App publisher takes blame for massive Apple ID hack

Apple says it never provided ID numbers of iPhones and iPads to the FBI or any other organization.

Story highlights

  • A digital publishing company says it, not the FBI, was the victim of a hack attack
  • The hack last week resulted in the posting online of 1 million Apple user IDs
  • Blue Toad says it's hired a security firm to help ward off attacks
A small digital publishing company said Monday it was the victim of a hack attack that resulted in the posting online of more than 1 million Apple user IDs last week. Hackers had originally claimed to have swiped the IDs from an FBI computer.
BlueToad CEO Paul DeHart told CNN his company was investigating a breach last week at the same time hackers with AntiSec, one of several offshoots associated with the activist group Anonymous, posted the information online.
In a post, AntiSec claimed it had hacked into an FBI agent's laptop, procuring more than 12 million IDs, along with other information such as users' names, cell phone numbers and billing addresses.
The FBI immediately denied any improper access to one of its computers. Apple said last week that it never provided identification numbers of iPhones and iPads to the FBI or any other organization.
DeHart said after several BlueToad identifiers came up in the data that hackers posted online, the company determined that it was the source of the hack.
"Once we realized we were responsible, it was the right thing to do to come forward," DeHart said. "We felt it was important for people to understand that there might be a more legitimate source for that information getting out."
The company immediately contacted Apple and the FBI and hired a security consulting firm to help ward off attacks.
The Apple user IDs, otherwise called Unique Device Identifiers (UDIDs), are relatively innocuous on their own. But if they are combined with other bits of information and are linked with agencies with lower security thresholds, they can possibly be a gateway to more significant data losses.
DeHart said because of the breach, BlueToad has stopped using UDIDs completely. "We still have other apps that haven't been updated but with the urgency of all this, we have discontinued the use of those."
"We don't store any other information that would rise to any other sensitive level, no Social Security numbers or any sort of medical information."
Just under 2 million UDIDs were hacked -- not 12 million, as AntiSec claimed, DeHart said.
In a blog post Monday, he said, "BlueToad believes the risk that the stolen data can be used to harm app users is very low. But that certainly doesn't lessen our resolve to ensure that all data is protected and kept from those who seek to illegally obtain it."
BlueToad's website was sporadically unavailable Monday afternoon.
BlueToad, a privately owned firm based in Orlando, Florida, has 30 employees and works with 5,000 to 6,000 publishers to repurpose their content on various devices.
Although DeHart declined to name BlueToad's publishing clients, the company's work is seen on 100 million page views monthly, he said.
"I would like to think this wouldn't happen again, but with thousands of attacks (daily), this is an evolving, continuing process," he said.