Mystery surrounds iTunes/PayPal web scam

Graham Cluley

iTunes and PayPal
Here’s the story so far.

On Monday, TechCrunch reported that there appeared to be a “major security hole” in iTunes accounts which were linked to PayPal. Affected users began to report that somehow unauthorised charges had appeared on their PayPal accounts associated with iTunes purchases – with some reporting they had found themselves out of pocket to the tune of $1000.

Some resorted to posting on Facebook about the theft from their PayPal account:

iTunes/PayPal web scam victims on Facebook


on Twitter:

iTunes/PayPal web scam victim on Twitter

and on Apple’s online support forum:

iTunes/PayPal web scam victim on Apple support forum

Initially there was much speculation that either iTunes or PayPal had suffered a security breach. PayPal declined to comment, beyond saying that they were reimbursing unauthorised charges and advising victims to contact Apple if they had further questions.

Apple, for their part, shed no further light on the situation:

"We're always working to enhance account security for iTunes users. If your credit card or iTunes password is stolen and used on iTunes, you should contact your financial institution about charge backs for any unauthorized purchases, and be sure to change your iTunes password right away."

The simplest explanation for the charges would be that the account holders have had their credentials phished – either via a scam email or spyware. But many of the affected users are adamant that they have not carelessly given their iTunes password to others.

Another possibility, punted by Charles Arthur at The Guardian, is that victims of this scam may have been using the same username/password combination on other websites (a security problem I’ve discussed in the past), and that these have landed in the laps of opportunistic hackers.

But, to be honest, at the moment we simply don’t know what connects the victims of the scam other than that they had iTunes accounts associated with PayPal. Apple may be able to tell more about what links the victims (if anything) and the fraudulent purchases they appear to have made, but they’re not talking about it.

So, in the meantime, my advice is that you ensure that you have chosen a secure, non-dictionary word as your iTunes password that you never share with any other person or website.
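Two of the points in that advice can be checked mechanically: whether a password is really just a dictionary word dressed up with digits, symbols or leetspeak, and whether the same password is being used on more than one site. The script below is an added illustration, not code from the article or from Apple or PayPal; its word list and its set of site credentials are constructed for the example, and a real check would use a full wordlist or breach corpus in place of the tiny `COMMON_WORDS` set.

```python
import hashlib
import re

# Constructed sample word list. A real check would load a full dictionary
# and a list of passwords seen in public breaches.
COMMON_WORDS = {"password", "itunes", "paypal", "apple", "music",
                "letmein", "welcome", "qwerty"}

# Common substitutions people use to "disguise" a dictionary word.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})

TOO_SHORT = "too short"
DICTIONARY = "dictionary word (with leetspeak or trailing digits/symbols)"


def normalise(password):
    """Reduce a password to the word it is probably built from.

    Lower-case it, drop any trailing digits/punctuation ("...2010", "...123!")
    and undo leetspeak, so "P@ssw0rd123!" collapses to "password".
    """
    lowered = password.lower()
    stripped = re.sub(r"[^a-z]+$", "", lowered)
    return stripped.translate(LEET_MAP)


def assess_password(password, words=COMMON_WORDS, min_length=12):
    """Return a list of problems found; an empty list means no complaint."""
    problems = []
    if len(password) < min_length:
        problems.append(TOO_SHORT)
    if normalise(password) in words:
        problems.append(DICTIONARY)
    return problems


def find_reused(credentials):
    """Group sites that share a password.

    credentials maps site name -> password. Passwords are compared via a
    SHA-256 fingerprint so the grouping itself never has to hold plaintext
    once the hashes are computed. Returns a sorted list of site groups that
    share one password.
    """
    by_fingerprint = {}
    for site, password in credentials.items():
        fp = hashlib.sha256(password.encode("utf-8")).hexdigest()
        by_fingerprint.setdefault(fp, []).append(site)
    return sorted(sorted(sites) for sites in by_fingerprint.values()
                  if len(sites) > 1)


# Constructed sample credentials for the demonstration (hypothetical sites).
SAMPLE_CREDENTIALS = {
    "itunes": "iTunes2010",
    "webmail": "iTunes2010",
    "forum": "P@ssw0rd123!",
    "bank": "cassette-lantern-orbit-77",
}

if __name__ == "__main__":
    for site, pw in SAMPLE_CREDENTIALS.items():
        print(f"{site:8} -> {assess_password(pw) or 'ok'}")
    print("reused across:", find_reused(SAMPLE_CREDENTIALS))
```

Note that "iTunes2010" fails on two counts: it is short, and once the trailing year is removed it is just the word "itunes". The reuse check is what catches the scenario raised in the article, a password shared between iTunes and some other site whose leak would hand over both.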

In addition, it may make sense to use a gift card for your iTunes purchases rather than link it directly to a PayPal or other credit card – at least that way you can limit any potential losses.

Furthermore, just as with your bank account – you should keep a close eye on your iTunes and PayPal purchases to see if there is any unusual behaviour.

And even if this assault on users’ accounts wasn’t the result of a phishing campaign, always be on the lookout for fraudulent emails and websites which try to steal your login details.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
