A warning for Apple Developers [UPDATED]
Late last week Apple’s developer member center was hacked and, as a precaution, it was shut down. Today Apple confirmed the suspicions many had held for a few days (once developers started receiving password reset emails, most realized something wasn’t right) and released a statement. Though sensitive personal information has not been accessed because it was encrypted, some other personal information may have been.
Since names, mailing addresses and/or email addresses may have been compromised, I urge every developer to keep a very close eye on their email. This information is valuable to phishers and can be used to craft very convincing phishing (or spear phishing) emails. Unfortunately you won’t know whether a phishing attempt will come tomorrow, next month, next year or never, but your information may be out there now, so better safe than sorry.
Any email you receive that asks for, mentions or involves names, passwords or financial information of any kind should be scrutinized. Check URLs by hovering your mouse over them before clicking, or (preferably) go to the website directly. For example, if you receive an email from PayPal, instead of clicking any links in the email, open your browser and visit paypal.com yourself.
Here are some more tips on how to spot phishing emails:
>> E-Mail Security
>> Using OS X Mail to spot phishing emails
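The hover check described above (does the link really go where its text says it goes?) can also be automated over an HTML email body. The following Python script is an added example, not part of the original post or of Apple’s or anyone else’s tooling: it extracts every anchor, flags links whose visible text names one domain while the href points at another, and flags links to hosts outside a list of sender domains you trust. The sample email, the trusted-domain list and the two-label approximation of a registrable domain are all assumptions made for the example (a real implementation would consult the Public Suffix List).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._current_href = None
        self._current_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current_href = dict(attrs).get("href", "")
            self._current_text = []

    def handle_data(self, data):
        if self._current_href is not None:
            self._current_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._current_href is not None:
            text = "".join(self._current_text).strip()
            self.anchors.append((self._current_href, text))
            self._current_href = None


def registered_domain(host):
    """Crude approximation of the registrable domain: the last two labels.
    Assumption for this example; a real tool would use the Public Suffix List.
    IP literals are returned unchanged so they stay recognisable in reports."""
    host = host.lower().rstrip(".")
    if host.replace(".", "").isdigit():
        return host
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def host_of(text):
    """Return the host part of a URL or bare domain written as anchor text."""
    candidate = text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    return urlparse(candidate).hostname


def looks_like_domain(text):
    """Heuristic: anchor text that contains a dot and no spaces is a URL/domain."""
    t = text.strip()
    return "." in t and " " not in t and len(t) > 3


def suspicious_links(html, trusted_domains):
    """Return (href, visible text, reason) for every link a hover check
    would reveal as not going where it claims, or going somewhere untrusted."""
    parser = _AnchorCollector()
    parser.feed(html)
    trusted = {d.lower() for d in trusted_domains}
    findings = []
    for href, text in parser.anchors:
        parsed = urlparse(href)
        scheme = parsed.scheme.lower()
        if scheme not in ("http", "https"):
            findings.append((href, text, "non-web link scheme: %s" % (scheme or "none")))
            continue
        actual = registered_domain(parsed.hostname or "")
        if looks_like_domain(text):
            shown = registered_domain(host_of(text) or "")
            if shown != actual:
                findings.append((href, text,
                                 "visible text says %s but link goes to %s" % (shown, actual)))
                continue
        if actual not in trusted:
            findings.append((href, text, "link host %s is not a known sender domain" % actual))
    return findings


# Constructed sample email body (not a real message) with one deceptive link,
# one genuine link and one link to a bare IP address.
SAMPLE_EMAIL = """
<p>Dear developer, your account needs attention.</p>
<a href="http://paypal.com.account-verify.example.net/login">https://www.paypal.com/login</a>
<a href="https://www.paypal.com/help">Help centre</a>
<a href="http://198.51.100.23/update">Update your details</a>
"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL, ["paypal.com"]):
        print("SUSPICIOUS: %r (%s) -> %s" % (text, href, reason))
```

Run against the constructed sample, the script reports the first link (its text claims paypal.com but the href lands on example.net) and the third (a raw IP address that is not a known sender), and stays silent on the genuine help-centre link. The same mismatch is what you see when you hover over a link in your mail client and compare the tooltip with the text.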
Though this is far less common, your mailing address may be abused as well. If you receive requests or blank checks in the mail from your bank etc., call the bank to confirm.
[UPDATE] Apple has begun sending emails to developers letting them know what is going on.
[UPDATE] A fellow named Ibrahim Balic left a comment on techcrunch.com stating the following:
Accompanied by a link to a YouTube video he made: http://www.youtube.com/watch?v=q000_EOWy80&feature=youtu.be
At this point it is unclear whether his bug discovery (and the exploit written to prove the bug was real) is the reason the Developer Center was shut down, or whether someone else got into Apple’s systems. Ibrahim Balic states that he has no malicious intent and that all collected data will be erased. Although no malice was intended, the YouTube video did show 11 names and email addresses (some partially covered but easy to guess). If your name (and email address) was among those shown in the video, keep an eye out for spam and phishing; and until it is confirmed that this was indeed the hack that caused the shutdown, every developer should do the same, as mentioned above.
Comments on the YouTube video and the TechCrunch post show a mix of understanding people and the kind of idiots that can be found anywhere else. Before you grab a pitchfork and set out for Mr. Balic, keep in mind that (if it was him that caused this) I’d rather have him find this bug than a black-hat cracker who is after this data for other reasons. Crackers are needed to find vulnerabilities like these before someone with malicious intent does. Of course there is a right and a wrong way of doing and presenting research like this, but again, rather him than China 🙂
Comments are welcome.
I left town last week on a trip so I have not attempted to log in, but reading this, it’s ridiculous that Apple did not push out an email to all developers with this message! This is the first I hear about it; if it wasn’t for this message I would not have known until Wednesday! Thanks for the heads up!