Apple admits Developer Center was hacked, after days of silence

Apple Apple’s Developer Center has been down since last Thursday, frustrating programmers keen to get their mitts on the latest beta downloads of iOS 7 and OS X Mavericks, development tools and other goodies.

Initially, Apple said that the site, which can only be accessed by paying Apple developers, was “down for maintenance”.

As the downtime continued into the weekend, suspicions were raised that something bad had happened, as unplanned downtime due to maintenance is hardly typical of the Cupertino firms’s normally slick operations.

Now, after some days of silence, Apple has admitted that its systems fell victim to hackers.

Apple Developer Center

Part of the message reads:

Last Thursday, an intruder attempted to secure personal information of our registered developers from our developer website. Sensitive personal information was encrypted and cannot be accessed, however, we have not been able to rule out the possibility that some developers’ names, mailing addresses, and/or email addresses may have been accessed. In the spirit of transparency, we want to inform you of the issue. We took the site down immediately on Thursday and have been working around the clock since then.

In order to prevent a security threat like this from happening again, we’re completely overhauling our developer systems, updating our server software, and rebuilding our entire database. We apologize for the significant inconvenience that our downtime has caused you and we expect to have the developer website up again soon.

Clearly there was some type of vulnerability on Apple’s Developer website that allowed the hacker to have unauthorised access if the company is concerned that developer information could have been stolen.

According to MacWorld, Apple has confirmed that although developers’ names, addresses and email addresses could have been accessed by the hackers, customer information was not breached and the attackers did not have access to the servers where apps are stored.

It’s obviously disappointing that, “in the spirit of transparency”, Apple didn’t acknowledge the hack earlier – as it could have put users on their guard against possible follow-up attacks against them such as phishing campaigns.

Although it’s easy to feel upset about the tardy way in which Apple has dealt with this security issue publicly, we shouldn’t forget that they are also victims here. An unknown hacker has commited a crime by breaching the company’s systems and accessing the data without permission, and it is to be hoped that Apple is working with the computer crime authorities to bring them to justice.

Since the incident, some users have reported that they have received unauthorized Apple ID password reset emails – although it is unclear whether this is unconnected to the security breach.

Sign up to our free newsletter.
Security news, advice, and tips.

Mac and iOS app developers would be wise to be on their guard about suspicious emails that they receive in the coming days, and – as a precaution that *every* internet user should follow – ensure that every password they use on the internet is unique (no more “same password for different websites”), and hard-to-crack.

Further reading: Was Ibrahim Balic the man who “hacked” Apple’s Developer Center?

Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.

Graham Cluley is a veteran of the cybersecurity industry, having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent analyst, he regularly makes media appearances and is an international public speaker on the topic of cybersecurity, hackers, and online privacy. Follow him on Twitter, Mastodon, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.