Apple UDIDs leaked by Anonymous came from Florida firm, not FBI

Apple didn't cough up its users' device unique identifier codes to the FBI, nor did the FBI's poor security lead to the codes leaking to the Web. Apparently -- get this -- the hackers lied.
Written by Zack Whittaker, Contributor

A small Florida-based publishing firm told NBC News in an exclusive interview that it was in fact the source of the million-record database of unique Apple device identification numbers that were leaked by hackers associated with Anonymous last week.

The Apple UDID leak affected more than 1 million iPhone and iPad users. Image credit: CNET.

The admission by the publishing company's chief executive, BlueToad's Paul DeHart, contradicts claims made by the hacktivist collective that it stole the codes from the U.S. Federal Bureau of Investigation, and exonerates Apple from claims it gave the device codes to the federal law enforcement unit.

DeHart said there was a "98 percent correlation" between its own database of device codes and the ones leaked by the hackers on September 3.

"That's 100 percent confidence level, it's our data," DeHart told the news agency. 

To recap:

AntiSec hackers, a loose-knit group associated with the wider Anonymous collective, claimed last week that they had pilfered more than 12 million Apple iPhone and iPad device identifiers from an FBI laptop. The group then posted 1 million and one device codes to Pastebin, which is often used by hackers to share exploits and by developers to share code.

iPhone and iPad unique device identifiers (UDIDs) are often used by developers for analytics, but they can also be used to identify users through surveillance and arguably put users' privacy at risk.

The FBI swiftly said there was "no evidence" to suggest the data had been stolen from one of the bureau's computers. Questions remained open as to whether the FBI was telling the whole story, or whether Apple had handed over the data as per a law enforcement request.

Normally-secretive Apple, often quiet in the face of controversy, broke its usual silence and said in a statement to AllThingsD that: "The FBI has not requested this information from Apple, nor have we provided it to the FBI or any organization."

The Cupertino, Calif.-based technology giant also said it would do away with UDIDs in the next-generation iPhone and iPad software and would "soon be banning the use of UDID" by developers.

At that point it was, "he said, she said." Nobody knew where the data had come from. Until now.

DeHart said an outside researcher alerted the publishing firm that the data may have come from BlueToad, an app-building company that provides its services to 6,000 publishers. The company then alerted law enforcement.

He said, "we began to take steps to come forward, clear the record and take responsibility for this," adding that he was "pretty apologetic" to the people who relied on the firm to keep the data secure.

An Apple spokesperson told NBC News that while, "developers do not have access to users' account information, passwords or credit card information, unless a user specifically elects to provide that information to the developer," a company such as BlueToad, "would have access to a user's device information such as UDID, device name and type."

BlueToad said in a public statement that it has "fixed the vulnerability" and is working to ensure that another breach doesn't happen. The firm is working with "an independent and nationally-recognized security assurance company" to assist its efforts.

So there are two things we know: Apple and the FBI are back on the Christmas card lists of the general public, and hackers apparently lie. Who knew? 
