Amid extended Apple developer site downtime, users report unauthorized password resets

Summary: Apple's developer site has been down for two days. Some have experienced password reset emails, which appear to be sent by Apple, but were not authorized — suggesting foul play.

Reports on social networking and microblogging sites may signal security trouble for the iPhone and iPad maker.

Apple's Dev Center, the members-only area for paid developers, has been down for about two days, for no given reason. Stating, "we'll be back soon," Apple said the site was "undergoing maintenance for an extended period" on Thursday.

Apple's developer entrance site, however, remains up and working fine.

Friday rolled on, and the site's outage continued. iOS and OS X developers began to get cranky, particularly at a time when iOS 7 and OS X Mavericks are in beta and developers remain eager to get their hands on the latest software bits.

Existing application developers are unable to access any part of the developer site — including downloads, help, guides, support and crucial developer tools. More worryingly, developers that need peer-support are unable to access Apple's developer forums, where paid application writers discuss all things software.

According to posts on various sites, iTunes Connect and app provisioning are working fine, but the developer portal site appears to be taking the brunt of the issue.

The site's message changed late Friday to state the maintenance is "taking longer than expected." It added: "If your program membership was set to expire during this period, it has been extended and your app will remain on the App Store."

Rumblings across social networks and developer forums point to concern that Apple may have suffered a security breach, similar to an attack on Dropbox last year, which led to a spam attack on many of its users. The reasoning, putting two and two together, is that scheduled maintenance would be unlikely to come during beta testing.

Emergency maintenance, such as to patch or fix a security flaw or lapse, could happen at any time and without warning.

Twitter has also been abuzz with reports that users have received password reset emails, including some repeated attempts, as reports from Neowin and Hacker News noted.

Not every developer has received Apple password resets — whether authorized by Apple, or sent as a result of an attacker or hacker attempting to reset a developer's password without permission.

(We also checked other keywords, such as "google reset" and "microsoft reset," and even "account reset" on social media sites, and nothing appeared particularly out of order or stood out.)

A number of Apple developers on Twitter responded when asked if they had received a password reset email. This seems to point towards a spattering of password reset emails rather than Apple forcing its users to change their passwords.

Tumblr co-founder and Instapaper creator Marco Arment said in a tweet on Saturday afternoon: "The longer it goes, the more I believe the security-issue theory."


But if it is a security issue, there still remain unanswered questions over what happened.

Apple, a company that is notoriously secretive, will have to not only admit to its users what happened to cause the outage and downtime, but also explain in precise detail what happened, when, how and ultimately why.

The unauthorized password reset emails that have been landing in inboxes over the past 24 hours likely have nothing to do with a flaw the company patched in March. A flaw in the iForgot password reset system could have allowed an attacker to reset an account with just an email address and date of birth.

At this point, in true style for the Cupertino, Calif.-based technology giant, it's not saying anything to any effect. We've put in questions to Apple but did not hear back at the time of writing.

Update on July 21 at 9:00 p.m.: Apple has confirmed a security breach. ZDNet's Chris Duckett has more.

Talkback

  • Hmm

    Haven't gotten one yet, but thanks for the heads up!
    Mac_PC_FenceSitter
  • Let's hope the root certificates were compromised

    Scramble apple, like the convicted market manipulator that you are.

    Scramble apple devs, for supporting a convicted market manipulator.

    Meanwhile, I'm munching on my popcorn.

    *munch* *munch*
    toddbottom3
    • so true ha ha. I was also munching popcorn

      during that multi-day cloud outage MS had a few months ago. they're both unethical companies so I love the popcorn during times like this.
      drwong
    • If I were to avoid convicted market manipulators

      I'd have to give up the two platforms I DO develop for, and switch to Linux. Not much fun - I prefer xcode and Visual Studio.
      Mac_PC_FenceSitter
    • Don't choke on your popcorn

      Feeling a bit of schadenfreude, are we? Guess you'll be feeling smug and chuckling hard choking on your popcorn over the Ubuntu forums being hacked and all the usernames and passwords being stolen. Canonical after all is just another evil corporation worthy of your scorn. It is in the nature of corporations law; if a corporation was a person, they'd be a psychopath. Freeing ebooks from Amazon's monopolistic stranglehold was a good thing, regardless whether the publishers charge too much.
      msandersen
    • sorry

      "Scramble apple devs, for supporting a convicted market manipulator."
      But this is stupid. One has to suffer because he/she has chosen a platform to work with?
      spicycheeks
  • It's not a bug...

    ... It's a feature. Or you could just be using it wrong.

    (Sorry, couldn't resist)
    The one and only, Cylon Centurion
    • May be

      Those who got the reset mails might have given email IDs that are not up to Apple's standards :-D

      How dare they choose an email ID of their choice? Apple knows much better.

      (Not a useful post. But, Since I hate Apple much, I couldn't resist either :-P)
      spicycheeks
      • You always choose your own ID, same as on iTunes. That you hate a consumer electronics company is just pathetic as there are far better things to direct your scorn against.
        msandersen
  • while you're waiting

    Check out Azure support for iOS

    http://www.windowsazure.com/en-us/solutions/mobile/
    hubivedder
  • Still down?

    And the app store was down for a while too?

    What kind of Mickey Mouse OS is apple using over there?

    Oh.
    toddbottom3
    • You may not like the answer

      You do know that Apple's infrastructure is in no small part on Azure, right?

      http://www.zdnet.com/blog/microsoft/is-apple-really-using-windows-azure-to-power-icloud/9687

      Their server systems are not OS X.... Apple got rid of the server version a while back.
      Mac_PC_FenceSitter
      • Did you actually read the article?

        icloud is on Azure.

        icloud is working just fine.

        Kudos Azure.

        And wow, apple not even confident enough to run their own systems on osx. Stunning news. Since not even apple trusts osx then neither do I.

        Thanks Mac_PC_FenceSitter.
        toddbottom3
  • shocking

    It is shocking that even a supposed hardcore MS supporter doesn't even know what Azure is.

    Windows Azure is a cloud computing platform and infrastructure. It provides both platform as a service (PaaS) and infrastructure as a service (IaaS) services.

    Essentially I can be hosting Linux and even MacOSX on Azure. And Apple is using Linux on iCloud.
    ThinkFairer8
  • deeper issues

    Not only have I started getting password reset emails in the past couple of days, they are going to an account that is not a dev account. (My OTHER Apple account is, and that email address got Apple's heads-up email about the incident.)

    As of this morning, I have even received an email with *someone else's* name in the body.

    Examined it up and down, it is absolutely from Apple. Links are legitimate.

    Went and logged into that Apple ID, password still works, my name is still correct on the site. I don't think Apple is being completely honest.
    FasterTTW