iTunes/PayPal scam is due to phishing, not a bug?

A recent flurry of iTunes customers’ reports that their accounts must have been hacked and used to execute purchases via PayPal that occasionally total up to thousands of dollars, has raised the question of whether Apple’s App Store has again suffered a breach.

But, as it turns out, Apple is not to blame in this case. The company claims that there is no security hole in iTunes, and that the users in question must have fallen for a phishing scam.

According to Charles Arthur, some of the victims insist that they have never given out their iTunes or Paypal account credentials before checking that the website requesting them is legitimate. At this time, the theory that these users have been recycling usernames and accounts – using the same combination for a number of online services, some of which could have been hacked more easily – is the more likely one.

In any case, if you notice any unauthorized purchases made from your iTunes account, consider it compromised and reset the password. While you’re at it, reset the password on your PayPal account, too. Notify both services and ask them to block the payments (if possible).

Apple has recently improved App and iTunes Store security measures, requiring more frequent re-entry of a customer’s credit card security code. But, this is obviously not enough – the smartest thing to do here would be to remove all automatic payment options. Apple will probably pass on that, but users should consider it.