Same reason you don't have all your accounts at one bank. One hiccup and you no longer exist.
You guys are actually downplaying the risk a bit here.
1) From the $40 charge it sounds like someone was ripping you off and covering their tracks (hiding history so you wouldn't know what else / how much they extracted from your iTunes account).
2) Apple now uses Apple IDs for Mac login, BtMM, & screen sharing in Lion.
That means someone with whatever technique was used on your Apple ID could actually break into a Mac desktop/laptop too -- either locally or over the network.
This is bad news.
From the way Chris Owen described it, it really doesn't sound like his account was compromised so much as interleaved with someone else's account information temporarily. The $40 charge, for instance, not only had a different address, but used some other credit card, which shouldn't be possible (and wouldn't really be the point of phishing anyway).
And the whole thing is really inexplicable in some respects. For instance, where would that phantom address come from? A cracker wouldn't use it, since it couldn't receive email (and Chris runs an ISP, so he really knows what he's doing with this stuff).
My best guess is that Apple munged some data together and must have invented that email address when trying to figure out what they'd done. But that's certainly just a guess, and Apple wasn't saying more.
That is the scariest bit. There was an issue and after a mess and a bit of luck, it was fixed.
What caused it, could it happen again, how was it fixed,..... I could continue in this vein.
The scary is Apple's total silence on the issue.
No, "the scariest bit" is that none of you recognized that the first emails were the phishing scam... and what is particularly comical is the comment "I could avoid being tricked by phishing. Since that wasn’t my problem"
When you lose your password, most of the time it is a phishing scam... those first emails were probably the phishing scam. If not, then the person fell for the phishing scam months ago... there are whole databases in China with phished passwords, and they hand them out for people to buy on demand... many times the scam happened months before the person ever gets the first charge...
I get lots of legitimate email that doesn't include my name. This week, from Apple, "Dear iWork.com user."
But I see your point. People need to develop a better sense of good and scam email. Sometimes it's comically easy, but not always.
Actually, even if it includes your name, if it is an email about changing some account info, or just logging in, don't click on the link; go to your browser bookmark instead, always...
None of these companies should include links...
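The advice in the comment above ("don't click on the link, go to your bookmark instead") can be turned into a mechanical check on the links an HTML e-mail actually carries. The following is an added example, not code from TidBITS or from any commenter: it extracts every anchor from a message body and flags links whose host is outside an allow-list of hosts the claimed sender is expected to use, links to bare IP addresses, links carrying user:password credentials, and links whose visible text shows one domain while the href points at another. The sample message, the `EXPECTED_HOSTS` allow-list, and the hosts in it are constructed for illustration; the two-label `base_domain()` rule is a deliberate simplification that does not handle multi-part public suffixes such as `co.uk`.

```python
"""Flag suspicious links in an HTML e-mail body (added example, not from the thread)."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the purported sender is expected to link to. Constructed allow-list.
EXPECTED_HOSTS = {"apple.com", "itunes.com"}

# Visible anchor text that itself looks like a URL or bare hostname.
_LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def base_domain(url):
    """Last two labels of the URL's host, lower-cased (simplified; ignores co.uk-style suffixes)."""
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_links(html_body, expected_hosts=EXPECTED_HOSTS):
    """Return [(href, [reason, ...]), ...] for every link; an empty reason list means no finding."""
    parser = _LinkExtractor()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        parsed = urlparse(href)
        host = (parsed.hostname or "").lower()
        reasons = []
        if parsed.scheme not in ("http", "https"):
            reasons.append("non-http scheme")
        if parsed.username or parsed.password:
            reasons.append("userinfo in URL")
        is_ip = _is_ip_literal(host)
        if is_ip:
            reasons.append("IP-literal host")
        elif base_domain(href) not in expected_hosts:
            reasons.append(f"host {host} not in expected set")
        # Visible text that looks like a URL but whose domain differs from the real target.
        if _LOOKS_LIKE_URL.match(text):
            shown = base_domain(text if "://" in text else "http://" + text)
            target = host if is_ip else base_domain(href)
            if shown and shown != target:
                reasons.append(f"text shows {shown} but link goes to {target}")
        findings.append((href, reasons))
    return findings


def suspicious_links(html_body, expected_hosts=EXPECTED_HOSTS):
    """Only the hrefs that produced at least one finding."""
    return [href for href, reasons in check_links(html_body, expected_hosts) if reasons]


# Constructed sample message: one look-alike host, one IP-literal with misleading
# text, and one legitimate support link. 203.0.113.0/24 and .example are reserved
# documentation ranges/TLDs, so nothing here points at a real host.
SAMPLE_EMAIL = """
<p>Hello,</p>
<p>Your Apple ID billing information has been changed. If you did not make this
change, <a href="http://appleid.apple.com.verify-account.example/login">
review your account</a> now.</p>
<p>Or visit <a href="http://203.0.113.10/signin">https://appleid.apple.com/</a>.</p>
<p>Thanks, <a href="https://www.apple.com/support/">Apple Support</a></p>
"""

if __name__ == "__main__":
    for href, reasons in check_links(SAMPLE_EMAIL):
        print(href, "->", reasons or "ok")
```

Run against `SAMPLE_EMAIL`, the first two links are flagged (look-alike host; IP-literal target behind text that displays apple.com) and the third passes. The check deliberately does not consider whether the greeting includes your name, since several commenters here report legitimate Apple mail that begins with a bare "Hello,".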
The first email messages were not phishing scams. For one, Chris Owen runs an ISP, so when he says he didn't fall prey to any such scheme, I'm highly inclined to believe him.
Second, and even more to the point, I went back in my email and confirmed that all the Account Info Change messages I have received from Apple in the last year start with just "Hello," and do not include my name.
"The scary is Apple's total silence on the issue."
Actually, the scary is Apple's continued arrogance and disdain to their customers.
On my iMac and iPad, my Apple ID continues to work, but on my MBP, it does not. Further, since it claims I have an upgrade pending that I can't get, I always have a 1 in the icon for the store (this is a SL machine). It is just this kind of horror story, and most particularly the difficulty (virtual impossibility) of getting problems like this fixed that has prevented me using iCloud for anything. I use fruux to sync my Address Book and Calendar and Dropbox for all other file syncing.
While I'm ranting here, I should mention that with the exception of Apple's web site and developer site, I avoid using any other Apple Web-based service for the same reason -- none of them do any glitch management, whereas Dropbox and fruux are quite responsive.
You should have had a clue when the initial e-mails did not include your name - just "hello". It is possible you were directed to a fake web page and put your password info there - and started the ball rolling.
Never believe any e-mail from Apple - PayPal - ebay - your bank - or anyplace that does not include your name.
Actually, my legitimate email from Apple that arrived after I was forced to create the security questions didn't include my name either. I agree that you should never click on a link in an email, but you can't automatically say that the email can't be believed because it didn't have your name.
In this case, the person fell for some phishing scam... most likely those emails were the phishing scam... and the person clicked on one of the links. Don't even click on a link for a legit email.... ever... if it involves changing account info and such.
Again, I have multiple Account Info Change messages from Apple that start exactly the same way - "Hello," and no mention of my name. My email address (Apple ID) is always listed, of course.
Apple clearly needs a better system to resolve issues with Apple ID. Having the only method through Express Lane is pretty unsatisfactory. A link directly for Apple ID is NEEDED now. Speaking to a real person would be easier to explain a convoluted situation, rather than an e-mail that no one seems to read any way. As important as Apple ID is becoming, they better do something that is user friendly.
I have two Apple IDs, one is from my old MobileMe account and the other is my iTunes account that I use for any purchases. At first I wanted them combined and was disappointed that there is no way to do so. Now I think it is safer to have them distinct from one another. This works ok for a single user, but I imagine multiple family member type situations may be very difficult to manage.
Ditto. I use my original iTunes AppleID just for that. My Dot Mac AppleID is the one I use for Apple Discussions and Dot Mac/MobileMe/iCloud email. I was ranting because Apple couldn't seem to be able to hire a programmer that knew how to merge databases. Now I wonder if they did hire someone who "enhanced" his resume and this problem is the result - a database merge gone awry.
--------------
if Apple messes something up behind the scenes, we’re the ones left with egg on our faces and no obvious way to get help.
---------------------
There are literally dozens of people losing their passwords to phishing scams every single day, and every year, twice a year or more, some article portrays Apple iTunes as being "hacked" with stories of 30 people saying they had been hacked. Well, it isn't 30 people... it is 300 people every month or so... and the story and the people ALWAYS blame Apple, saying it "must" be an iTunes hack... when in fact in every single case, it is either phishing (90% of the time) or a PC with a virus/malware/keylogger on it....
NOT ONCE in the dozens of these articles that show up twice a year or more was it the case that it was iTunes or an Apple system that was hacked.. not once....
I would encourage you to read more closely. At no point in the article did the author suggest that Apple had been hacked, or even that his account had been hacked. Phishing was off the table for the reasons I've stated in previous comments.
The most logical conclusion is that Apple somehow interleaved data from multiple accounts, since that would account for the different address, the American Express card, and the lack of developer privileges. Utterly inexplicable still is the phantom email address that never existed.
Regardless of what happened, the piece is meant as a cautionary tale for people who rely on their Apple IDs to (a) be careful and (b) to think about what you'd do if your Apple ID-protected accounts were to become inaccessible. Plus, it points out that getting help from Apple for what has become a truly essential service can be difficult and time-consuming. It didn't happen in this case, but it's easy to imagine someone relying on iCloud for email, calendaring, and contacts, and ending up in a situation where they would be dead in the water for a day or two while some problem gets fixed. That may not be acceptable for some businesses, and they should be aware of that possibility.
Apple IDs - perplexing, apparently even to Apple. A year ago I found that the contact and billing information (real name, mailing address, phone number, and billing information) for one of my two Apple IDs had inexplicably changed from my own to that of someone of opposite gender whom I do not know, but who happens to live in the same town, although not quite in the same Zip code.
Had I kept notes I could regale you all with the gory details, but as I recall I was lucky enough to reach, without excessive delay, an exceptionally bright young woman at Apple. She was as mystified as I, yet still managed to sort things out within 24 hours.
Nice person. During the course of our conversations she was able to pull some strings and get me an exceptional discount on Adobe CS 5.5 (through Apple), so while I left the experience forever wary of the reliability of Apple's security underpinnings, I remained a happy-enough customer.
Now, reading this, and remembering that, leaves me firmly disinclined to entrust any of my LAN calendars to iCloud. Instead, I will keep the LAN as is, and continue to sync appointments -- which are especially handy to have on my iPhone, but less likely than to-dos to contain sensitive or mission-critical notes -- through Google Calendars and the Calengoo app.
No one, and certainly not Google, is infallible. Like everyone else, I hope that Apple will eventually get it exactly right, but their track record from iTools through .Mac and MobileMe would seem to suggest that it may take a while. So for now I'll continue to sync the really important stuff over my own LAN.
I've had 4 instances of phantom charges that appeared on my account. I, too, am very careful about phishing schemes and convinced that I was not a victim of phishing since I changed the password after every one and finally started another Apple ID. I cleared every other Apple ID I have and changed every password even if I haven't used that ID for years. I ensured that only one (my computer) could download the purchase, and those errant purchases would download just fine even though I didn't order them. But what drives me nuts, though, is that Apple immediately discounts any suggestion that it might have been something their system generated. Every time I spoke to them (finally!), they simply wiped out all my account information associated with that Apple ID. It was especially galling that they invalidated my credit card and refused to let me use it again when I set the account back up. I'm on my fourth and last credit card. Every other card I have has been invalidated.
You are a patient man Adam.
My iTunes account was hacked even though I was never asked to contact them. All I ever did was sync a few downloads for two iPhones once. I don't buy music, books, etc on iTunes. First thing I knew was that I had some minor charges from Italy show up. Apple had me lengthen a short ID into a longer one with more restrictions on what was required. But I was definitely never phished. BTW, they quickly removed the charges.
Maybe a 2 step verification option should be made available, similar to gmail?
I'm skeptical that this was a phishing scam because at least one part of this has happened to me months and months ago -- and if it was related to phishing, well, they're running a poor operation because they haven't gotten any of my money yet.
At a certain point, my Apple ID was listed by apple as [current ID]1. That is, they added a 1 to my actual ID, just as described here. My memory's hazy on this point but it may have been right after switching my account to iCloud from MobileMe.
In any case, it took several login attempts and a reset and all kinds of nonsense to get functioning again. Combine that with the way Apple has handled this recent security question issue and as far as I'm concerned, they have a lot of work to make iCloud the best experience it can be. Given their history with online services, I'm not holding my breath.
(And I write this as someone who's used Macs for 20+ years and never bought a Windows machine in my life.)
I have also seen Apple IDs and usernames suddenly cease to work, either when entered programmatically or when pasted from PasswordWallet, but I have been assured that this is completely impossible and is never actually happening. The logical explanation is that the Macintosh is the world's first quantum computer and Apple IDs function like Schrödinger's cat.
For it seems that Apple fails to manage accounts. This is also true for the Keychain utility of OS X. Although it is a step forward, it blindly stores usernames and passwords. OS X lacks an online account manager, even though an online account is used in several places in the OS. Currently, if one changes his password, he has to repeat this several times to update all the occurrences in the keychain. Account management also should be connected with cookie management.
If the quality of additional Apple security is evidenced by the choice of the 5 security questions, heaven help us. I know many highly qualified graduates who have never owned a car. And as for the juvenile questions about favourite teachers/colours/pets/etc, these are non-starters for any mature adult. What idiot have Apple employed to dream up such rubbish? No wonder they have security problems. I won't be rushing to move from MobileMe to iCloud. Any chance of a reprieve?!
It sounds like moving to iCloud may be part of this problem. What can we do if we don't want to move to iCloud? If I do nothing come June whatevereth, what will happen? Will my phone and iPad just stop syncing to my laptop? Will I no longer be able to buy iPhone or iPad apps? Is there an alternative? I'm already so danged confused over Apple IDs.
Apple has said nothing, but frankly, I think not moving would be a mistake. At best, Apple will migrate your MobileMe information to iCloud for you on June 30th. At worst, they'll just delete it. So you may as well move it manually first, while you can do so in a controlled fashion.
I've had four or five Apple IDs go bad since Apple started using the Web for customer contact. Result is condescension from arrogant young fans who imagine I'm a new user. Got my fat Mac right here, boys.
I received the exact same email that Chris Owen did saying that my billing address and/or Credit Card info had been changed. What should I do? I am not tech savvy and would most appreciate an answer in the most basic terms. Thank you for your help.
I think you should do exactly the same thing Chris did, in terms of changing your password and contacting Apple to see what they've done to you.
Last fall my Apple ID became co-mingled with that of another Apple customer. I never got any email about my account being changed. I found out something had gone badly wrong when I tried to update an app in the Mac App Store and it wouldn't take my password.
There was a $50 gift certificate as well as a $10 credit for the gift certificate in my account that was sent to someone I did not know. However, my credit card was never charged nor credited but the erroneous entries were never removed.
iTunes help was worse than useless. The AppleCare people did yeoman's work sorting it out but it took three weeks. The explanation was that it was an iTunes server error.
Until I deleted the information myself I had access to the name, phone number and security question/answer of the other Apple customer. Some of the credit card information was also accessible.
Just to voice my frustration with the Apple IDs. I have two - one for work and one for private use, but I long ago managed to associate my private address used with one of the Apple IDs with the credit card for work and vice versa, which was not really a big problem as long as I remembered to use my private address for company orders. I thought I should "fix" this and asked Apple if it was possible to "swap" e-mail addresses between two Apple IDs (because swapping the credit cards would not be helpful as I already had purchases belonging to both and the purchases cannot be swapped, I believe).
Apple told me it was impossible to "swap" e-mail addresses between two Apple IDs, but after thinking a while I realized that it could be done with a little extra work ... . So despite what Apple said, I managed to get everything just right in App Store, iTunes store, iCloud. BUT, now there is no way else than creating a third Apple ID in order to access the Apple Communities ... .
"The most logical conclusion is that Apple somehow interleaved data from multiple accounts, since that would account for the different address, the American Express card, and the lack of developer privileges. Utterly inexplicable still is the phantom email address that never existed."
I too recently experienced this interleaving problem, and loss of access. A similar charge was made to the other person's account, but I was the one notified in a typical iTunes purchase notice. The process by which I straightened everything out and regained access and control was remarkably similar as well. However, my "journey," once I found no help online, began with a physical visit to an Apple Store Genius Bar. APPLE HAS A SERIOUS PROBLEM SOMEWHERE IN THE APPLE ID AND/OR ITUNES STORE SOFTWARE!
What's a little scary about this is that if two people within the TidBITS community experienced the problem, that implies that it could be hitting quite a few people in general, given the hundreds of millions of people with Apple IDs and iTunes accounts.