FBI Not Source Of Apple UDID Leak: BlueToad Admits Leak

Digital publishing company BlueToad says data breach resulted in leak of millions of UDIDs

Dark Reading Staff, Dark Reading

September 10, 2012

2 Min Read
Dark Reading logo in a gray background | Dark Reading

Digital publishing company BlueToad says it was the source of a data breach that resulted in the theft of device identification data belonging to millions of Apple users -- not the FBI.

Last week, hackers with a group known as AntiSec claimed to have gained access to an FBI computer and stolen 12 million UDIDs, or unique device identifiers. UDIDs identify a particular iOS device, such as an iPhone or iPod.

According to Paul DeHart, CEO of BlueToad, the company contacted law enforcement once it determined it was the likely source of the leaked information.

"We have fixed the vulnerability and are working around the clock to ensure that a security breach doesn't happen again," he said in a blog post.

The company was notified that it was the possible source by David Schuetz, a security consultant with the Intrepidus Group, who analyzed the roughly 1 million UDIDs that had been posted online and linked them to BlueToad. His investigation is detailed on the Intrepidus Group's blog.

AntiSec's claims that an FBI computer had been hacked were denied last week by the law enforcement agency, which stated that there was no evidence that an FBI laptop was compromised or that the agency had sought or obtained Apple UDIDs. Apple has also publicly denied giving the information to the FBI, and said the agency never requested it.

Apple began rejecting apps that access UDIDs earlier this year after warning app developers in 2011 that it would be phasing out the ability with the introduction of iOS 5. The move followed the eruption of controversy regarding the use of UDIDs by advertisers for tracking purposes.

According to DeHart, BlueToad stored UDIDs "pursuant to commercial industry development practices."

"Upon Apple's recommendation several months ago, we modified our code base to discontinue the practice of reporting UDIDs," he wrote. "We have now also discontinued storing any UDID information sent to our servers by apps that have not yet been updated to the new code base."

"We understand and respect the privacy concerns surrounding the data that was stolen from our system," DeHart added. "BlueToad believes the risk that the stolen data can be used to harm app users is very low. But that certainly doesn't lessen our resolve to ensure that all data is protected and kept from those who seek to illegally obtain it."

As of publication, the BlueToad website appears to have gone down.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights