UDID leak source IDed: BlueToad mobile firm says it was hacked

A small mobile publishing company called BlueToad has said that the Apple UDIDs that were leaked last week came from an illegal intrusion into its network — an admission that contradicts AntiSec's claims about the FBI.

(Credit: BlueToad)

BlueToad said in a statement that it was the "victim of a criminal cyber attack, which resulted in the theft of Apple UDIDs from our systems". A UDID is a unique device identifier, which Apple has strongly encouraged developers to move away from for privacy reasons.

The disclosure from BlueToad, which is based in Orlando, Florida, adds more details to the timeline of how the UDIDs were obtained, and where they came from. AntiSec, a group of hackers loosely associated with Anonymous, claimed early last week that it obtained the UDIDs in March 2012 by breaching the security of a Dell notebook used by an FBI supervisor in New York.

The FBI denied the allegations on the following day, saying: "At this time, there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data."

A computer security professional named David Schuetz independently discovered that BlueToad's database was breached by analysing the UDIDs from the dump and learning that the most frequently occurring device IDs were associated with BlueToad. Schuetz contacted the company, which responded last Wednesday and asked him to delay disclosing his findings until Monday.

Schuetz said when doing internet searches, he "stumbled on a partial password dump" for BlueToad that was "dated 14 March, the same week that the hackers claimed they'd hacked into the FBI computer". BlueToad's statement said that the UDID breach happened "a little more than a week ago", making the situation more murky and implying that there may have been multiple breaches.

CNET asked an FBI spokesman for additional information early last week, but never received a response. We've also asked BlueToad to clarify, and will update the article if we hear back from the company.

BlueToad's admission brings to an end a flurry of speculation, especially in the privacy and iOS developer communities, over the last week about what company was the original source of the UDID file. After Apple's quick denial that it was the source, informed speculation turned to what app maker saw its UDIDs leaked. Security consultant Aldo Cortesi was close to the mark, writing on 7 September, "My money is on a third-party service, not a single app."

Paul DeHart, BlueToad's CEO and president, said in a statement on Monday:

We have fixed the vulnerability and are working around the clock to ensure that a security breach doesn't happen again. In doing so, we have engaged an independent and nationally recognised security assurance company to assist in our ongoing efforts.

We sincerely apologise to our partners, clients, publishers, employees and users of our apps. We take information security very seriously and have great respect and appreciation for the public's concern surrounding app and information privacy.

BlueToad calls itself "the leading technology provider in the digital publishing industry". It sells services to publishers that allow them to move content to mobile devices, including converting a magazine PDF into a Flash or HTML file or an iOS app.

Via CNET.com

Add Your Comment


Be the first to comment on this story!

Post comment as

Sponsored Links

Recently Viewed Products