Amid extended Apple developer site downtime, users report unauthorized password resets

Apple's developer site has been down for two days. Some have experienced password reset emails, which appear to be sent by Apple, but were not authorized — suggesting foul play.

Image: ZDNet

Reports on social networking and microblogging sites may signal security trouble for the iPhone and iPad maker.

Apple's Dev Center, the members' only area for paid developers, has been down for more about two days, for no given reason. Stating, "we'll be back soon," Apple said the site was "undergoing maintenance for an extended period" on Thursday.

Apple's developer entrance site, however, remains up and working fine.

Read this

U.S. government can't intercept iMessage, but it can still serve Apple a search warrant

One U.S. law enforcement agency is struggling to snoop on messages sent by Apple devices, claiming they "cannot be intercepted." But lack of transparency on Apple's part may mean the technology giant is facing an influx of search warrants — and yet we don't know about it.

Read More

Friday rolled on, and the site's outage continued. iOS and OS X developers began to get cranky, particularly during a time in which iOS 7 and OS X Mavericks are in beta and remain eager to get their hands on the latest software bits. 

Existing application developers are unable to access any part of the developer site — including downloads, help, guides, support and crucial developer tools. More worryingly, developers that need peer-support are unable to access Apple's developer forums, where paid application writers discuss all things software.

According to posts on various sites, iTunes Connect and app provisioning are working fine, but the developer portal site appears to be taking the brunt of the issue.

The site's message changed late Friday to state the maintenance is "taking longer than expected." It added: "If your program membership was set to expire during this period, it has been extended and your app will remain on the App Store."

Rumblings across social networks and developer forums point to concern that Apple may have suffered a security breach, similar to an attack on Dropbox last year, which led to a spam attack on many of its users. The logic is that, by putting two and two together, it's clear that any scheduled maintenance would likely not come at a time during beta testing.

Emergency maintenance, such as to patch or fix a security flaw or lapse, could happen at any time and without warning.

Twitter has also been abuzz with reports that users have received password reset emails, including some repeated attempts, as reports from Neowin and Hacker News noted.

(Screenshot: ZDNet, via Twitter)

Not every developer has received Apple password resets — whether authorized by Apple, or sent as a result of an attacker or hacker attempting to reset a developer's password without permission

(We also checked other keywords, such as "google reset" and "microsoft reset," and even "account reset" on social media sites, and nothing appeared particularly out of order or worth standing out.)

A number of Apple developers on Twitter responded when asked if they had received a password reset email. This seems to point towards a spattering of password reset emails rather than Apple forcing its users to change their passwords.

Tumblr co-founder and Instapaper creator Marco Arment said in a tweet on Saturday afternoon: "The longer it goes, the more I believe the security-issue theory."

But if it is a security issue, there still remain unanswered questions over what happened.

Apple, a company that is notoriously secretive, will have to not only admit to its users what happened to cause the outage and downtime, but also explain in precise detail what happened, when, how and ultimately why.

The unauthorized password reset emails that have been landing in inboxes over the past 24 hours are likely nothing to do with a flaw the company patched in March. A flaw in the iForgot password reset system could have allowed an attacker to reset an account with just an email address and date of birth. 

At this point, in true style for the Cupertino, Calif.-based technology giant, it's not saying anything to any effect. We've put in questions to Apple but did not hear back at the time of writing.

Update at July 21 at 9:00 p.m.: Apple has confirmed a security breach. ZDNet's Chris Duckett has more .