Apple ID leak traced back to app developer BlueToad, not FBI

Apple ID leak
Looks like the FBI may be off the hook

The two-week old mystery of where AntiSec obtained the 1 million Apple device IDs it leaked to the Internet has been solved and it appears as if the FBI is off the hook. The real source of the unique device IDs, or UDIDs, is a Florida-based app company called BlueToad.

The hacker group claimed to have lifted the unique iOS device identifiers from an FBI laptop. However, the FBI quickly denied even possessing UDIDs, never mind being the target of a hack via a known Java vulnerability.

Still, this sparked conspiracy fears that made it seem as if the FBI was collecting and storing millions of Apple UDIDs for tracking purposes. AntiSec published more than 1 million of these device identifiers and said that it had 12 million more of them from the same FBI source.

When the FBI strongly rebuffed reports of its involvement, AntiSec said: "The fact that the FBI has no 'evidence' of a data breach on one of their notebooks, does not allow the conclusion that it never happened."

BlueToad, now speaking out, backs up the FBI's account, however.

Leak Source: BlueToad

BlueToad CEO Paul DeHart came forward, telling NBC News that his app publishing company's database was the source of the leaked UDIDs. Forensic analysis by the company shows that a breach occurred "in the past two weeks."

"That's 100 percent confidence level, it's our data," DeHart said after running tests that proved a near-perfect match. "As soon as we found out we were involved and victimized, we approached the appropriate law enforcement officials, and we began to take steps to come forward, clear the record and take responsibility for this."

On its website, BlueToad describes itself as a technology provider in the digital publishing industry and has more than 5,000 publisher with more than 10,000 titles. Specific clients were not revealed by DeHart, according to NBC News, but the apologetic CEO did say his business partners do include household names.

We may never know the names of BlueToad's clients. DeHart said that this company won't be informing its app downloaders of the UDID data breach. It's up to the individual clients to inform their readers.

How important are UDIDs?

The only mystery that remains is how important UDIDs are to privacy. DeHart downplayed the potential risk of exposing this information, yet it's enough of a privacy concern that the newest versions of BlueToad's software do not collect this personal information and has been rejecting apps that collect UDIDs since March.

Oddly enough, rallying against UDIDs appears to be AntiSec's objective in all of this. It said in an earlier statement: "We never liked the concept of UDIDs since the beginning indeed. Really bad decision from Apple. Fishy thingie."

Via The Verge , NBC News

Matt Swider