(CNN) — Apple said Tuesday that a small number of its employees’ computers had been hacked, but that no data were exposed.
The company said the breach occurred when some employees visited a developer website that exploited a vulnerability in the Java browser plug-in, installing malware on their Mac computers.
“We identified a small number of systems within Apple that were infected and isolated them from our network. There is no evidence that any data left Apple,” the company said in a statement.
Apple did not specify when the hack occurred. The company released a Java patch for OS X users that can be installed from Software Update, and said it’s planning on releasing a tool Tuesday that will sweep Mac computers for any Java malware and remove the offending software. Reuters first reported the breach early Tuesday.
The security breach appears to mirror a similar hack at Facebook in January. On Friday, the social network announced it had been the victim of an intrusion after a handful of employees visited a compromised developer site.
Apple is the latest high-profile American entity to say it was the victim of a recent cyberattack, following similar admissions by Twitter, The New York Times, The Wall Street Journal, The Washington Post and the U.S. Department of Energy. While the news organizations said they believed hackers in China were responsible for their intrusions, Facebook, Twitter and Apple have not mentioned China by name.
Security company Mandiant published a 60-page report Tuesday linking groups of hackers in China to the Chinese government. The cybersecurity company tracked the attacks to specific networks in Shanghai and some to the headquarters of one of China’s secret military groups.
Security holes in Oracle’s Java have been responsible for a number of the recent attacks. The Department of Homeland Security released a warning about the software in January.
Apple pointed out in its statement that Macs running the most recent operating system, OS X Lion, have not come with Java pre-installed and that the computers automatically disable the plug-in after 35 days of inactivity.