Tags: Platform Accountability, Consumer Protection, Digital Payment Liability

Should game companies be held liable for unauthorized Apple ID transactions?


January 7, 2026

Summary

This article examines whether game companies should be legally responsible for unauthorized Apple ID transactions. As cases of minors making accidental purchases and accounts being fraudulently charged continue to rise, disputes increasingly focus on where responsibility lies between platforms and game developers. The article notes that Apple operates a closed payment ecosystem through Apple IDs and directly controls user authentication, billing, and payment processing, making Apple the core controller of the transaction from both a technical and contractual perspective. However, game companies, as providers of digital content, directly profit from these transactions and design in-game systems that encourage spending, which may impose on them a duty of reasonable care in certain situations. The article argues that liability should not be treated as a simple either-or question, but should depend on factors such as whether manipulative design, inadequate payment warnings, or poor dispute handling are involved.

In recent years, incidents of unauthorized charges via Apple IDs have occurred frequently. When users suffer financial losses from in-game purchases because their accounts were compromised, they often direct their claims at the gaming company and demand compensation. However, from the perspective of legal principles and the apportionment of liability, gaming companies are generally not liable in such cases. This article systematically sets out the rationale for the non-liability of gaming companies by examining legal obligations, the liable parties, user negligence, and the burden of proof.

PART 1

Gaming Companies Are Not the Directly Liable Parties in Unauthorized Charging Incidents

1、Gaming Companies Provide Technical Services and Are Not Participants in the Payment Process

As application developers, the core obligation of gaming companies is to provide game services that meet regulatory standards, not to guarantee the security of a user’s payment accounts. When a user completes a purchase through the Apple App Store or another third-party payment platform, the payment process is executed jointly by Apple, the payment service provider, and the bank. Should financial loss occur due to unauthorized charges, the directly liable parties are the perpetrator (the "unauthorized charger") and any payment platform or bank that failed to fulfill its security guarantee obligations.

2、In-game Consumption Behaviors Lack a Direct Causality with Unauthorized Charging

The essence of unauthorized charging is the transfer of property executed after illegally obtaining access to a user’s payment account; it has no inherent nexus with the game services provided by the gaming company. Even if a user purchases in-game items, the transaction instructions are issued by the user’s own account. The gaming company serves merely as the terminal service provider of the transaction channel and does not participate in the transaction decision-making process. Consequently, there is no direct causality between the gaming company's actions and the user’s loss.

PART 2

Gaming Companies Have Fulfilled Reasonable Security Guarantee Obligations

1、Technical Perspective: Inability to Intervene in User Account Security

Gaming companies have no direct control over, and no capacity to monitor, a user’s sensitive information such as the Apple ID or payment password. Even if a user enables Two-Factor Authentication (2FA), unauthorized charges can still occur through channels such as phishing websites or trojan malware, because the second factor is entered by the user and can be phished or relayed like the password. Imposing on gaming companies a security liability that exceeds their technical capabilities would be manifestly unfair.

2、Contractual Perspective: Explicit Obligations for Users to Safely Maintain Accounts

Service agreements entered into between users and gaming companies typically contain explicit covenants requiring users to properly safeguard their own account and payment information. If unauthorized charging occurs due to the user’s own negligence (such as password leakage or failure to enable 2FA), the liability shall be borne solely by the user.

PART 3

Liability Should Primarily Rest with the Perpetrator and the Payment Platforms

1、The Perpetrator is the Direct Tortfeasor, and the Victim May Seek Recovery via Criminal Proceedings

Under the relevant provisions of the Criminal Law, unauthorized charging may constitute the crime of theft, and the perpetrator bears liability for restitution. In practice, many victims have recovered their losses through criminal restitution procedures, which further confirms that primary liability rests with the perpetrator.

For instance, in August 2022, a defendant (Li) fraudulently obtained a victim's Apple ID password and 2FA code, subsequently executing unauthorized charges exceeding 13,000 RMB via the victim's password-free payment feature. Following a criminal investigation and arrest by the Putuo District Police in Shanghai, the Putuo District People’s Procuratorate initiated a public prosecution against Li in May 2023. By June 2023, the victim received the restitution funds transferred from the Putuo District People’s Court. Li was sentenced to eight months of imprisonment for the crime of theft and fined 2,000 RMB.

2、Payment Platforms Must Fulfill Risk Control Obligations

Apple, along with third-party payment institutions such as Alipay and WeChat Pay, bears a duty for real-time monitoring of abnormal transactions. If unauthorized charges occur due to lapses in risk control (e.g., failure to intercept high-frequency small-amount transactions or failure to implement restrictive measures on dense, short-term transactions), Apple and the third-party payment institutions should be held liable for the aggravation of the user's losses.
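The risk-control lapses named above (uncaught bursts of small transactions, no restriction on dense short-term spending) are what a payment-side velocity check is meant to catch. The following is an added example, not code from the article or from Apple or any payment institution: a sliding-window rule set over constructed purchase events for a single account. The window length, counts and amount thresholds are assumed illustrative values, and the sample accounts and amounts are constructed for the example. The same window logic also shows why a low password-free payment limit reduces exposure: the `window_cap` rule is the cumulative check that such a limit enforces at the user's end.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Purchase:
    ts: int        # Unix time in seconds
    account: str   # the paying account (an Apple ID in the article's scenario)
    amount: float  # charge in RMB


def evaluate(purchases, window_seconds=600, max_count=5,
             small_amount=50.0, max_small=3, window_cap=1000.0):
    """Replay purchases in time order and flag those a risk-control layer
    should hold for step-up verification. Thresholds are assumed values:
      dense_window       more than max_count charges in the window
      small_amount_burst more than max_small charges at or below small_amount
                         in the window (the "high-frequency small-amount" pattern
                         used to stay under per-transaction confirmation limits)
      window_cap         cumulative spend in the window above window_cap
    Returns a list of (account, ts, reasons) in time order."""
    per_account = defaultdict(deque)
    flagged = []
    for p in sorted(purchases, key=lambda x: x.ts):
        q = per_account[p.account]
        # drop events that fell out of the (ts - window, ts] window
        while q and q[0].ts <= p.ts - window_seconds:
            q.popleft()
        q.append(p)
        reasons = []
        if len(q) > max_count:
            reasons.append("dense_window")
        if sum(1 for x in q if x.amount <= small_amount) > max_small:
            reasons.append("small_amount_burst")
        if sum(x.amount for x in q) > window_cap:
            reasons.append("window_cap")
        if reasons:
            flagged.append((p.account, p.ts, tuple(reasons)))
    return flagged


# Constructed sample data (not real transactions):
#   user_a: ordinary spending, two purchases half an hour apart
#   user_b: eight 30 RMB charges within 140 seconds, the burst pattern
#   user_c: two 648 RMB charges one minute apart on a high password-free limit
SAMPLE_PURCHASES = [
    Purchase(0, "user_a", 68.0),
    Purchase(1800, "user_a", 648.0),
    *[Purchase(3600 + 20 * i, "user_b", 30.0) for i in range(8)],
    Purchase(7200, "user_c", 648.0),
    Purchase(7260, "user_c", 648.0),
]


def accounts_flagged(purchases=SAMPLE_PURCHASES):
    """Map each flagged account to the set of rules it tripped."""
    out = defaultdict(set)
    for account, _ts, reasons in evaluate(purchases):
        out[account].update(reasons)
    return dict(out)


if __name__ == "__main__":
    for account, ts, reasons in evaluate(SAMPLE_PURCHASES):
        print(f"{ts:>5} {account:8} {', '.join(reasons)}")
```

Running the block flags user_b from the fourth small charge onward and user_c on its second large charge, while user_a is never touched; a platform that applies rules of this kind can hold the flagged charges for confirmation, which is the risk-control obligation the article says Apple and the third-party payment institutions carry.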

PART 4

User Negligence as a Key Factor in the Incurrence of Losses

1、Failure to Enable Two-Factor Authentication (2FA)

Apple has repeatedly emphasized that enabling Two-Factor Authentication (2FA) is an effective measure to prevent account theft. If a user fails to enable this feature, they remain vulnerable to losses resulting from unauthorized logins, even if the payment platform or bank has fulfilled a portion of its risk control obligations.

2、Improper Selection of Payment Methods and Voluntary Assumption of Risk

When a user opts to bind password-free payment (autopay) services and sets high transaction limits, they significantly escalate the risk of unauthorized charges. Pursuant to Article 57 of the E-Commerce Law, a payment platform is liable for unauthorized payments only when it is at fault. By actively selecting password-free payment, the user's conduct constitutes a voluntary assumption of risk.

Furthermore, in many practical cases, users suffer unauthorized charges because they misplaced their trust in scammers and performed authorized actions (such as providing 2FA codes) via online interactions. In such instances, the user must bear primary liability for their own gross negligence.

PART 5

Allocation of the Burden of Proof: No Fault on the Part of the Gaming Company

1、The Principle of "He Who Asserts Must Prove"

In civil litigation, the party claiming compensation bears the burden of proving that the liable party is at fault. If a user seeks compensation from a gaming company, they must provide evidence demonstrating that technical vulnerabilities or managerial negligence on the part of the company directly led to the unauthorized charges. However, in typical unauthorized charging scenarios, the gaming company is not at fault, making it impossible for the user to satisfy this evidentiary requirement.

2、Limitations on the Probative Value of Police Filings

In some cases, insurance companies deny claims or payment platforms shift responsibility because the police filing receipt (Certificate of Case Filing) records the incident as "fraud" rather than "unauthorized charging" (theft). Even if a user asserts that unauthorized charges occurred, they may still lose the case due to insufficient evidence if they fail to provide substantial proof, such as records of abnormal IP logins.

Final Thoughts

In cases of unauthorized Apple ID transactions, game companies are neither the directly liable party nor in breach of statutory security obligations; their responsibility is strictly confined to the scope of technical provision and contractual agreement. As the primary custodians of their accounts and payment information, users should mitigate risk by enabling two-factor authentication and capping the amount available to password-free payment. For loss recovery, claims should first pursue criminal restitution against the perpetrator, or hold the payment platforms accountable under the E-Commerce Law. Shifting responsibility to game companies lacks legal basis and violates fairness principles. Only by clearly defining the boundaries of responsibility for all parties can a safer and more equitable digital consumption environment be built.

