Leaked Apple UDIDs were stolen from digital publishing firm

Digital publishing firm Bluetoad says hackers stole the leaked Apple UDIDs from its servers

The unique identifiers of 1 million Apple iOS devices that hackers leaked last week were stolen from the servers of a Florida-based digital publishing firm called Bluetoad.

Bluetoad develops digital distribution technologies. Its products include custom iOS and Android apps that magazine and newspaper publishers use to distribute their titles to mobile users. The company claims that the hundreds of iPad and iPhone apps it developed for its customers are used to publish more than 2,000 titles in digital format every month.

"A little more than a week ago, BlueToad was the victim of a criminal cyber attack, which resulted in the theft of Apple UDIDs from our systems," Paul DeHart, CEO and president of Bluetoad, said Monday in a blog post. "Shortly thereafter, an unknown group posted these UDIDs on the Internet."

On Sept. 3, a group of hackers claiming to be affiliated with Anonymous and its Antisec hacking campaign released a file containing 1 million Apple unique device identifiers (UDIDs) together with their corresponding Apple Push Notification Service tokens and device names.

The hackers claimed the leaked data was part of a database of more than 12 million UDIDs, which also included zip codes, cellphone numbers and addresses, that they stole from the compromised laptop of an FBI agent.

The FBI dismissed as false the claim that the laptop of one of its agents had been compromised. The agency said it never sought nor obtained the data released by the hackers.

In describing the theft from its servers, BlueToad downplayed the risk to information types other than UDIDs.

"BlueToad does not collect, nor have we ever collected, highly sensitive personal information like credit cards, social security numbers or medical information," DeHart said. "The illegally obtained information primarily consisted of Apple device names and UDIDs -- information that was reported and stored pursuant to commercial industry development practices."

Over the past several years, iOS app developers have used UDIDs to identify and track devices in their systems. Some of them associated UDIDs with other information about device owners and even used these identifiers for user authentication.

Because of the privacy concerns associated with these practices, Apple has started to phase out the use of UDIDs. Since March, the company no longer accepts App Store submissions for apps that access UDIDs.

Bluetoad followed Apple's recommendation, and its new apps no longer report UDIDs back to the company's servers, DeHart said. "We have now also discontinued storing any UDID information sent to our servers by apps that have not yet been updated to the new code base."

Bluetoad discovered the security breach after David Schuetz, a consultant with mobile security assessment firm Intrepidus Group, informed the company that it might be the source for the leaked UDIDs.

Schuetz started suspecting that the leaked data originated from Bluetoad after finding UDIDs that were listed multiple times in the leaked file and appeared to be linked to the company.

The UDIDs corresponded to devices such as "Bluetoad iPad," "Client iPad BT" and "BT iPad WiFi," and were listed multiple times with different Apple Push Notification Service tokens.

This suggested that those devices were running multiple apps from the same developer -- the developer that was probably the source of the leaked data.

After discovering that Bluetoad is a mobile app developer, Schuetz realized that the listed devices might belong to Bluetoad employees who were testing the company's own apps.
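The reasoning described above (one UDID listed several times with different push tokens, plus device names that share a company marker) can be reproduced as a small grouping pass. This is an added example, not Schuetz's code; the CSV column layout, the `GENERIC` word list and every sample value are constructed assumptions.

```python
import csv
import io
import re
from collections import Counter, defaultdict

# Constructed sample records (udid, push token, device name); the column
# layout and every value are assumptions, not data from the leaked file.
SAMPLE = """\
udid,apns_token,device_name
aaaa0001,tok-01,Bluetoad iPad
aaaa0001,tok-02,Bluetoad iPad
aaaa0001,tok-03,Bluetoad iPad
bbbb0002,tok-04,Client iPad BT
bbbb0002,tok-05,Client iPad BT
cccc0003,tok-06,Anna's iPhone
dddd0004,tok-07,BT iPad WiFi
dddd0004,tok-08,BT iPad WiFi
eeee0005,tok-09,Office iPod
eeee0005,tok-09,Office iPod
"""

# Words too common in device names to hint at a source (assumed list).
GENERIC = {"ipad", "iphone", "ipod", "wifi", "client", "s"}

def repeated_devices(text):
    """Return {udid: (distinct_token_count, names)} for UDIDs seen with >1 token."""
    tokens, names = defaultdict(set), defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        udid = row["udid"].strip().lower()
        tokens[udid].add(row["apns_token"].strip())
        names[udid].add(row["device_name"].strip())
    # An exact duplicate row (same token) does not count as a second app.
    return {u: (len(t), names[u]) for u, t in tokens.items() if len(t) > 1}

def name_hints(devices):
    """Count non-generic name words across repeated devices, one vote per device."""
    counts = Counter()
    for _, device_names in devices.values():
        words = set()
        for name in device_names:
            words.update(w for w in re.findall(r"[a-z]+", name.lower())
                         if w not in GENERIC)
        counts.update(words)
    return counts

if __name__ == "__main__":
    devices = repeated_devices(SAMPLE)
    for udid, (n, device_names) in sorted(devices.items()):
        print(udid, n, sorted(device_names))
    print(name_hints(devices).most_common(3))
```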

"By the time I went to bed [on Tuesday], I had identified nineteen different devices, each tied to BlueToad in some way," Schuetz wrote Monday in a blog post. "One, appearing four times, is twice named 'Hutch' (their CIO), and twice named 'Paul's gift to Brad' (Paul being the first name of the CEO, and Brad being their Chief Creative Officer). I found iPhones and iPads belonging to their CEO, CIO, CCO, a customer service rep, the Director of Digital Services, the lead System Admin, and a Senior Developer."

Schuetz informed Bluetoad of his findings on Tuesday. The company asked for some time to investigate and confirmed on Friday that it was the source of the leaked data, Schuetz said. The two parties then agreed to make coordinated public disclosures on Monday.

Bluetoad has notified law enforcement about the security breach and is cooperating with their ongoing criminal investigation of the parties responsible, DeHart said.

The company has fixed the vulnerability exploited by the hackers and engaged an independent security assurance company to help it ensure that such an incident doesn't happen again, he said.

"We understand and respect the privacy concerns surrounding the data that was stolen from our system," DeHart said. "BlueToad believes the risk that the stolen data can be used to harm app users is very low."

While some security researchers agree that the privacy risk associated with the leak of Apple UDIDs is low, some claim otherwise.

Some app developers have undisclosed vulnerabilities in their platforms that could allow attackers to extract more user information based on UDIDs, Aldo Cortesi, a security researcher who investigated the privacy risks of UDIDs in the past, said last week. Cortesi called the leak a "privacy catastrophe."
