Chinese auction site sells thousands of stolen iTunes accounts

50,000 stolen iTunes accounts linked to stolen credit cards are being sold on a Chinese auction site, according to a report from the BBC.

Listings on Taobao, the Chinese equivalent of eBay, are promising access to iTunes downloads for between 1 yuan ($0.15) and 200 yuan ($30).

However, customers are advised that they are likely to only have about 12 hours to download apps, movies, games and music from the online store before their accounts are suspended.

A reporter with the Global Times, who discovered the activity on Taobao, paid $5 for an iTunes username and password. When accessing the account they found that it contained credit card details and the address of a user based in the United States.

What isn’t entirely clear is whether fraudulent accounts have been set up with stolen credit card details, or whether these are existing iTunes accounts that have been seized by cybercriminals – perhaps after login details have been stolen through phishing attacks.

Certainly it’s not the first time that users have experienced problems with their iTunes accounts. Last year, many iTunes users reported that they had received unauthorised charges of up to $1000 after an apparent security breach.

Regardless of precisely how the cybercriminals selling access to the iTunes accounts managed to gain control over them, my advice is that you ensure that you have chosen a secure, non-dictionary word as your iTunes password that you never share with any other person or website.

Furthermore, just as with your bank account, you should keep a close eye on your account and the purchases linked to it to see if there is any unusual behaviour.

And even if this assault on users’ accounts wasn’t the result of a phishing campaign, always be on the lookout for fraudulent emails and websites which try to steal your login details. The phishers aren’t just after your banking details – they can make money out of other online accounts too.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
