Since last Thursday, iOS developers have been unable to log in to Apple’s Developers Portal. Most people assumed it was maintenance or a simple website upgrade. As it turns out, hackers broke into the website and stole an indeterminate amount of data.
Apple said in a statement: “Last Thursday, an intruder attempted to secure personal information of our registered developers from our developer website. Sensitive personal information was encrypted and cannot be accessed, however, we have not been able to rule out the possibility that some developers’ names, mailing addresses, and/or email addresses may have been accessed. In the spirit of transparency, we want to inform you of the issue. We took the site down immediately on Thursday and have been working around the clock since then.”
“In order to prevent a security threat like this from happening again, we’re completely overhauling our developer systems, updating our server software, and rebuilding our entire database. We apologize for the significant inconvenience that our downtime has caused you and we expect to have the developer website up again soon.”
The online break-in did not affect account data such as passwords, because they are stored hashed rather than in readable form. But credit cards are the big one you have to keep in plaintext. If you want to bill the card without asking for the number to be reentered, there’s no way to avoid storing the number and expiration date. PCI does mandate that you keep less than what is necessary to initiate a new charge, though: you are not allowed to store the 3-digit verification code from the back of the card. Names, addresses and email addresses are also not encrypted, and many users have been getting emails about password resets as the hackers try to take over a massive number of accounts.
TechCrunch confirmed just now that “The hack only affected developer accounts; standard iTunes accounts were not compromised. Credit card data was not compromised. They waited three days to alert developers because they were trying to figure out exactly what data was exposed. There is no timetable yet for when the Dev Center will return.”