Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

Scammers steal from PayPal accounts through users of iTunes [u]

A phishing scam relies on hijacking users' iTunes accounts linked to PayPal, giving thieves the ability to drain money from someone's online account [updated].

Update:Various users have reported being charged thousands of dollars through the scam, in which the charges are made to an iTunes account through PayPal. While the problem was reported as a "major security hole" associated with iTunes accounts by TechCrunch Monday, John Paczkowski of Digital Daily reported that it's actually a phishing scam that's been around for some time.

"Sources close to Apple tell me iTunes has not been compromised and the company isn’t aware of any sudden increase in fraudulent transactions," he wrote.

PayPal has said it is reimbursing customers for the fraud, but added that the problem "is happening on the iTunes side." Further questions about the scam were referred to Apple.

An Apple spokesperson told the San Jose Mercury News that the company is aware of the problem.

"Among other new security measures iTunes now requires more frequent re-entry of a customer's credit card security code," the spokesperson said. "But if your credit card or iTunes password is stolen and used on iTunes, we recommend that you contact your financial institution and inquire about canceling the card and issuing a charge-back for any unauthorized transactions. We also recommend that you change your iTunes account password immediately."

Earlier this summer, iTunes was hit by developer and account fraud, which some developers used to boost their sales rankings. Apple said, in that incident, that only 400 accounts were compromised of the more than 150 million active iTunes users.

This month, Apple also bolstered the security of its Apple ID accounts, which are shared by iTunes. Users must verify their account information when they log into new devices, and new iTunes account passwords must have at least 8 characters with mixed capitalization.