Apple comments on developer site hack

I spoke with Apple tonight about news that its developer portal was hacked last Thursday by someone attempting to gain access to personal information about the company’s developers. While the company has already admitted that the site was breached, there are some important details that you should know.

First of all, this does not affect iTunes customer accounts—this is a different system and all iTunes customer information is completely safe, Apple told me.

It’s also important to note that the hacker did not get access to any app code or even the servers where the app information was stored. The hacker also did not get access to any credit card information.

The only things the hacker could have gotten access to were the names, email addresses and mailing addresses of the developers. At this point, Apple doesn’t know if the hacker even managed to see that information. Worst case, that is all the information they would have seen, according to Apple.

Apple has taken the developer site offline and is working to get the site secured before re-launching it. The company had no timetable for when that might happen.



  • Joshua Atkin

    Well, I know the hacker got my email, because someone attempted to change my password 3 times this weekend.

    • rattyuk

      As the site has been down since Thursday would you care to explain how he was doing it?

      • Joshua Atkin

        Apple hasn’t released this information so I cannot :)

        • rattyuk

          I was asking the obvious question – if the site has been down since Thursday how could a “Hacker” attempt to change your password 3 times?

          • julian

            Although the developer site has been down, the Apple ID system, which is based on email addresses, along with its password reset system (iForgot), weren’t down.

    • kurt

      ditto for me!

    • SockRolid

      Me too. But only once, and of course they failed. I knew I set up 2-step authorization for some reason.

      • KarlWa

        Apple’s 2-step authorization works via Find my iPhone messages, so wouldn’t you need an iOS device dedicated to your developer account to use that? I doubt many developers will have it set up on their developer AppleIDs.

        That’s assuming your personal and developer AppleIDs are separate (which is probably a good idea, as this hack shows).

        • Walt French

          Two-factor can be set up on others’ devices. For instance, my wife’s iPhone or iPad can also authorize a change to my AppleID that primarily uses my own iPhone.

          Let me guess that in a month, virtually all developer IDs have a two-factor rule.

    • Bob the Photo

      How can they change your password if they don’t have access to the original?

      • nonprofit_tech

        That’s what password reset is for, on any system. It allows you to reset your password, if you’ve forgotten it (don’t have access to the original). Generally, it just requires you to know the email address and to be able to receive email at that address.

        Basically, it works on the assumption that your email is ‘hopefully’ secure and only accessible by you. If you want more security than that, then 2-step authentication comes into play.

      • mostlyfreeideas

        In a proper secure password system, no one – not even the service provider – can ever access the actual password. Reset it, yes. Know it, no.

    • Justin

      Joshua, the same thing happened to me. Someone tried to change my password 3 times. I guess they got my info as well.

    • Darren Olivier

      That’s concerning, but not proof though. Is your email address publicly visible elsewhere? It’s entirely possible that some people, assuming correctly that Apple’s dev site was down due to a security issue, were trying their luck with password resets in the hope that Apple’s rush might’ve compromised that system too.

      It also may have been a complete coincidence, though that’s less likely.

    • fubar

      I assume you mean someone attempted to change your email password.

      • mostlyfreeideas

        Anyone can initiate a password reset process. Go to https://iforgot.apple.com/iForgot/iForgot.html and type anyone’s valid Apple ID (usually their email address). They will get an email offering them a link to reset their password.

        • fubar

          I was trying to understand whether the hacker was attacking the Apple account or the email account. People are talking about 2 factor authentication which makes it sound like the email a/c was being attacked.

          • fubar

            Oh, Apple has 2FA as well. You live and learn.

    • gjgustav

      Maybe. I get password reset attempts on my email often.

    • Jedike

      Unless you have 3 Apple ID accounts, why would they attempt this 3 times?

      Just curious about that …

  • David Stockley

    “First of all, this does not effect iTunes customer accounts”, this should be ‘affect’. Sorry for pointing that out.

    • Jim Dalrymple

      Stupid mistake.

      • azulum

        Stupid mistakes — there the easiest to make, and so the hardest to keep from happening.

        • Sharon Sharalike

          I see what you did their.

          • airmanchairman

            Our-ha!

        • chris

          Its they’re, stupd :-)

          • azulum

            They’re their, know knead two git nasty.

