, have been going on for a year or more. A report in the San Jose Mercury News "Action Line" over the weekend was picked up by TechCrunch, who passed on the story of one user who was charged $4,700 US for a bunch of 10000 packs of "Dragon Crystals" for the CastleCraft game. Searches of Twitter and Facebook turned up a number of reports of similar thefts, prompting worries about a major scam underway.
Apple and PayPal were initially blaming each other for the problem. A number of observers later made statements to the general effect that users were dumb and falling prey to phishing emails, with John Paczkowski at the Wall Street Journal passing on what his Apple sources told him: "iTunes has not been compromised and the company isn't aware of any sudden increase in fraudulent transactions." Leaving aside the fact that of course Apple would say that, no one definitively knows the source of the attacks and it's not necessarily reasonable to conclude that there's no problem with iTunes. (That's sort of the goal of hacking: you're not supposed to know when it's happening to you.)
If the problem was that people's PayPal accounts were being hacked, then we'd be seeing other charges made at different places, not just at iTunes. If people's iTunes accounts were compromised, on the other hand, then it wouldn't necessarily just be those who pay through their PayPal accounts who were being robbed. The reports to date would suggest that there is something in the linkage between iTunes and PayPal that's being exploited.
A PayPal spokesperson told TechCrunch's Erick Schonfeld that "unauthorized charges sent through PayPal are being reimbursed." Apple, for its part, is telling people who have been robbed that they should change their passwords.