Apple pulls a 'BP' in responding to App Store hack

In the wake of the iTunes security breach, Apple takes a page out of BP's "emergency response" manual

Apple has responded to press inquiries about the hacking of iTunes user accounts and fraudulent purchases made through its App Store, but the company has yet to come clean about the extent of the incident or the pressing questions it raises about the security of its application ecosystem.

We wrote about this incident yesterday, citing reporting from The Next Web, which broke the story on Saturday, July 3. The update, as of Wednesday, is that Apple has acknowledged the compromise. In an email response to Tech Watch, Trudy Miller, an Apple spokesperson, said that the company has removed "the developer Thuat Nguyen and his apps" from the App Store "for violating the developer Program License Agreement, including fraudulent purchase patterns."

[ See Paul Roberts' original post: "iTunes hack spotlights shady 'app farms'." ]

Miller assured Tech Watch that "developers do not receive any iTunes confidential customer data when an app is downloaded," though we hadn't posed the question to the company. However, there was no direct response to the question we did ask: What was the source of the breach?

There are a couple of possibilities. One is that Apple's own servers were compromised, yielding login information for iTunes accounts that were then harnessed to buy bogus apps. The other possibility, of course, is that credentials were harvested directly from the hundreds of millions of iTunes users via spam or phishing campaigns, then resold to enterprising app developers. Price your piece of worthless iPhone warez at $25, $50, or $150, or charge for dubious "in game points," as was the case with many of the suspect apps, and you don't need many scalps to realize a good payday.

Whatever the case, Apple is silent on the issue of the source of the breach. As to the size of the breach, there are differing reports. One from Fox and Friends (huh?!) anchor Clayton Morris says that Apple has confirmed 400 accounts breached. The Next Web says it counts more, based on comments to its stories on the breach -- an imperfect tally, at best, but one that suggests the breach could be much larger.
