Apple: dev portal breach hasn’t compromised iTunes accounts or credit cards


You’re probably aware by now Apple’s portal for its registered developers has been down since noon on Thursday, July 18. The firm on Sunday updated the standard “we’ll be back soon” message at the service’s landing page to warn the “maintenance will take longer than expected”.

Adding fuel to the fire, Apple soon after emailed developers with details on what it revealed as a nasty security breach that may have left some private information exposed. Unfortunately, the company stopped short of detailing precisely what information might have been compromised and how.

Be that as it may, the seeming privacy scare has left many scratching their heads over the potential unpleasantries that might transpire next. Apple for its part did confirm the breach won’t affect consumer iTunes accounts and said no credit card data had been compromised…

In a follow-up article over at TechCrunch, writer Greg Kumparak reached out to Apple and was able to confirm that:

• The hack only affected developer accounts; standard iTunes accounts were not compromised
• Credit card data was not compromised
• They waited three days to alert developers because they were trying to figure out exactly what data was exposed
• There is no time table yet for when the Dev Center will return

Following the breach, researcher Ibrahim Balic stepped forward to explain he had actually reported 13 bugs plaguing the system to Apple, “one by one” four hours before it took down the website, making him the primary suspect for hacking the Dev Center.

That Twitter lit up with reports of unauthorized password resets received by some developers won’t play in his favor.

“I gave details to Apple as much as I can and I’ve also added screenshots,” Balic said in a video. One of the bugs enabled him to take the user details of 73 Apple Inc. employees, so he provided this evidence to Apple as well.

“Four hours later from my final report, Apple developer portal has closed down and you know it still is,” he said. All told, Balic holds 100,000+ users’ details, though he said he had informed Apple about this. But the young London-based security researcher is unnerved.

“In some of the media news I watch/read that whether legal authorities were involved in its investigation of the hack,” he wrote.

Unsure about the potential legal implications of the breach, he underscores he hasn’t pulled the prank on Apple “to harm or damage”. Instead, his aim was to “report bugs” and collect the data for the purpose of seeing “how deep I can go within this scope”.

A notice on the dev portal acknowledges that “an intruder attempted to secure personal information of our registered developers”. Although Apple assured developers that encrypted personal information cannot be accessed, “in the spirit of transparency” the company cautioned that some developers’ names, mailing addresses, and/or email addresses “may have been accessed”.


Although Apple has been “working around the clock” since Thursday, at post time on Monday morning the website was unavailable.

The iPhone maker also promised to extend the program membership to the affected developers. “Your app will remain on the App Store,” the website notice assures.

The now five-day outage couldn’t have come at a worse time.

Developers are in the middle of a major transition as they test their warez against beta builds of iOS 7. Apple’s Dev Center provides access not only to the documentation and knowledge base, it also acts as the central repository for the web tools developers use to sign their code, upload apps to iTunes, manage their account and iAds and more.

The blunder has prompted the company to promise to completely overhaul the portal, update its server software and rebuild the entire database, which is likely going to take some time.

We’re hoping it goes live later today because a new iOS 7 beta is due soon.