Last night, I was sitting around with friends enjoying the evening and happened to check my e-mail. To my surprise, I had received two e-mails from PayPal with the subjects "Receipt for Your Payment to iTunes Store." That's funny -- I hadn't bought anything on iTunes in over a week, and the last charge had already hit my account days ago.

Imagine my horror when I logged into the Account Management section and saw this: repeated charges totaling $95.30, split into two equal parts. Worse yet, it was for a game I had never downloaded, Sega's "Kingdom Conquest." Somebody had repeatedly purchased 1,200 CP (which I'm guessing is in-game credits) within the app at $8.99 apiece.

That's not good... at all.

Horrified, I rushed to change everything I possibly could related to iTunes. First, I changed my Apple ID to a different e-mail, and then my password. If you can believe it, as I was doing this another e-mail came through with yet another charge! $9.53 on this one -- yep, another purchase of 1,200 CP to Sega!

This was the last straw. Now panicked, I totally removed my PayPal information from iTunes. On PayPal, I changed my password and disputed every charge that had gone through. But what I found next was shocking.

(Image: just one of the receipts in my purchase history)

A Widespread Problem?

Kingdom Conquest's page on the iTunes Store includes dozens of similar reports. From what I can tell, most of the reports are clustered around the holiday weekend, although I was able to locate complaints as far back as May 17. My case seems especially severe: the average amount bilked was around $43 or so, but the charges vary quite widely.

Worse yet, it appears that these fraudulent charges are occurring across a wide range of iTunes users; owning an iPhone was not a prerequisite. This is especially concerning because it seems to indicate that this may be a wider compromise of iTunes itself -- or even PayPal -- since whoever is doing this somehow has access to account information.

Sega recently touted that Kingdom Conquest had reached 1 million downloads in the App Store. I'm wondering how many of those were really genuine installs and not some hacker attempting to pilfer credits out of accounts that don't belong to them.

Sega knows about it, Apple has been quiet

Betanews has requests out for comment to both Sega and Apple, but neither has responded as of press time. I've chosen not to hold off for comment because I believe that, from what I'm seeing, this hack could be relatively widespread and fairly dangerous -- and knowledge is power, as they say.

Sega is apparently aware of it, according to a post in the official Sega forum. "We are currently investigating this claim as well as some others," Administrator FrankFrank wrote in response to a complainant. "Allow me to state very clearly that SEGA and Kingdom Conquest are not acting maliciously in any way. It is in no way possible for this game to charge an iTunes account without someone installing the app, logging into that iTunes account with valid credentials and then choosing to make a purchase."

Note what that statement implies: if the game can only charge an account after someone logs in with valid credentials, then whoever made these purchases had working Apple ID credentials for each victim, whether obtained through a breach, phishing or password reuse. So, the fix appears to be Apple's to make. Could the Cupertino company have been subject to a significant hack of its systems, one that could have opened customers to fraud they might not even know about until after the fact? It's quite worrisome. There was a problem with counterfeit gift card numbers in early 2009.

If you are a victim of this hack, Betanews wants to hear from you. Please send me a message personally: ed at edoswald dot com. Hopefully, Apple and Sega will address this issue soon.