Security Architecture, Endpoint/Device Security, Endpoint/Device Security, Security Strategy, Plan, Budget, Vulnerability Management, Threat Management, Governance, Risk and Compliance, Compliance Management, Privacy, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

App maker says leaked Apple IDs came from its database

BlueToad, a Florida-based digital publishing company and app developer has claimed that the list of more than one million Apple IDs leaked by AntiSec, a hacking group affiliated with Anonymous, came from their company database.

On Monday, NBC News reported the admission from BlueToad's CEO Paul DeHart, who said there was a “100 percent confidence level” that the data was stolen from his company.

Last Sunday, Anonymous claimed that the Apple UDIDs, or unique device identifier numbers, it posted online were stolen from an FBI agent's laptop. The IDs allow Apple and app developers, like BlueToad, to identify or track devices running on the iOS platform.

AntiSec said it had a total of 12 million UDIDs, in addition to Apple Push Notification (APN) Service tokens, and personal information of users, such as addresses, cell phone numbers and more, that it decided not to post online.

Soon after the hackers' claims, the FBI released a statement saying there was no evidence that the IDs were requested or obtained by the agency. Apple also denied to various media outlets that it had given user data to the FBI.

While BlueToad's DeHart confirmed the Apple IDs came from his company, NBC News also reported that “he could not rule out the possibility that the data stolen from his company's servers was shared with others, and eventually made its way onto an FBI computer.” 

DeHart, who is still not aware of who stole the Apple user data, was contacted by David Schuetz, a researcher at New York-based mobile security firm Intrepidus Group, who found that BlueToad was the source of the breach by analyzing clues in IDs posted.

Schuetz has written a detailed blog post on how he tracked down the source of the breach.

“I had identified 19 different devices, each tied to BlueToad in some way,” Schuetz wrote. “One, appearing four times, is twice named ‘Hutch' (their CIO), and twice named ‘Paul's gift to Brad' (Paul being the first name of the CEO, and Brad being their chief creative officer).”

On posting the IDs, Anonymous said that, given the fact that Apple was looking into alternatives to UDIDs, the time was fitting for the leak.

Anonymous posted a message Thursday, which emphasized that the group never said Apple gave the information to the FBI.

“We said it was a really bad decision [to] go ahead on the deployment of [the] UDID concept," the message said. "We hope they address this privacy issue as quick they can."

BlueToad told NBC News that it would leave the task of notifying individual consumers impacted by the leak to its publisher clients.

According to its website, the company provides digital editions and mobile apps for publishers so that readers can view digital publications using Flash or HTML, or via iPad and iPhone Apps.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.