The unique identifiers of 1 million Apple iOS devices that hackers leaked last week were stolen from the servers of a Florida-based digital publishing firm called BlueToad.
BlueToad develops digital distribution technologies. Its products include custom iOS and Android apps that magazine and newspaper publishers use to distribute their titles to mobile users. The company claims that the hundreds of iPad and iPhone apps it developed for its customers are used to publish more than 2,000 titles in digital format every month.
"A little more than a week ago, BlueToad was the victim of a criminal cyber attack, which resulted in the theft of Apple UDIDs from our systems," Paul DeHart, CEO and president of BlueToad, said Monday in a blog post. "Shortly thereafter, an unknown group posted these UDIDs on the Internet."
On Sept. 3, a group of hackers claiming to be affiliated with Anonymous and its Antisec hacking campaign released a file containing 1 million Apple unique device identifiers (UDIDs) together with their corresponding Apple Push Notification Service tokens and device names.
The hackers claimed the leaked data was part of a database of more than 12 million UDIDs, which also included zip codes, cellphone numbers and addresses, that they stole from the compromised laptop of an FBI agent.
The FBI dismissed as false the claim that the laptop of one of its agents had been compromised. The agency said it never sought nor obtained the data released by the hackers.
In describing the theft from its servers, BlueToad downplayed the risk to information types other than UDIDs.
"BlueToad does not collect, nor have we ever collected, highly sensitive personal information like credit cards, social security numbers or medical information," DeHart said. "The illegally obtained information primarily consisted of Apple device names and UDIDs -- information that was reported and stored pursuant to commercial industry development practices."
Over the past several years, iOS app developers have used UDIDs to identify and track devices in their systems. Some of them associated UDIDs with other information about device owners and even used these identifiers for user authentication.
Because of the privacy concerns associated with these practices, Apple has started to phase out the use of UDIDs. Since March, the company no longer accepts App Store submissions for apps that access UDIDs.
BlueToad followed Apple's recommendation, and its new apps no longer report UDIDs back to the company's servers, DeHart said. "We have now also discontinued storing any UDID information sent to our servers by apps that have not yet been updated to the new code base."
BlueToad discovered the security breach after David Schuetz, a consultant with mobile security assessment firm Intrepidus Group, informed the company that it might be the source for the leaked UDIDs.