Apple device IDs hack traced to app publisher BlueToad


Digital publisher BlueToad revealed it was recently hacked by cyber criminals, resulting in the theft of roughly a million unique Apple (NASDAQ:AAPL) device identifiers leaked to the Internet last week.

"Although we successfully defend against thousands of cyber attacks each day, this determined criminal attack ultimately resulted in a breach to a portion of our systems," said BlueToad CEO and president Paul DeHart. "When we discovered that we were the likely source of the information in question, we immediately reached out to law enforcement to inform them and to cooperate with their ongoing criminal investigation of the parties responsible for the criminal attack and the posting of the stolen information. We have fixed the vulnerability and are working around the clock to ensure that a security breach doesn't happen again."

According to DeHart, BlueToad--which leverages its Page Flip technology to convert PDF content into digital formats including iOS and Android applications--does not collect and has never collected consumer information like credit cards, social security numbers or medical information. "The illegally obtained information primarily consisted of Apple device names and UDID--information that was reported and stored pursuant to commercial industry development practices," he said. "Upon Apple's recommendation several months ago, we modified our code base to discontinue the practice of reporting UDIDs.  We have now also discontinued storing any UDID information sent to our servers by apps that have not yet been updated to the new code base."

Hacker group AntiSec leaked the Apple UDIDs (alphanumeric strings unique to each Apple device) last week, originally claiming the data was obtained in March 2012 by breaching a Dell notebook owned by a Federal Bureau of Investigation supervisor. The FBI denied the allegations, saying: "At this time there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data."

Apple also denied releasing the UDID list to the FBI or any other source. An Apple spokesperson told The Wall Street Journal that the company is aware BlueToad is the source of the leak and said that its new iOS 6 mobile operating system overhaul will eliminate the use of UDIDs, citing concerns over how the data is being used to track users and tie their devices to other personal information. "Developers do not have access to users' account information, passwords or credit card information, unless a user specifically elects to provide that information to the developer," Apple said.

For more:
- read this BlueToad blog entry
- read this Wall Street Journal article

Related articles:
Apple beefs up user privacy controls for iOS 6
Apple's new iOS 6 adds deep Facebook integration, dumps Google Maps
Apple, Google consent to mobile app privacy accord
FTC to Apple, Google: Apps for kids must disclose data privacy practices
Amid privacy uproar, Apple promises to detail app permissions
Path admits mistake, allows users to opt out of contacts database