Florida Digital Publisher Says It’s the Source of Apple UDID Leak

The chief executive of a Florida-based digital publisher said Monday he believes his company is the source of a data leak of a million Apple unique device IDs — not the FBI as a hacktivist group claimed.

“A little more than a week ago, BlueToad was the victim of a criminal cyber attack, which resulted in the theft of Apple UDIDs from our systems.  Shortly thereafter, an unknown group posted these UDIDs on the Internet,” Paul DeHart, CEO and president of BlueToad, said in a blog post.

The Antisec arm of the collective Anonymous published the UDIDs of just over 1 million Apple devices; the published data did not contain personal information such as names, cell phone numbers or addresses.

The group claimed on Pastebin that it stole more than 12 million UDIDs from an FBI agent’s compromised laptop last spring. However, the FBI maintained it never held such data and denied Anonymous’s claim it stole the information from one of its agents’ laptops.

DeHart said Monday his company, which provides digital editions of publications to view via iPad and iPhone apps, immediately notified authorities once it discovered it was the likely source of the data breach. It’s since fixed the vulnerability that was exploited and hired an outside security firm to help ensure another heist doesn’t happen.

“BlueToad does not collect, nor have we ever collected, highly sensitive personal information like credit cards, social security numbers or medical information.  The illegally obtained information primarily consisted of Apple device names and UDIDs – information that was reported and stored pursuant to commercial industry development practices,” DeHart wrote.  

“Upon Apple’s recommendation several months ago, we modified our code base to discontinue the practice of reporting UDIDs.  We have now also discontinued storing any UDID information sent to our servers by apps that have not yet been updated to the new code base.”  

DeHart said the company believes there’s little chance of the stolen data being used to harm its application users. “But that certainly doesn’t lessen our resolve to ensure that all data is protected and kept from those who seek to illegally obtain it.”

 
