The threat actor known as IntelBroker on criminal forums has previously claimed to have obtained data from breaches involving Europol and AMD.

IntelBroker posted on X (formerly Twitter) about accessing the source code of three internal tools used at Apple, including a single sign-on authentication system called AppleConnect. Following this post, the IntelBroker account was suspended.

However, Dark Web Informer, a dark web threat intelligence account, reiterated the claim. It shared a screenshot from a criminal forum showing the tools listed as AppleConnect-SSO, Apple-HWE-Confluence-Advanced, and AppleMacroPlugin.

In a BreachForums post, IntelBroker stated, “I’m releasing the internal source code to three of Apple’s commonly used tools for their internal site, thanks for reading and enjoy!”

An analysis by the security team at cybersecurity consultancy AHCTS revealed that the leaked code is not the source code of the internal tools themselves but rather “proprietary internal plugins and configurations” used “to connect Apple proprietary authentication systems to Atlassian Jira and Confluence for Single Sign On authentication within the Apple corporate network.”

AHCTS’s highly technical analysis concludes that the leak of these custom plugins “poses significant cybersecurity risks,” though no Apple end-user products or services are impacted. AHCTS indicated that the detailed configurations and sensitive information contained within the code could “potentially be exploited by malicious actors.”