Apple took down its developer portal last week, after an intruder compromised its system and may have accessed developers’ names, addresses and email addresses, the company stated in a notice published on July 21 on its site.
“Sensitive personal information was encrypted and cannot be accessed, however, we have not been able to rule out the possibility that some developers’ names, mailing addresses, and/or email addresses may have been accessed,” an email sent out by the Cupertino-based company explained. This same message was posted to the developer website, which remains down.
The site was taken down on Thursday as a precaution.
“In order to prevent a security threat like this from happening again, we’re completely overhauling our developer systems, updating our server software and rebuilding our entire database. We apologize for the significant inconvenience that our downtime has caused you and we expect to have the developer website up again soon,” Apple wrote.
While the site is down, developers are unable to download relevant software such as the iOS 7 beta builds, to provision new devices for development, participate in developer forums, and more.
The brute forcing of the password file is a typical danger of such breaches, especially if the victims reused their passwords on other accounts. Yet, while Apple did not specifically mention passwords in its notice, the company stated that sensitive information from the accounts was encrypted and could not be accessed.
A software developer has claimed credit for the breach in the comments section on TechCrunch, posting a video which reportedly showed access to sensitive developer information.
The developer and part-time security researcher named Ibrahim Balic claimed that he had found 13 vulnerabilities in Apple’s site and had reported the issues last week to Apple, resulting in the site being taken down.
The video has since been removed from YouTube and Balic has sent messages to Apple via Twitter and email. The company finally reached out to him on July 23, he said in an email interview with eWEEK.
Balic first reported the issues on July 16, and issued his final report to Apple on July 19, the software developer said. He was able to access more than 100,000 user account details, actually accessing 73 records—all of Apple employees—to demonstrate the vulnerability, he said.
Within hours of his final report, Apple pulled down the site, he claimed.