Anonymous hackers associated with AntiSec made headlines last week after members of the collective extracted and posted at least a million ID numbers associated with various Apple mobile devices.
At the time, Anonymous said it had collected the IDs from the computer of an FBI agent. The agency vehemently denied the incident, leading to an escalating war of words between AntiSec and the federal law enforcement agency.
Interestingly, a Florida-based company based in Orlando known as BlueToad is now claiming that it – rather than the FBI – was the true source of the data breach.
According to the New York Times, BlueToad works with thousands of publishers to translate printed content into digital and mobile formats.
“We decided to come forward to apologize to our customers, partners and the public in general that this got out there. [Remember], we face thousands of attacks every day that we’ve been successful at defending. This one happened to get through,” BlueToad CEO Paul DeHart told the Times in a recent interview.
”The way we understand it, somebody got into our systems, took the information and, to prove themselves, handed it to this other group who exploited it for their own purposes.”
However, DeHart was sure to emphasize that BlueToad had “nowhere near” the 12 million ID numbers that Anonymous claims to have in its possession.
Meanwhile, Apple spokesperson Trudy Muller confirmed Cupertino had already introduced a new system to replace the use of U.D.I.D. and would soon be banning apps that tried to use them.
“As an app developer, BlueToad would have access to a user’s device information, such as U.D.I.D. device name and type,” said Muller, who was also quick to point out that developers don’t have access to more sensitive data like passwords or credit card information “unless a user specifically elects to provide that information.”
Similarly, DeHart said BlueToad reengineered its code to halt the collection of identifiers after Apple discouraged their use last year. The stolen apps supposedly contained only three pieces of information: the identifier, the type of device used and the names that owners gave their devices, like “Paul’s iPad.”
Although a number of security experts said the extracted information posed little risk, New Zealand security researcher Aldo Cortesi managed to find a method for linking the UDIDs with users’ real-world identities – and in some cases of sloppy app development even taking over their gaming, Twitter, or Facebook accounts using only the UDID.