UDID leak source ID'd: BlueToad mobile firm says it was hacked

A small mobile publishing company called BlueToad says the Apple UDIDs leaked last week came from an illegal intrusion into its network last week, an admission that contradicts AntiSec's claims about the FBI.

Declan McCullagh Former Senior Writer

A small mobile publishing company said today that it was the source of the large number of unique Apple device IDs leaked to the Internet last week.

BlueToad said in a statement that it was the "victim of a criminal cyber attack, which resulted in the theft of Apple UDIDs from our systems." A UDID is a unique device identifier, which Apple has strongly encouraged developers to move away from for privacy reasons.

The disclosure from BlueToad, which is based in Orlando, Fla., adds more details to the timeline of how the UDIDs were obtained and where they came from. A group of hackers loosely associated with Anonymous called AntiSec claimed early last week that it obtained the UDIDs in March 2012 by breaching the security of a Dell notebook used by an FBI supervisor in New York.

The FBI denied the allegations the following day, saying: "At this time there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data."

A computer security professional named David Schuetz independently discovered that BlueToad's database was breached by analyzing the UDIDs from the dump and learning that the most frequently occurring device IDs were associated with BlueToad. Schuetz contacted the company, which responded last Wednesday and asked him to delay disclosing his findings until today.

Schuetz said when doing Internet searches, he "stumbled on a partial password dump" for BlueToad that was "dated March 14, the same week that the hackers claimed they'd hacked into the FBI computer." BlueToad's statement today says the UDID breach happened "a little more than a week ago," making the situation more murky, and implying there may have been multiple breaches.

CNET asked an FBI spokesman for additional information early last week, and never received a response. We've also asked BlueToad to clarify, and will update the article if we hear back from them.

BlueToad's admission brings to an end a flurry of speculation, especially in the privacy and iOS developer communities, over the last week about what company was the original source of the UDID file. After Apple's quick denial that it was the source, informed speculation turned to what app maker saw its UDIDs leaked. Security consultant Aldo Cortesi was close to the mark, writing on September 7 that: "My money is on a third-party service, not a single app."

Paul DeHart, BlueToad's CEO and president, said in a statement today that:

We have fixed the vulnerability and are working around the clock to ensure that a security breach doesn't happen again. In doing so, we have engaged an independent and nationally-recognized security assurance company to assist in our ongoing efforts.

We sincerely apologize to our partners, clients, publishers, employees and users of our apps. We take information security very seriously and have great respect and appreciation for the public's concern surrounding app and information privacy.

BlueToad calls itself "the leading technology provider in the digital publishing industry." It sells services to publishers that allow them to move content to mobile devices, including converting a magazine PDF into a Flash or HTML file or an iOS app.

Last updated at 11:14 a.m. PT