Simple Theft: No FBI Conspiracy in Apple UDID Hack

First, hackers affiliated with Anonymous claimed they’d gained access to the laptop of an FBI agent, along with a database of more than 12 million Apple unique device identifiers. To prove it, they released a redacted list of some 1 million of them.

Then, the FBI denied the claims, and Apple unambiguously said the UDIDs hadn’t come from them. So, obviously, somebody wasn’t being entirely honest.

Had Apple and the FBI been cooperating in order to secretly monitor digital communications? That tantalizing possibility of Orwellian conspiracy had pundits aflutter.

Duller than Fiction

Unfortunately, in this case the truth is less exciting than fiction. The likely source of the data was a Florida-based firm called BlueToad. The company, which develops digital distribution technologies, claims to have created hundreds of iPhone and iPad apps for its customers, on which it publishes some 2,000 titles per month. That’s a lot of publishing, and would be a good reason for it to have such a big list of UDIDs.

Paul DeHart, the company’s CEO, explained in a blog post:

A little more than a week ago, BlueToad was the victim of a criminal cyber attack, which resulted in the theft of Apple UDIDs from our systems. Shortly thereafter, an unknown group posted these UDIDs on the Internet.

DeHart claims that the attack took place on September 3, when hackers managed to obtain around 1 million UDIDs, a far cry from the claimed 12 million.

BlueToad was notified of a possible breach of its systems by David Schuetz, a security consultant working for Intrepidus Group. In the course of his investigation, Schuetz noticed that a number of UDIDs were listed multiple times, and that a number of the devices appeared to be linked to the company. With names like “Bluetoad iPad,” “Client iPad BT” and “BT iPad WiFi,” BlueToad seemed a logical place to start investigating.

Schuetz wrote:

By the time I went to bed [on Tuesday], I had identified nineteen different devices, each tied to BlueToad in some way. One, appearing four times, is twice named ‘Hutch’ (their CIO), and twice named ‘Paul’s gift to Brad’ (Paul being the first name of the CEO, and Brad being their Chief Creative Officer). I found iPhones and iPads belonging to their CEO, CIO, CCO, a customer service rep, the Director of Digital Services, the lead System Admin, and a Senior Developer.
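
The kind of analysis described above can be sketched in a few lines. This is an added example, not code from the article or from Schuetz's investigation. It groups a leaked list by UDID to find devices listed more than once, then counts name tokens once per device to surface a common owner. The `udid,device_name` layout, the UDID values and the last three device names are constructed for illustration.

```python
import csv
import io
import re
from collections import Counter, defaultdict

# Constructed sample in an assumed "udid,device_name" layout; UDIDs are made up.
SAMPLE = """\
udid,device_name
aaaa0001,Bluetoad iPad
aaaa0001,Bluetoad iPad
aaaa0002,Client iPad BT
aaaa0003,BT iPad WiFi
aaaa0004,Hutch
aaaa0004,Paul's gift to Brad
aaaa0005,Maria's iPhone
aaaa0006,Kevin's iPad
aaaa0007,Bluetoad iPhone 4
"""

# Words that describe the hardware rather than the owner.
GENERIC = {"ipad", "iphone", "ipod", "touch", "wifi", "3g", "4", "s", "the", "to"}

def load(text):
    """Map each UDID to a Counter of the device names it was listed under."""
    names = defaultdict(Counter)
    for row in csv.DictReader(io.StringIO(text)):
        names[row["udid"].strip().lower()][row["device_name"].strip()] += 1
    return names

def repeated_udids(names):
    """UDIDs listed more than once, with every name seen for them."""
    return {u: dict(c) for u, c in names.items() if sum(c.values()) > 1}

def shared_tokens(names, min_devices=2):
    """Non-generic name tokens, counted once per device so duplicate rows don't inflate them."""
    seen = Counter()
    for counter in names.values():
        tokens = set()
        for name in counter:
            tokens |= set(re.findall(r"[a-z0-9]+", name.lower())) - GENERIC
        seen.update(tokens)
    return [(t, n) for t, n in seen.most_common() if n >= min_devices]

if __name__ == "__main__":
    records = load(SAMPLE)
    print(repeated_udids(records))
    print(shared_tokens(records))
```

A token that recurs across many distinct devices is only a lead for further investigation; confirming the source still requires contacting the organization.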

The risk of a similar incident occurring in the future would seem to be minimal. Apple has stopped accepting App Store submissions for apps that access UDIDs and, according to DeHart, BlueToad’s new apps no longer report UDIDs to the company’s servers. He also claims that the company no longer stores UDID information it received from apps that have not been updated.

As far as privacy breaches go, the BlueToad penetration is pretty big. While the hackers don’t seem to have gained access to credit card information, they were able to obtain ZIP codes, cellphone numbers and addresses.