  • g

    Also in the second to last paragraph “Worse case…” should be ‘worst case’.

    • Andre Richards

      Also in your post, “second to last” should be “second-to-last.” It’s a compound phrase being used as an adjective to modify “paragraph.”

      I mean, if we’re all going to be grammar Nazi a**holes, let’s do it right.

      • Sharon Sharalike

        He also missed a chance to use the word “penultimate,” which a true grammar and word naz^h^h^hfan should never do.

      • albertkinng

        In a world of: LOL, LMAO, BRB, THX, SMH why bother for grammar errors? My 5 year old daughter can do basic CSS and she is having problems with reading. So, IMHO Please ignore Grammar Errors from now on. Thx

        • The Silver Fox

          “Please ignore Grammar Errors” should not be capitalized ;)

          • albertkinng

            You didn’t get The Joke.

          • The Rone Langer

            No, it’s you who didn’t get the joke.

            Anyway all good.

          • albertkinng

            LOL

          • Walt French

            …an ever-widening circle, it’d seem.

          • The Silver Fox

            I did get the joke, didn’t you see my smiley?

  • Stuart Breckenridge

    Joshua Atkin – Could just be coincidence? Brute force attacks are pretty common.

    It’s good to hear that this is being dealt with, infuriating as it may be.

    Why are they keeping the login screens up though (e.g. on the Dev Forums)??

    • Joshua Atkin

      Well, I don’t think so. In all honesty, since day 1 of my Apple account, this has never happened, then it happens 3 times in a short period of time during the time that Apple’s developer’s site gets hacked, where they admit it’s possible he got emails.

      Then again, I don’t really care he has my email or name, it’s plastered on the internet. I just don’t like the idea of someone trying to get into my account.

      • julian

        If you haven’t already, maybe get thee to enabling 2-factor ID?

      • RichR67

        Do you have a developer account?

  • lucascott

    Keyword is ATTEMPTED. Not did.

    Although much of the media will leave that bit out or bury it under the fold, cause saying they were gets way more hits

    • SockRolid

      The headlines will read “Did someone steal all Apple developer info?” And the text will contain the word “attempted” somewhere in the 3rd or 4th paragraph. You know, “below the fold.”

  • The White Tiger

    I’m not tremendously concerned about my account security– I’ve got two-step authentication codes and Google Authenticator apps coming out of my ass.

    Humorously, I’m mostly scared about being signed up for (actual, physical) mailing lists with my street address.

  • WellRed

    I am not the most technologically-savvy person out there, but the rebuild described in their email does not seem consistent with the mild breach they are describing.

    Also on Thursday, it was supposed to be fixed by EOD. It’s now Sunday, and I fear it could be a few more days yet.

    Seems kinda fishy, no?

    • Steven Fisher

      Not at all. When a system is breached, you do what you have to do to make it safe.

      I’ve watched people go through this. A day tells you how bad things are. A few days tells you that you can’t fix what’s there; it needs to be replaced fully. A couple weeks lets you replace it.

      Expect replacement. Expect replacement on modern technologies, with modern methods. (Do NOT expect much of a visual difference, though.) Apple can probably replace it more quickly than a couple weeks.

  • boraoku

    Here is proper news coverage with the video demonstration from the hacker: http://www.ntvmsnbc.com/id/25456264/

    • James Hughes

      Proper if you read Turkish you mean? Also, after translating the page, I do not see how this is any more “proper” than what is being covered here. Are you associated with the site perhaps?

  • albertkinng

    So, this means we need to go back to “Apple is doomed” again? We need to call Wired Magazine and see if they are printing a sacred Apple logo again…

  • glen

    Password change attempts are not evidence of a hacker obtaining your email through this security breach. I have gotten password change attempts 10-20 times over the last few years. It only means that somebody using your email address (which is easily obtainable on lists with millions of others) is trying to access the Apple site with it.

    This is akin to people wondering how telescammers got their phone number, they didn’t. Just start with an area code, pick an exchange, then dial 0000, increment and repeat; eventually your number will be called.

  • Whatever

    Apple doesn’t know if the hacker even managed to see that information. – Bullshit, I’m receiving a ton of password change request emails.