Reports are appearing this morning about a major security hole in iTunes accounts linked to PayPal. At least one group of scammers has found a way to charge thousands of dollars to iTunes accounts through PayPal. One targeted customer told us, “My account was charged over $4700. I called security at PayPal and was told a large number of iTunes store accounts were compromised.” His email was filled with nearly 50 receipts from PayPal for $99.99 each. (Update: they were for “CastleCraft, Dragon Crystals (10000 Pack), Seller: Freeverse, Inc”). He was able to catch it before his bank disbursed funds to PayPal.

But others were not so lucky. A quick search of Twitter and Facebook shows that the problem is not isolated. Joey Bruce on Twitter laments:

Someone hacked my iTunes/paypal acct and drained everything from my bank account. Life is kicking me in the balls while I’m down.

A search of public status updates on Facebook uncovers more people with the same issue:

Darn…what a day! Someone hacked into my itunes account and bought a crap load of downloads and emptied out my paypal account….grrrrr. . . . Paypal is very cooperative but there is just about no way to get ahold of itunes. I did call paypal and they assured me that they had contacted itunes and it was going to be taken care of in my favor. so apple/itunes had a security breach & someone bought over $500 worth of music through my paypal account. just what i wanted 2 b dealing w/ while in San Diego! AWESOME!!! Everybody watch your itunes account closely. I just got hacked for almost $1000.00 worth of software, videos and music. Hopefully paypal will refund it all. . . . This happened within the last few hours. Once transaction after another.

At least PayPal is aware of the issue, but it seems like the problem is on the iTunes side.

Update: Apple is in spin mode now and several follow-up reports blame the users for being the subject of a run-of-the-mill phishing scam. While that may be the case (and so far these incidents don’t seem to be very widespread), there are still some things which don’t add up. According to the targeted customer above, in his discussions with PayPal it was clear that PayPal believed the problem was with iTunes. There is a direct billing relationship between PayPal and iTunes, and somehow that was being exploited. If it was simply that his PayPal account was compromised, then a smart scammer would spread the false charges from a variety of sources, not only iTunes. The other reported incidents seemed to follow this same pattern.

Also, he received 46 receipts from Apple itself, noting the same charges for the same items (see the screenshot I added below). I’ve looked at these and compared the header information to legitimate Apple receipts and they appear to be the same. So it was definitely going through iTunes.

That said, there are many iTunes accounts linked to PayPal, and many ways those accounts can be compromised. It could be something as simple as stolen passwords. There is certainly no indication from Apple that there is anything out of the ordinary. If the same thing has happened to you, please share your experience in comments.

Below is a statement from a PayPal spokesperson:

I can confirm that the PayPal system itself has not been compromised, and we haven’t seen any fraudulent or unauthorized logins to the actual PayPal accounts affected by this issue. Unauthorized charges sent through PayPal are being reimbursed.

And from Apple:

We’re always working to enhance account security for iTunes users. If your credit card or iTunes password is stolen and used on iTunes you should contact your financial institution about chargebacks for any unauthorized purchases, and be sure to change your iTunes password right away. For tips on protecting your account security visit www.apple.com/support/itunes.

Update 2: An Apple spokesperson who checked into the issue responds: “I can tell you that iTunes has not been hacked. Our servers have not been compromised.”