App maker BlueToad, not the FBI, leaked those UDIDs

As suspected, the real source of the stolen Apple iPhone and iPad IDs was an app maker, not the Feds. Pay no attention to the hackers behind the curtain.

We here at TY4NS are shocked – shocked, we tell you – to report that Antisec did not in fact hack an FBI laptop to get at 12 million Apple unique device ID numbers. (See “We know what UDID last summer.”)

It turns out that the source of the stolen UDIDs (Unique Data Item Descriptors) was in fact app developer BlueToad of Orlando, Florida, and that all that talk about 12 million UDIDs was also a load of hooey. Regular readers will recall that this was the theory I posited as the most likely one when I wrote about this last week – an app developer was much more likely to collect UDIDs and also more likely to be vulnerable than a lone FBI agent, though that makes for a much juicier story.

Security researcher David Schuetz made the connection to BlueToad, which provides tools that allow publishers to migrate their print magazines to the iPhone and iPad, after combing through the 1 million UDIDs posted online by Antisec last week, looking for patterns. After locating 15,000 duplicates, he began looking at the names of the devices and discovered many of them assigned to executives at BlueToad.

He contacted the company, and they fessed up to having been hacked recently. In a blog post, BlueToad CEO Paul DeHart wrote:

“A little more than a week ago, BlueToad was the victim of a criminal cyber attack, which resulted in the theft of Apple UDIDs from our systems.  Shortly thereafter, an unknown group posted these UDIDs on the Internet…. Although we successfully defend against thousands of cyber attacks each day, this determined criminal attack ultimately resulted in a breach to a portion of our systems…. We have fixed the vulnerability and are working around the clock to ensure that a security breach doesn’t happen again.  In doing so, we have engaged an independent and nationally-recognized security assurance company to assist in our ongoing efforts.”

If BlueToad knew it had been hacked and its UDIDs were stolen, why didn’t it fess up last week and clear this up instead of leaving Apple and the Feds hanging? Why did it take somebody else to figure this out on their behalf? Also: “thousands of cyber attacks a day” on an app maker nobody’s ever heard of? Are things really that Bourne Ultimatimish in the world of third-tier app publishers?

Those are some of the things I’d like to know. (My guess is that they didn’t actually know they were the source of the UDID leak until Schuetz brought it to their attention, but that’s just a guess. If I were Schuetz, I’d be expecting at the very least a bug bounty for the find.)

So today GoDaddy went down for several hours and Anonymous immediately took credit for the hack, allegedly punishing GD for a political stance they took on SOPA, what – nine months ago? Sorry, not buying it. My confidence in the accuracy of Anonymous YouTube rants (now removed) has been permanently shattered.

Hey, if you can’t trust semi-literate hacker/pranksters to tell the truth, who can you trust?

Got a question about social media?  TY4NS blogger Dan Tynan may have the answer (and if not, he’ll make something up). Visit his snarky, occasionally NSFW blog  eSarcasm or follow him on Twitter:  @tynanwrites. For the latest IT news, analysis and how-to’s, follow ITworld on  Twitter and Facebook. 

Now read this:

Facebook's 'man in the middle' attack on our data 

Making Facebook private won't protect you

How to keep hackers out of your Google, Facebook, and Twitter accounts

ITWorld DealPost: The best in tech deals and discounts.
Shop Tech Products at Amazon