
Amid Apple developer site outage, users report unauthorized password resets

Apple's developer site has been down for two days. Some have received password reset e-mails that appear to be sent by Apple but were not authorized -- suggesting foul play.

Zack Whittaker Writer-editor
Zack Whittaker is a former security editor for CNET's sister site ZDNet.

Reports on social-networking and microblogging sites may signal security trouble for Apple.

Apple's Dev Center, the members-only area for paid developers, has been down for about two days, for no given reason. Stating, "we'll be back soon," Apple said Thursday that the site was "undergoing maintenance for an extended period."

Apple's developer entrance site, however, remains up and working fine.

Friday rolled on, and the site's outage continued. iOS and OS X developers began to get cranky, particularly during a time in which iOS 7 and OS X Mavericks are in beta and developers remain eager to get their hands on the latest software bits. 

Existing application developers are unable to access any part of the developer site -- including downloads, help, guides, support, and crucial developer tools. More worryingly, developers that need peer support are unable to access Apple's developer forums, where paid application writers discuss all things software.

According to posts on various sites, iTunes Connect and app provisioning are working fine, but the developer portal site appears to be taking the brunt of the issue.

The site's message changed late Friday to state the maintenance is "taking longer than expected." It added: "If your program membership was set to expire during this period, it has been extended and your app will remain on the App Store."

Rumblings across social networks and developer forums point to concern that Apple may have suffered a security breach, similar to an attack on Dropbox last year, which led to a spam attack on many of its users. The logic is that any scheduled maintenance would likely not come at a time during beta testing.

Emergency maintenance, such as to patch or fix a security flaw or lapse, could happen at any time and without warning.

Twitter has also been abuzz with reports that users have received password reset e-mails, including some repeated attempts, as reports from Neowin and Hacker News noted.

(Screenshot: ZDNet, via Twitter)

Not every developer has received an Apple password reset request -- whether authorized by Apple, or sent as a result of an attacker or hacker attempting to reset a developer's password without permission.

(We also checked other keywords, such as "google reset" and "microsoft reset," and even "account reset" on social-media sites, and nothing appeared particularly out of order.)

A number of Apple developers on Twitter responded when asked if they had received a password reset e-mail. This seems to point toward a spattering of password reset e-mails rather than Apple forcing its users to change their passwords.

Tumblr co-founder and Instapaper creator Marco Arment said in a tweet Saturday afternoon: "The longer it goes, the more I believe the security-issue theory."


But if it is a security issue, there still remain unanswered questions over what happened.

Apple, a company that is notoriously secretive, will have to not only admit to its users what happened to cause the outage and downtime but also explain in precise detail what happened, when, how, and ultimately why.

The unauthorized password reset e-mails that have been landing in in-boxes over the past 24 hours likely have nothing to do with a flaw the company patched in March. A flaw in the iForgot password reset system could have allowed an attacker to reset an account with just an e-mail address and date of birth. 

At this point, in true style for the Cupertino, Calif.-based technology giant, it's not saying anything to any effect. We've put in questions to Apple, but did not hear back by publication time.

We'll keep this article updated as and when more comes in.

This story originally appeared as "Amid extended Apple developer site downtime, users report unauthorized password resets" on ZDNet.