Apple takes Dev Center down for days, finally admits, “We got owned!”


What a weekend!

First Ubuntu and now Apple have admitted to large-scale breaches of their user databases.

The Ubuntu Forums hackers called attention to themselves by changing the main screen to a cartoon of an AK-47-wielding penguin, and Canonical owned up as soon as it could.

But Apple’s breach was less obvious at first, with the Developer Center simply going offline with the most generic sort of explanation:

We apologize that maintenance is taking longer than expected.

Apple told developers whose membership would expire during the outage not to worry, giving them a free extension and reassuring them that their apps wouldn’t be ejected from the App Store:

If your program membership was set to expire during this period, it has been extended and your app will remain on the App Store.

But as the outage dragged on from last Thursday into the weekend, some observers began to ask if there were more sinister reasons than merely a maintenance window gone wrong.

After all, Apple is one of the massive success stories of the modern cloud economy (iTunes, QED), which makes maintenance alone a decreasingly likely explanation the longer it takes.

It turns out the cynics were right.

Apple’s Developer Center was penetrated, with Cupertino admitting that the attackers seemed to be after personally identifiable information (PII).

The main developer page looks OK at first sight:

But if you try to click through to any of the developer-specific locations, such as the iOS Dev Center or the Mac Dev Center, you don’t get very far:

The notice, which was also sent by email to registered developers, now admits the reason for the extended maintenance:

Last Thursday, an intruder attempted to secure personal information of our registered developers from our developer website. Sensitive personal information was encrypted and cannot be accessed, however, we have not been able to rule out the possibility that some developers’ names, mailing addresses, and/or email addresses may have been accessed. In the spirit of transparency, we want to inform you of the issue. We took the site down immediately on Thursday and have been working around the clock since then.

Investigating a breach of this sort requires considerable circumspection, not least because you need to make sure that such evidence as you have available for law enforcement is safe and sound before you say too much.

That might explain Apple’s delay in telling it like it is, but I’m still not quite sure how many friends in the developer community Apple will win by invoking “the spirit of transparency” some two-and-a-half days late.

The next part of Apple’s admission, which seems to be intended to explain why actually fixing things is taking longer than might have been expected, says:

In order to prevent a security threat like this from happening again, we're completely overhauling our developer systems, updating our server software, and rebuilding our entire database.

It sounds slightly worrying to hear that Apple is updating its server software after the incident.

With all of this in mind, here’s what we recommend:

  • Patch early, patch often.
  • Proactive security isn’t just for Windows users.
  • If you suffer a breach, remember that honesty is the best policy, and time is of the essence.

What now?

Well, let’s hope that operating system data breach notifications aren’t like buses, where you wait a while and then three come at once.

Ubuntu/Linux, then Apple/OS X…who/what, do you think, would be next?