Monday, July 22, 2013

Some see numerous password reset emails after Apple Developer Center hacked

The first thing that came to mind when the Apple Developer Center went down late last week was that Apple was posting a new beta of iOS 7. However, on Sunday the company revealed the real reason: The site had been hacked.

Although Apple said that sensitive personal information was encrypted, the company said that it could not rule out the possibility that some developers' names, mailing addresses, and/or email addresses were accessed.

The company's statement in emails sent to developers was as follows:
Last Thursday, an intruder attempted to secure personal information of our registered developers from our developer website. Sensitive personal information was encrypted and cannot be accessed, however, we have not been able to rule out the possibility that some developers’ names, mailing addresses, and/or email addresses may have been accessed. In the spirit of transparency, we want to inform you of the issue. We took the site down immediately on Thursday and have been working around the clock since then.

In order to prevent a security threat like this from happening again, we’re completely overhauling our developer systems, updating our server software, and rebuilding our entire database. We apologize for the significant inconvenience that our downtime has caused you and we expect to have the developer website up again soon.
The site continued to be down on Monday.

Developers whose memberships may have been set to expire during this timeframe, and who thus cannot renew, have been given a one-week extension on their membership.

It appears that Apple's warning that some information had been lost was well founded: Some users have reported being sent one or more unauthorized password reset emails. Since not everyone has received such an email, it appears that these are the hackers trying to access information, rather than Apple having all developers reset their passwords.

At this rate, though, a reset for all developers may of course come. In any case, it probably wouldn't be a bad idea for developers to change their passwords proactively.
