Apple Store Breech of Security

[PACPhD]

7 months ago I took my iMac 27 to the Apple store when the hard drive died. It was covered under AppleCare. When I dropped it off I was asked to write my master login and password on the store form in case they needed it. I felt a little uncomfortable but they said they had to have it. I picked the computer up a week later as I was away on business. Two nights later I received an email from Walmart thanking me for my two purchases of XBox Gold Membership cards. I called them and advised them I didn't even know what a gold card was as I do not play video games. They said I purchased them with my Amex card on the Walmart site. Interesting enough, my login name and password on my computer and Walmart is the same.

I had to close all of my credit cards, change all of my email accounts, web logins, etc. It was a nightmare. I called the store and spoke to the manager. She said this was way over her head and she needed to call corporate and get them involved. She would call me back in 2 days. A week later I called and she said she was working on it. Another week I went there and she said the same thing. I called a month later and the next manager said he knew nothing about it but would get right on it. A month later I never heard back. I spoke to another manager and he gave me the names of three managers (I found out there are 9 managers at one store). Fast forward 7 months. I have called Apple headquarters in California and they forwarded me back to the managers at the store. I have forwarded my Walmart purchases, and just sent an email asking where they are at with at least an investigation. They tried telling me they never ask for a password. I told them I was given an Apple form which asked for it. And also advised I have never given my login name or password to anyone.

So I have 2 Macs, AppleTV, AppleExpress, 2 iPads and 4 iPhones as well as a lot of Apple stock. And I have come to the realization that Apple just doesn't care. It's a shame, as I always was proud to have been such a loyal customer. I guess that's what happens when you get this big.

 

[pigoo3]

Sorry to hear about the unfortunate things that happened. An interesting (but unfortunate) story to read.

For what it's worth...I think that what happened was so much time (7 months) had gone by...that the original folks dealing with the problem either:

- could not be found
- no longer worked for Apple
- or they couldn't even remember what originally happened

Or...the "ball" got passed so many times...and so much confusion caused by the "passing of the ball"...that no one could recall all of the original facts.

I like to be optimistic that this "security breach" was due to one "Bad Apple" working for Apple...and certainly not an indication of the professionalism of all Apple employees. I'm sure that you would agree that no company or organization is 100% free of "bad eggs"...and so things like this can & will unfortunately happen from time to time.

I hope that you were able to correct your finances...and that the "security breach" was closed! Thanks again for sharing!!!

- Nick

 

[Stretch]

There is a reason why it's recommended to have unique passwords for everything. Nothing should share a password with anything else. This is half the fault of the person that took the computer in, but also half your fault for using the exact same username and password on multiple services.

 

[chscag]

I have to say the OP did not use good common sense probably because he never thought he would be compromised. Also, there's no way the Apple store needed his login password when it was obvious the hard drive had to be swapped out. They only needed a password if he set one for the EFI. (Firmware password.)

 

[vansmith]

7 months ago I took my iMac 27 to the Apple store when the hard drive died. It was covered under AppleCare. When I dropped it off I was asked to write my master login and password on the store form in case they needed it. I felt a little uncomfortable but they said they had to have it. I picked the computer up a week later as I was away on business. Two nights later I received an email from Walmart thanking me for my two purchases of XBox Gold Membership cards. I called them and advised them I didn't even know what a gold card was as I do not play video games. They said I purchased them with my Amex card on the Walmart site. Interesting enough, my login name and password on my computer and Walmart is the same.

This could very well be a moment of correlation and not causation. Although you had recently given your credentials to an Apple employee, you didn't provide credit card information or any indication that you had a set of logic credentials for Walmart. I'm not suggesting that it's impossible but it's also not indicative of causation (beyond doubt).

Second, this is not Apple's fault. If the employee did steal the credentials and engage in fraud, it was of their own doing, not Apple's. Yes, Apple may have dropped the ball in being a little slow in responding to this issue but ultimately, they are not at fault here so you're misplacing blame.

 

[CrimsonRequiem]

That's why I have two admin accounts. One for the Apple store and one that I use everyday.

Also I never store any passwords, credit cards on my computer. If you do use something like 1Password.

Something similar happened to my dad. Went in with his iPhone the next thing he knows he has 1000 dollars worth of music and apps being charged to his iTunes account. He isn't very careful to begin with. I suggested that he change his password every month. No problems since.

 

[PACPhD]

I do happen to use 1Password. As far as using different logins and passwords, at work (medical) alone I have 8 different logins and passwords with different criteria. How many "master passwords" can one actually remember??? I have brought my products in to Apple in the past so I never expected to be asked for a login or password. And in my own home never thought it an issue. When they got into my Walmart account I had my Amex gold card on file. The interesting thing is I didn't have the security code listed and they used my old address listed in the account and Walmart let the order go through.

 

[chscag]

The interesting thing is I didn't have the security code listed and they used my old address listed in the account and Walmart let the order go through.

I've had security breeches twice with Wal-mart. Once, they let it go through and I had to have my bank interfere and get my money back. But the second time, Wal-Mart called me and asked me if the charge was correct. I responded no and they killed it. Both times it caused me to have to cancel my credit card and get issued another.

I spoke with Wells Fargo security (my bank) and they told me that credit card fraud was rampart. The thieves use credit card duplicators which can randomly create a credit card with the correct numbers and authentication. They don't have to know your name or anything else about you to hack into your account that way.

 

[vansmith]

I spoke with Wells Fargo security (my bank) and they told me that credit card fraud was rampart. The thieves use credit card duplicators which can randomly create a credit card with the correct numbers and authentication. They don't have to know your name or anything else about you to hack into your account that way.

From a security standpoint, credit cards are quite possibly the most insecure method of payment on the planet. Online, you only need the number. At stores, you only need the actual card if you use PayPass. I find this so bothersome - all someone has to do is possess my credit card and they can get away with purchasing goods. Granted, PayPass is limited to $50 a transaction but make a few of those in a row and you can build up a bill pretty quickly.

 

[TattooedMac]

I do happen to use 1Password. As far as using different logins and passwords, at work (medical) alone I have 8 different logins and passwords with different criteria. How many "master passwords" can one actually remember???

Well if your using 1Password, then you only have to remember the 1 Master Password, and thats the 1 to gain access to 1PW. As it is 1 PW can generate any of yoour logins and its just a matter of cmd + \ key for it to open with the Safari Extension and then enter yoiur Master Password

Granted, PayPass is limited to $50 a transaction but make a few of those in a row and you can build up a bill pretty quickly.

ANd on a teachers wage, you would be screwed