Apple UDIDs were stolen from publishing firm, not FBI

A recent leak of Apple user IDs (UDIDs) stemmed from the hack of a Florida publishing firm, not an FBI laptop.

In a Monday blog post, Paul DeHart, CEO and president of BlueToad, said his company "was the victim of a criminal cyber attack, which resulted in the theft of Apple UDIDs from our systems."

Earlier this month, more than 1 million of those UDIDs were posted online by members of the Anonymous hacker collective. The group claimed they had been obtained from an FBI computer, prompting questions about why the agency was in possession of this data. The FBI, however, released a statement shortly afterwards and said there was "no evidence" that the UDIDs were obtained from an FBI computer.

As first reported by NBC News, Anonymous targeted BlueToad, not the FBI.

BlueToad's DeHart said his systems were hit by a "determined criminal attack" that successfully "resulted in a breach to a portion of our systems."

"When we discovered that we were the likely source of the information in question, we immediately reached out to law enforcement to inform them and to cooperate with their ongoing criminal investigation of the parties responsible for the criminal attack and the posting of the stolen information," he continued.

DeHart said that BlueToad has fixed the vulnerability that allowed hackers to access its database, and has hired a security firm to "ensure that a security breach doesn't happen again."

DeHart said the Apple data "was reported and stored pursuant to commercial industry development practices." Several months ago, however, Apple contacted BlueToad and recommended that it modify its code to stop the practice of reporting UDIDs.

"We have now also discontinued storing any UDID information sent to our servers by apps that have not yet been updated to the new code base," DeHart wrote. "BlueToad believes the risk that the stolen data can be used to harm app users is very low."

BlueToad describes itself as a digital publishing company that provides digital editions and apps to publishers worldwide.

Back in June, there were reports that Apple had found a way to let app developers track their app users without running afoul of privacy protections.