Apple’s developer site was accessed by “an intruder” last Thursday, the company has disclosed, and Apple has not ruled out the possibility that developers’ names, mailing addresses, and/or email addresses were compromised.
The company just sent developers an email explanation, after pushing them off for the past three days with notices that the developer site was down for maintenance.
It appears that the potentially vulnerable names and addresses had not been encrypted. By contrast, Apple says developers’ “sensitive personal information” was encrypted, so it has not been accessed.
Before it reopens the developer site, Apple is “completely overhauling our developer systems, updating our server software, and rebuilding our entire database,” the email said.
Apple spokesman Tom Neumayr said he would not go into further detail about the weakness of the old system or the improvement of the new system, but he noted that no customer information was impacted.
“The website that was breached is not associated with any customer information,” Neumayr said. “Additionally, customer information is securely encrypted.”
The Apple developer site — which allots access to iOS 7, OS X Mavericks and other development kits, helps developers allocate apps to beta testers, and also includes popular developer-only forums — went down Thursday, and was first marked with a notice saying it was down for maintenance.
Later, it was updated with a notice saying, “We apologize that maintenance is taking longer than expected.” Developers were told that memberships that would have expired during the downtime had been automatically extended.
Extended downtime is rare, and developers had wondered what was up, with some, including Marco Arment, theorizing that there had been some sort of security breach.
Here’s the full notice:
Apple Developer Website Update
Last Thursday, an intruder attempted to secure personal information of our registered developers from our developer website. Sensitive personal information was encrypted and cannot be accessed, however, we have not been able to rule out the possibility that some developers’ names, mailing addresses, and/or email addresses may have been accessed. In the spirit of transparency, we want to inform you of the issue. We took the site down immediately on Thursday and have been working around the clock since then.
In order to prevent a security threat like this from happening again, we’re completely overhauling our developer systems, updating our server software, and rebuilding our entire database. We apologize for the significant inconvenience that our downtime has caused you and we expect to have the developer website up again soon.