BlueToad, a small US digital publisher and iOS app developer has come forward as the source of the million unique device identifiers (UDIDs) that Anonymous claimed was stolen from an FBI agent’s laptop.
“A little more than a week ago, BlueToad was the victim of a criminal cyber-attack, which resulted in the theft of Apple UDIDs from our systems. Shortly thereafter, an unknown group posted these UDIDs on the Internet,” BlueToad CEO and President Paul DeHart said on the company’s blog.
DeHart told <i>NBC News</i> that technicians at the company had downloaded the list of UDIDs released by Anonymous and compared it to its own data. Its analysis found a 98 per cent correlation to the leaked list, all but confirming the list was theirs.
BlueToad cross-checked the UDIDs on the leaked list after David Schuetz, a security researcher from Intrepidus Group, contacted the company and suggested BlueToad could have been the source.
In a Monday blog post Schuetz described identifying BlueToad as the likely source by weeding out frequently repeated UDIDs on the theory that these would belong to a developer.
“They’d naturally test multiple apps for their company, each of which should have a different device token,” wrote Schuetz.
Schuetz had found around 15,000 duplicates amongst the million long list and went on to isolate the “high frequency duplicates”. He found these UDIDs were associated with numerous names, all connected with BlueToad, suggesting that this was the source.
In all Schuetz had identified 19 devices tied to BlueToad, including UDIDs appearing next to the names of key executives of the company, such as the CIO, the CEO and departments within the company. He contacted BlueToad to share his findings.
BlueToad’s DeHart told <i>NBC</i> that his company did not give the UDIDs to the FBI, but that he did not know whether someone else could have given the data to the FBI.
The FBI has previously said there was no evidence the list was taken from its laptops or that it ever had the information.
DeHart said BlueToad did not collect UDIDs anymore, following Apple’s decision to phase out the use of UDIDs.