From CNet (and my inbox, as a member of the developer program):
Last Thursday, an intruder attempted to secure personal information of our registered developers from our developer website. Sensitive personal information was encrypted and cannot be accessed, however, we have not been able to rule out the possibility that some developers’ names, mailing addresses, and/or email addresses may have been accessed. In the spirit of transparency, we want to inform you of the issue. We took the site down immediately on Thursday and have been working around the clock since then.
One of my fellow TidBITS writers noted the disruption on our staff list after the site had been down for over a day with no word. I suspected a security issue (and said so), in large part due to Apple’s complete silence – even more than usual. But until they sent out this notification, there were no facts and I don’t believe in speculating publicly on breaches without real information.
Three key questions remain:
- Were passwords exposed?
- If so, how were they encrypted/protected? A purpose-built password hash, or something unsuited to the job, such as a plain SHA-256 digest?
- Were any Apple Developer ID certificates exposed?
Those are the answers that will let developers assess their risk. At this point assume names, emails, and addresses are in the hands of attackers, and could be used for fraud, phishing, and other attacks.
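As an added illustration of the hashing question above (example code written for this page, not from the post or from Apple): a plain SHA-256 digest beside a salted, iterated PBKDF2 derivation, showing why the first is unsuited to password storage. The iteration count, the sample password and the timing window are assumptions for the demo.

```python
import hashlib
import hmac
import os
import time

# Illustrative values only (assumptions for this demo), not a recommendation
# for any real deployment.
PBKDF2_ITERATIONS = 200_000


def sha256_digest(password: str) -> str:
    """Fast, unsalted hash: identical passwords yield identical digests, so a
    leaked table can be matched against precomputed guesses at hardware speed."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_pbkdf2(password: str) -> dict:
    """Per-user random salt plus a deliberately slow derived key.  The same
    password stored twice produces two different records."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "iterations": PBKDF2_ITERATIONS, "dk": dk.hex()}


def verify_pbkdf2(password: str, record: dict) -> bool:
    """Recompute with the stored salt/iterations; constant-time compare."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(dk.hex(), record["dk"])


def evaluations_per_second(fn, password: str = "correct horse", seconds: float = 0.2) -> float:
    """How many times fn(password) can be evaluated in the window; this is the
    rate at which a guess could be checked against a leaked record."""
    count, end = 0, time.perf_counter() + seconds
    while time.perf_counter() < end:
        fn(password)
        count += 1
    return count / seconds


if __name__ == "__main__":
    pw = "hunter2"  # constructed sample password
    print("sha256 digests equal for same password:",
          sha256_digest(pw) == sha256_digest(pw))
    a, b = store_pbkdf2(pw), store_pbkdf2(pw)
    print("pbkdf2 records differ for same password:", a["dk"] != b["dk"])
    print("verify ok:", verify_pbkdf2(pw, a), " wrong pw:", verify_pbkdf2("hunter3", a))
    print(f"sha256 guesses/s ~ {evaluations_per_second(sha256_digest):,.0f}")
    print(f"pbkdf2 guesses/s ~ {evaluations_per_second(store_pbkdf2):,.0f}")
```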
One Reply to “Apple Developer Site Breached”
If that Ibrahim Balic story is true, I am afraid he managed to get himself into some trouble.
His comment on TechCrunch: http://techcrunch.com/2013/07/21/apple-confirms-that-the-dev-center-has-potentially-been-breached-by-hackers/?hubRefSrc=permalink#lf_comment=87472293
YouTube video: http://www.youtube.com/watch?v=q000_EOWy80&feature=player_embedded
You’re deep in the muddy waters of gray areas when you go ahead and obtain private data from a company, data that contains private information, and you post some of that on YouTube without blurring the names and email addresses.
The good news, if this is true (it could certainly be faked with ease), is that it doesn’t seem to have anything to do with passwords or certificates/keys.
Now, when is the first phishing campaign on Apple devs going to start? Once you can target those you can probably manage to push out malware in someone else’s name, but it would still have to go through the approval process so it has to be hidden in a functional app…