This article was published on September 10, 2012

Apple device IDs leaked by AntiSec came from publishing app company Blue Toad’s stolen database


Apple device IDs leaked by AntiSec came from publishing app company Blue Toad’s stolen database

The data stolen from a computer somewhere and released by Anonymous AntiSec last week came from publishing company Blue Toad, reports NBC News. Blue Toad CEO Paul DeHart contacted NBC to tell them that it had compared the data to the records on its own servers and that they had a “100 percent confidence level” that it was theirs.

The company had been contacted by an outside researcher named David Schuetz with an alert that it could have come from their devices. They then investigated further and found that there was a 98% correlation between the released data and their own:

“That’s 100 percent confidence level, it’s our data,” DeHart said. “As soon as we found out we were involved and victimized, we approached the appropriate law enforcement officials, and we began to take steps to come forward, clear the record and take responsibility for this.”

Apple’s Trudy Muller issued a statement to NBC about the Blue Toad revelation:

As an app developer, BlueToad would have access to a user’s device information such as UDID, device name and type. Developers do not have access to users’ account information, passwords or credit card information, unless a user specifically elects to provide that information to the developer.

Blue Toad is a company that offers several channels that allow publishers to digitally distribute magazines, books and more to various platforms, including apps on the App Store.

The AntiSec group had claimed responsibility for hacking an FBI computer and discovering the UDIDs last week:

During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached

files were downloaded from his Desktop folder one of them with the name of ”NCFTA_iOS_devices_intel.csv” turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. the personal details fields referring to people

The FBI later issued a statement saying that the files did not come from it and that there was ‘no evidence’ that the data had ever even been on one of its computers. Apple followed up by stating that it did not provide the FBI with the data and that it is banning the use of UDIDs in iOS 6 anyway.

Note that the NBC article says things about what you can do with UDIDs that are either not very true or not likely like this: “It could also be used to “push” potentially dangerous applications onto users’ Apple gadgets.”

The fact of the matter is that you can do very little with a UDID alone, and even with some bits of user information, it’s not likely to cause a lot of distress. We’ve built a UDID checker that you can use to see if your device ID was part of this leak (though AntiSec claims to have millions more) but there’s also not a lot you can do about it.

As of now, UDIDs are permanent identifiers that are attached to devices and cannot be reset outside of replacing the device.

Get the TNW newsletter

Get the most important tech news in your inbox each week.

Also tagged with


Published
Back to top