September 10, 2012, 5:14 PM
We here at TY4NS are shocked – shocked, we tell you – to report that Antisec did not in fact hack an FBI laptop to get at 12 million Apple unique device ID numbers. (See “We know what UDID last summer.”)
It turns out that the source of the stolen UDIDs (Unique Data Item Descriptors) was in fact app developer BlueToad of Orlando, Florida, and that all that talk about 12 million UDIDs was also a load of hooey. Regular readers will recall that this was the theory I posited as the most likely one when I wrote about this last week – an app developer was much more likely to collect UDIDs and also more likely to be vulnerable than a lone FBI agent, though that makes for a much juicier story.
Security researcher David Schuetz made the connection to BlueToad, which provides tools that allow publishers to migrate their print magazines to the iPhone and iPad, after combing through the 1 million UDIDs posted online by Antisec last week, looking for patterns. After locating 15,000 duplicates, he began looking at the names of the devices and discovered many of them assigned to executives at BlueToad.
He contacted the company, and they fessed up to having been hacked recently. In a blog post, BlueToad CEO Paul DeHart wrote:
“A little more than a week ago, BlueToad was the victim of a criminal cyber attack, which resulted in the theft of Apple UDIDs from our systems. Shortly thereafter, an unknown group posted these UDIDs on the Internet…. Although we successfully defend against thousands of cyber attacks each day, this determined criminal attack ultimately resulted in a breach to a portion of our systems…. We have fixed the vulnerability and are working around the clock to ensure that a security breach doesn’t happen again. In doing so, we have engaged an independent and nationally-recognized security assurance company to assist in our ongoing efforts.”
If BlueToad knew it had been hacked and its UDIDs were stolen, why didn’t it fess up last week and clear this up instead of leaving Apple and the Feds hanging? Why did it take somebody else to figure this out on their behalf? Also: “thousands of cyber attacks a day” on an app maker nobody’s ever heard of? Are things really that Bourne Ultimatimish in the world of third-tier app publishers?