Hacker collective Anonymous may not have been truthful about the source of the Apple device identifiers it posted on the web last week. (Shocking, right?) The group claimed the 1 million unique device identifiers (UDIDs) tied to Apple iPhones, iPads and iPods it made public were taken from an FBI agent’s computer, but the FBI denied that outright. On Monday, a Florida company that works with mobile content said it was the source of the UDIDs, according to both NBC News and the New York Times.
The company is called BlueToad, and it builds mobile apps for 6,000 publishers to display their content on mobile devices like Apple’s iOS devices. CEO Paul DeHart said his company compared the file released by the hackers and found a 98 percent match to UDIDs in its own databases, according to NBC’s report. The group published 1 million device IDs, but claimed to have stolen 12 million from the FBI.
DeHart also told the NYT that the 12 million number isn’t correct, and that the theft didn’t occur in March, another claim:
‘We decided to come forward to apologize to our customers, partners and the public in general that this got out there,’ Mr. DeHart said in an interview. ‘We face thousands of attacks every day that we’ve been successful at defending. This one happened to get through.’
Mr. DeHart said his company had contacted law enforcement, as well as Apple, to alert them to the breach and had hired an outside security firm to patch its systems. He said BlueToad had ‘nowhere near’ the 12 million identification numbers that the hackers claimed to have stolen.
Anonymous last week said that part of its aim in posting the UDIDs, besides to illustrate that the FBI might be tracking Americans’ cell phones, was to demonstrate that Apple’s use of the identifiers tied to specific devices, even while anonymized, was a dangerous idea. But even while it appears the group was lying, the point reminded us of the possible privacy invasion resulting from advertisers, app makers, Apple and possibly other organizations having a number that, with a bit of additional information, can reveal the identity of a device’s owner.
Apple denied handing over the UDIDs to law enforcement, but also noted that it intends to do away with the use of UDIDs in favor of a new solution in its next major mobile software update, which should be sometime in the next few weeks.