People are seeing thousands of dollars being taken from their PayPal account apparently via the iTunes Store. At first, it was thought to be an iTunes hack. But it is probably not. The more likely culprit is that your paypal account got "phished" via a scam email - you know, the kind that look like they are from PayPal but they actually are not? And then you click on the link in the email to "log in" or "reactivate" your account - but you are at a fake site that looks like PayPal and yet it is not. And now the "phisher" has your paypal account info and can proceed to buy things with that account.
One customer said his account was charged over $4700 in the iTunes store and when he called PayPal he was told a large number of iTunes accounts were compromised. People who were scammed say that the receipt claims it was for the purchase (at $99.99 a time - a clever move by the scammers, aiming to get it underneath the credit card "suspicion" level and also below the automatic level where the merchant has to bear the cost of reversing the payment) of "CastleCraft, Dragon Crystals (10000 Pack), Seller: Freeverse, Inc)". There is no product called "Dragon Crystals" and they don't come in 10,000 packs.
It is now emerging that it was their paypal accounts that were compromised (and I guess the hackers just really like iTunes). Not iTunes.
This can not be said enough (and so we say it again): be absolutely sure before you enter critical data such as your username and password onto any site. And when logging into a site, never go to the site from an email login link - put the real site url in your browser 'location' field and go there independently of any links in an email and then log in.