Red-Faced Blue Toad Says It’s the Source of Leaked Apple UDIDs
So those 12 million unique ID numbers for iOS devices that hacker collective AntiSec claimed to have pilfered from an FBI laptop? The ones the FBI said it never had in the first place? Looks like they came from a far more innocuous source: A small U.S. publishing firm that is now offering its apologies.
Paul DeHart, CEO of Blue Toad, a Florida publishing house, tells NBC that the list of one million Unique Device Identifiers (UDIDs) that AntiSec published earlier this month almost certainly came from its servers. Indeed, a comparison of the UDIDs on the AntiSec list to the UDIDs that BlueToad, a registered iOS app developer, has stored in one of its databases shows an almost 98 percent correlation between the two data sets.
“That’s 100 percent confidence level, it’s our data,” DeHart told NBC. “As soon as we found out we were involved and victimized, we approached the appropriate law enforcement officials, and we began to take steps to come forward, clear the record and take responsibility for this.”
So how did Blue Toad come by such a vast collection of iOS device UDIDs? Well, as I noted earlier, the company is a registered app developer. And while it’s not a household name, Blue Toad provides app-building services for about 6,000 different publishers, and it currently has 139 iPhone apps and 150 iPad apps available on the iTunes App Store. So it’s certainly plausible that Blue Toad might have a sizable collection of UDIDs. Apple confirmed as much in a statement to AllThingsD.
“As an app developer, BlueToad would have access to a user’s device information such as UDID, device name and type,” Apple spokeswoman Trudy Muller said. “Developers do not have access to users’ account information, passwords or credit card information, unless a user specifically elects to provide that information to the developer.”
Muller added that Apple will soon do away with the UDID entirely, which will presumably bring an end to related security cock-ups like this one. “With iOS 6, we introduced a new set of APIs meant to replace the use of the UDID and will soon be banning the use of UDID,” she said.