Hacked Apple Device IDs Came From App Publisher, FBI Link Disputed

Screenshot of all of the iPhone apps available from digital app publisher BlueToad, Inc., which admitted to collecting millions of Apple device ID numbers, which the company said were hacked.

A week after someone purporting to be affiliated with the hacker collective Anonymous posted the legitimate ID numbers of one million Apple devices online, claiming to have obtained them and 11 million other Apple device ID numbers from an FBI agent’s laptop, an app publishing company has now stepped forward and confessed to being the original source that obtained and stored the numbers, which it says were stolen from its systems by hackers.

Orlando, Florida-based BlueToad Inc., a digital publishing company that says it is “trusted by over 5,000 publishers with more than 10,000 titles,” confessed in a blog post Monday that it was the original source of the 1 million Apple unique device identifier numbers, or UDIDs, that the self-described hackers posted online on September 3.

Specifically, BlueToad is the developer behind 150 iPad apps and 139 iPhone apps, the majority of them digital versions of print magazines, including such popular titles as “Brides,” “Hunter’s Journal,” and “The Men’s Book,” as well as metropolitan magazines including “Dallas,” “Miami,” “Manhattan,” and “San Francisco,” among many others.

As BlueToad CEO Paul DeHart wrote in an apologetic blog post (which was knocked offline due to a heavy influx of traffic, read a cached version here):

A little more than a week ago, BlueToad was the victim of a criminal cyber attack, which resulted in the theft of Apple UDIDs from our systems. Shortly thereafter, an unknown group posted these UDIDs on the Internet….

We have fixed the vulnerability and are working around the clock to ensure that a security breach doesn’t happen again. In doing so, we have engaged an independent and nationally-recognized security assurance company to assist in our ongoing efforts.

We sincerely apologize to our partners, clients, publishers, employees and users of our apps. We take information security very seriously and have great respect and appreciation for the public’s concern surrounding app and information privacy.

Further, DeHart stated in his note that his company had complied with Apple’s requirement that third-party app developers phase out use of the UDID number, which other security researchers have pointed out can be linked with other databases of personal information to accurately identify the individual owners of Apple iPad, iPhone and iPod Touch devices, and can also be used to access and control certain applications on those devices without authorization.

“BlueToad does not collect, nor have we ever collected, highly sensitive personal information like credit cards, social security numbers or medical information,” DeHart wrote.

Speaking on camera to NBC News’ Redtape Chronicles, DeHart added that his analysis found with “100 percent confidence level, it’s our data.”


Asked if BlueToad had ever provided the UDID information to the FBI, which the hackers said was the source of the hacked data, DeHart told Redtape Chronicles “No it wasn’t.”

Asked whether anyone else could have given BlueToad’s stored UDIDs to the FBI, DeHart said: “Honestly, I have no idea.”

The FBI, for its part, had earlier told TPM and other reporters that it had “no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data.”

DeHart also told Redtape Chronicles that his firm had been alerted to the possibility that it could be behind the trove of UDID data by a security researcher at mobile security firm Intrepidus Group. David Schuetz, aka “Darth Null,” performed his own analysis on the one million UDIDs the hackers had posted online and contacted BlueToad with his findings that linked the company to the data.

Schuetz described his detective work in a blog post on the Intrepidus Group website, writing in part:

I had decided to look more closely at the most frequently repeated device IDs, on the theory that perhaps that would belong to a developer. They’d naturally test multiple apps for their company, each of which should have a different device token…

By the time I went to bed, I had identified nineteen different devices, each tied to BlueToad in some way. One, appearing four times, is twice named “Hutch” (their CIO), and twice named “Paul’s gift to Brad” (Paul being the first name of the CEO, and Brad being their Chief Creative Officer). I found iPhones and iPads belonging to their CEO, CIO, CCO, a customer service rep, the Director of Digital Services, the lead System Admin, and a Senior Developer.

But as Schuetz noted, some mystery remains, namely whether or not the FBI had any connection to the leaked devices as the self-described hackers originally suggested. As Schuetz concluded: “I’m still not completely clear on all the technical details. Was BlueToad really the source of the breach? How did the data get to the FBI (if it really did at all)? Or is it possible this is just a secondary breach, not even related to the UDID leak, and it was just a coincidence that I noticed?”
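The frequency analysis Schuetz describes can be sketched as follows. This is an added example, not his code and not part of the original article: it groups records by device ID and ranks the IDs by how many distinct tokens each appears with. The three-field record layout, the function names and every sample value are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample records (placeholders, not real leaked data).
# Assumed layout per row: device ID, device token, device name.
SAMPLE = """\
udid-aaaa,token-01,Reader iPad
udid-bbbb,token-02,Test Device One
udid-bbbb,token-03,Test Device One
udid-bbbb,token-04,QA Phone
udid-cccc,token-05,Kitchen iPad
udid-dddd,token-06,Build Box
udid-dddd,token-07,Build Box
udid-bbbb,token-02,Test Device One
"""

def load_records(text):
    """Parse 'udid,token,name' rows, skipping blank or malformed lines."""
    rows = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 3:
            continue
        udid, token, name = (field.strip() for field in row)
        if udid and token:
            rows.append((udid.lower(), token, name))
    return rows

def repeated_devices(rows, min_tokens=2):
    """Rank device IDs by the number of distinct tokens seen with them.

    A device that appears with several different tokens has registered
    several apps, the pattern expected of a developer's test device.
    Exact duplicate rows collapse, so they do not inflate the count.
    """
    tokens, names = defaultdict(set), defaultdict(set)
    for udid, token, name in rows:
        tokens[udid].add(token)
        if name:
            names[udid].add(name)
    ranked = [(udid, len(toks), sorted(names[udid]))
              for udid, toks in tokens.items() if len(toks) >= min_tokens]
    # Most distinct tokens first; device ID as a stable tie-breaker.
    return sorted(ranked, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    for udid, count, device_names in repeated_devices(load_records(SAMPLE)):
        print(f"{udid}  tokens={count}  names={device_names}")
```

The device names attached to the top-ranked IDs are what an analyst would then review by hand, as Schuetz did with names such as “Hutch.”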
