Following reports from Chinese mobile payment companies Alipay and WeChat that some of their customers who use Apple devices had lost money, Apple today apologized and confirmed that stolen Apple IDs were the subject of a hack. “We are deeply apologetic about the inconvenience caused to our customers by these phishing scams,” Apple said in a statement (via the WSJ), describing the issue as limited to “a small number of our users’ accounts.”
According to Apple, the hacked users had not been using two-factor authentication, a system in which both a password and a second verification, such as a code sent by text message, are used to protect account details. As it has done in the past, including through messages delivered in the Settings app, the company advised users to turn on two-factor authentication to protect their accounts.
While there aren’t many specific details about how the hack took place, users who were compromised unwittingly exposed their Apple ID data, including email addresses, passwords, and payment details. Chinese media reported that the hackers used the accounts to make unauthorized purchases, a particular issue in China, where many users link their Apple IDs to the Alipay and WeChat payment systems, which are operated by Chinese commerce giants Alibaba and Tencent.
As such, the damage likely extended beyond app purchases into other goods. Collectively, the systems reportedly handle around $15 trillion annually in Chinese mobile transactions, including payments for everything from online shopping and restaurants to transportation and utility bills.
Prior to Apple’s apology, reports suggested that some per-user losses on Alipay amounted to hundreds of U.S. dollars, and Alipay told users to reduce the amounts that could be transferred from their accounts without a password. The company also said it had asked Apple “multiple times” to determine what had happened with the thefts. Apple’s response comes around a week after the Chinese hacking reports first surfaced.