Apple's developer website hacked, personal information 'may have been accessed'

Updated 10:55 PM with another message from Apple

Apple’s developer website, which has experienced some significant downtime this past week, has been hacked.

Update: “white hat” hacker claims responsibility

Apple released the information just a few moments ago in an email to registered developers, saying that sensitive emails, names, and physical addresses could have been compromised, and that it took the website down on Thursday to prevent any further damage:

Last Thursday, an intruder attempted to secure personal information of our registered developers from our developer website. Sensitive personal information was encrypted and cannot be accessed, however, we have not been able to rule out the possibility that some developers’ names, mailing addresses, and/or email addresses may have been accessed. In the spirit of transparency, we want to inform you of the issue. We took the site down immediately on Thursday and have been working around the clock since then.

In order to prevent a security threat like this from happening again, we’re completely overhauling our developer systems, updating our server software, and rebuilding our entire database. We apologize for the significant inconvenience that our downtime has caused you and we expect to have the developer website up again soon.

The last time Apple’s developer website went down, it was due to a rush on the company’s iOS 7 beta release in early June. This week’s outage, however, was longer-lived — for much of a day — and for a much more damaging reason.

Previous Apple hacks have all been clientside, often through vulnerabilities in the Java software the company used to ship with OS X, and occasionally via social-engineering attacks on iCloud passwords. This is potentially a much more serious issue, as there are 300,000 iOS developers in the U.S. alone, and probably well over a million globally.

Apple is a tempting target not just for its developers, but also for its users.

iCloud and iTunes have over 300 million accounts, all with juicy credit card information. An attacker who could penetrate Apple’s security in one place — the developer site, for instance — might be able to penetrate Apple’s security in other places. I’ve contacted Apple for more information on what the company is doing to protect those users and to ensure that none of their information has been affected.

Apple’s worst fear, of course, might be that hackers could gain access to its app store or the signing credential technology that certified iPhone apps as safe, known, and malware-free. Google recently had a major scare of exactly that category — which it so far appears to have been able to contain — and the last thing Apple wants is for its iPhone-buying public to consider the iOS ecosystem anywhere near as malware-laden as Android sometimes appears to be.

The front page of the site is currently live, but developers attempting to log into the site will find this message:

In order to prevent a security threat like this from happening again, we’re completely overhauling our developer systems, updating our server software, and rebuilding our entire database. We apologize for the significant inconvenience that our downtime has caused you and we expect to have the developer website up again soon.