Apple Developer Portal Hacked

Soldato | Joined 17 Jan 2007 | Posts 8,944 | Location Manchester
It appears Apple have suffered a compromise, and developer personal information has been stolen. There is evidence that this information is already being used to try to crack people's accounts.

We’ll be back soon.

Last Thursday, an intruder attempted to secure personal information of our registered developers from our developer website. Sensitive personal information was encrypted and cannot be accessed, however, we have not been able to rule out the possibility that some developers’ names, mailing addresses, and/or email addresses may have been accessed. In the spirit of transparency, we want to inform you of the issue. We took the site down immediately on Thursday and have been working around the clock since then.

In order to prevent a security threat like this from happening again, we’re completely overhauling our developer systems, updating our server software, and rebuilding our entire database. We apologize for the significant inconvenience that our downtime has caused you and we expect to have the developer website up again soon.

If your program membership was set to expire during this period, it has been extended and your app will remain on the App Store. If you have any other concerns about your account, please contact us.

Thank you for your patience.

I don't believe that Apple have indicated exactly what "encrypted" means, nor have they offered any sort of remediation advice, so just be cautious of potential phishing emails and of course change your password.
 
Surely if you yourself don't know what "encrypted" means then I would guess you should have no interest in the Apple developer program?

Also, your emails are much more easily available from other sites, so why go through the trouble of hacking Apple?

These guys were just doing it for the lols
I doubt there was much criminal intent

Everyone should always be cautious of phishing emails. Now is no different.
 
It sounds to me like theheyes knows what he's talking about, and that you don't.

The issue isn't "oh, what does encryption mean?" - the question is "What was the encryption used?" Because if the passwords were "encrypted" with ROT13 or MD5, it's a very different proposition to if they were encrypted as salted SHA-512 or Blowfish/AES encryption.
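To make the distinction in the post above concrete, here is an added example (not part of the original thread or anything Apple has published) contrasting the two kinds of storage it names: a single fast, unsalted MD5 digest versus a per-user salted, iterated SHA-512 digest (PBKDF2-HMAC-SHA512 from the Python standard library is used here as the "salted SHA-512" stand-in). The user records are constructed for the example; the point it shows is that with unsalted MD5 two users who share a password end up with identical stored values, which makes a leaked table cheap to attack with precomputed tables, while the salted scheme gives every user a distinct record and a deliberately slow check.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample data: two users who happen to have chosen the same password.
USERS: Dict[str, str] = {
    "alice": "correct horse battery staple",
    "bob": "correct horse battery staple",
}


def md5_unsalted(password: str) -> str:
    """The weak scheme: one fast, unsalted MD5 digest per password.

    Identical passwords always produce identical digests, so a leaked table
    reveals shared passwords directly and can be matched against precomputed
    digests of common passwords.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_record(password: str, salt: Optional[bytes] = None,
                  iterations: int = 210_000) -> dict:
    """The stronger scheme: per-user random salt plus iterated SHA-512.

    A fresh 16-byte salt is drawn from the OS CSPRNG for every record, so even
    identical passwords yield different stored digests. The iteration count is
    chosen to make each guess deliberately expensive; it is stored alongside
    the digest so it can be raised later without breaking verification.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}


def pbkdf2_verify(record: dict, candidate: str) -> bool:
    """Recompute the digest from the stored salt and iteration count and
    compare in constant time, so timing does not leak how many bytes matched."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha512", candidate.encode("utf-8"), salt,
                                 record["iterations"])
    return hmac.compare_digest(digest.hex(), record["digest"])


def compare_schemes(users: Dict[str, str], iterations: int = 210_000) -> dict:
    """Store every user's password under both schemes and report how many
    distinct stored values each scheme produced for the user set."""
    md5_values = {md5_unsalted(pw) for pw in users.values()}
    pbkdf2_values = {pbkdf2_record(pw, iterations=iterations)["digest"]
                     for pw in users.values()}
    return {"md5_distinct": len(md5_values), "pbkdf2_distinct": len(pbkdf2_values)}


if __name__ == "__main__":
    # For the two constructed users: MD5 gives 1 distinct value, PBKDF2 gives 2.
    print(compare_schemes(USERS))
    record = pbkdf2_record(USERS["alice"])
    print("alice verifies:", pbkdf2_verify(record, USERS["alice"]))
    print("wrong password verifies:", pbkdf2_verify(record, "not her password"))
```

Note that neither scheme is "encryption" in the reversible sense; password storage should use a one-way, salted, slow hash, which is what the salted SHA-512 option in the post amounts to. Reversible encryption such as AES only helps if the key was not reachable from the compromised system, which a breach notice rarely states.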
 
I was being kind not to point out that what I was getting at obviously whistled straight overhead, but since you mention it, yes, you're absolutely right.
 
Have Apple come out and acknowledged that it was indeed this security researcher that was the issue? They made it sound as if someone had already tried to misuse the stolen information, yet the researcher claims not to have used it in anger at all. He also claims to have warned Apple about what he was about to do and how.
 
They've not said much of anything to be honest. A lack of information and the process of performing a complete system "do over" means that they've clearly been spooked.

A measurable increase in password reset activity and targeted phishing emails suggest that whatever happened had some sort of malicious component. It's a pretty unlikely coincidence if you ask me.
 