The list of more than a million unique device identifiers (UDIDs) that hacktivist collective #Antisec said it had stolen from the Federal Bureau of Investigation may have originated from publishing company BlueToad Inc., researcher David Schuetz found over the weekend. Following the FBI's initial denial of #Antisec's claims and Schuetz's research, BlueToad on Monday announced it believed its systems were the ones compromised. It is still unclear who compromised BlueToad's system, and where #Antisec actually obtained the list.
"I’m still not completely clear on all the technical details," Schuetz wrote in his research blog. "Was BlueToad really the source of the breach? How did the data get to the FBI (if it really did at all)? Or is it possible this is just a secondary breach, not even related to the UDID leak, and it was just a coincidence that I noticed? Finally, why haven’t I noticed any of their applications in the (very few) lists of apps I’ve received?"
NBC News asked BlueToad's CEO Paul DeHart if there was any reason somebody else would have stolen the list and given it to the FBI. DeHart said he had no idea.
#Antisec said it had obtained a list of more than 12 million UDIDs, but released only the million-and-one as a first taste. DeHart said it was "standard Apple protocol" to collect UDIDs from app downloaders, but the company said it had "far fewer" than 12 million UDIDs in its database.
Furthermore, the company said it is no longer participating in the practice since Apple began phasing out their use of UDIDs one year ago.
So it is entirely possible that #Antisec simply compromised the small-time Florida publishing company and called it an FBI security breach to appear more fearsome than it actually is. To prove otherwise, the group would have to show some more of its cards and release a further list of UDIDs.