Chinese Auction Site Selling Stolen iTunes Accounts

Posted on January 6th, 2011 by

Some 50,000 stolen iTunes accounts are for sale on a Chinese auction site, according to the BBC. TaoBao, a popular Chinese auction site, lists stolen iTunes accounts and sells them for "temporary access to unlimited downloads from the service for as little as 1 yuan (10p) a time." Listings tell users that they will likely be able to access the accounts for only 12 hours before they are shut down.

Most likely, the account information was not obtained by hacking into Apple's servers, but rather by phishing or Trojan horses. Once someone has obtained an Apple ID (used for an iTunes Store account) and its password, they can buy any type of content on the iTunes Store as long as the account has credit or is set up with a credit card. The accounts most likely get shut down once irregular activity is seen, hence the 12 hours that the sellers suggest buyers will have to make purchases.

A French site reports today that phishing attempts are being made via iChat. In the example they show, the phishing page asks for an Apple ID and password, and this information could be used to access an iTunes Store account as well.

For all of these reasons, users should protect themselves against phishing and malicious websites (using the powerful features in Intego VirusBarrier X6), and should keep a close watch on their credit card statements. If they find unexpected charges, they should immediately change the password for their Apple ID, and then follow up with Apple and their credit card company.