Apple's Developer Portal has suffered a major security breach, with the hacker responsible claiming to have obtained the private details of over 100,000 users. A few hours after the breach, Apple closed down their developer portal while they carried out their investigation and improved security.
The stolen details are believed to include developers' names, email addresses and passwords.
If you have an Apple Developer account, here are the 5 things you should do to keep yourself protected:
- Change your Apple Developer password
- If you use the same password on other sites, change it on those too
- Make your new password(s) strong
- Never use the same password on different websites
- Be wary of phishing emails asking you to log into Apple and change your password.
Apple's Statement:
Last Thursday, an intruder attempted to secure personal information of our registered developers from our developer website. Sensitive personal information was encrypted and cannot be accessed, however, we have not been able to rule out the possibility that some developers’ names, mailing addresses, and/or email addresses may have been accessed. In the spirit of transparency, we want to inform you of the issue. We took the site down immediately on Thursday and have been working around the clock since then.
In order to prevent a security threat like this from happening again, we’re completely overhauling our developer systems, updating our server software, and rebuilding our entire database. We apologize for the significant inconvenience that our downtime has caused you and we expect to have the developer website up again soon.
If your program membership was set to expire during this period, it has been extended and your app will remain on the App Store. If you have any other concerns about your account, please contact us.
Thank you for your patience.
Good Practice
A hacking incident like this demonstrates the importance of not only using strong passwords, but using different passwords for all of your online accounts. Apple will not have stored its users' passwords in plaintext, but even hashed, salted passwords can be cracked relatively quickly if they're not strong. When LinkedIn was hacked last year, 60% of the 6.5 million stolen hashed passwords were cracked within a couple of days.
Using different passwords on all of your websites isolates your exposure should one site be compromised. With email addresses being stolen along with the Apple passwords, it's easy to imagine a hacker trying out the same password on the associated email account. Are any of your email account passwords the same as the passwords you use elsewhere?
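To answer that question for your own accounts, the following is an added example, not part of the original article or any Apple or my1login tooling: a short Python audit that lists every account sharing a password with a breached site. The vault entries, site names and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample export of saved logins: (site, login, password). Not real data.
SAMPLE_VAULT = [
    ("developer.apple.com", "dev@example.com", "Tr0ub4dor&3"),
    ("mail.example.com", "dev@example.com", "Tr0ub4dor&3"),
    ("forum.example.org", "dev", "Tr0ub4dor&3"),
    ("bank.example.net", "dev@example.com", "k9#Vq2!mZr8@pLw4"),
    ("shop.example.com", "dev@example.com", "summer2013"),
    ("git.example.io", "dev", "summer2013"),
]


def reuse_groups(vault):
    """Return lists of sites that share one password (groups of 2 or more)."""
    # Group on a keyed fingerprint instead of the plaintext, so the index built
    # here never holds passwords. The key is random per run and never stored.
    key = secrets.token_bytes(32)
    groups = defaultdict(list)
    for site, _login, password in vault:
        fp = hmac.new(key, password.encode("utf-8"), hashlib.sha256).digest()
        groups[fp].append(site)
    return [sorted(sites) for sites in groups.values() if len(sites) > 1]


def exposed_by_breach(vault, breached_site):
    """Sites whose password must also change because it matches the breached one."""
    for sites in reuse_groups(vault):
        if breached_site in sites:
            return [s for s in sites if s != breached_site]
    return []


def email_account_at_risk(vault, breached_site, email_site):
    """True if the email account uses the same password as the breached site."""
    return email_site in exposed_by_breach(vault, breached_site)


if __name__ == "__main__":
    breached = "developer.apple.com"
    print("Also change the password on:", exposed_by_breach(SAMPLE_VAULT, breached))
    print("Email account shares the breached password:",
          email_account_at_risk(SAMPLE_VAULT, breached, "mail.example.com"))
    print("All reuse groups:", reuse_groups(SAMPLE_VAULT))
```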
A password manager such as my1login will generate strong, complex passwords for you, and because you no longer have to remember them, you have the freedom to make all of your passwords unique, building a fortress around your or your company's online identity. my1login uses client-side encryption, meaning that even my1login can't see the passwords you store. It's totally impossible to decrypt your encrypted passwords without the key, which is not stored by my1login and is known only to you.