The hacking group Anonymous lied when it claimed to have hacked into an FBI agent’s laptop and extracted a file with millions of personal details about Apple users.
The file in fact came from a web publisher called Blue Toad, whose chief executive Paul DeHart said on Monday that the unique device IDs – UDIDs – in the file that was put online match those in a database that the firm has collected from its customers.
DeHart said that the file was copied from the company following a “criminal cyber attack” just over a week ago. That, he said, “resulted in the theft of Apple UDIDs from our systems. Shortly thereafter, an unknown group posted these UDIDs on the internet.”
Blue Toad describes itself as “a Digital Publishing company providing Digital Editions and Apps to publishers worldwide. We utilize Page Flip technology to convert a PDF into an online viewable format.” That matches some of the details in the leaked file, which the Guardian has seen; they include names of people living in France and Europe as well as the US. There would be no reason for the FBI to have details of people living outside the US.
Anonymous had claimed that it had hacked an FBI agent’s laptop using a vulnerability in the Java programming language and copied a file called NFCTA_iOS_devices_intel.csv which contained 12.36m UDIDs, as well as names, phone numbers, and other identifying details.
But it released a file which contained 999,936 entries, and only had the device UDIDs, a string known as a “push token” used to send content to the device, the name given to the device itself (such as “Aaliyah’s iPad”) and the kind of device – either iPhone or iPad.
Unusually, the FBI rebutted the claim within hours, saying on Twitter that the claim was “totally false”. Normally, the agency ignores claims made by hacking crews alleging leaks of information. Apple also later said that the file had not come from it.
Suspicion initially fell on an app called AllClear ID, used to protect personal details and which has connections with the NFCTA, but the company refuted the claim by pointing out that it does not collect UDIDs.
The hack against Blue Toad, while serious, would not have revealed any personal details. The UDID for a device does not identify its user directly. Nor would the “push tokens” in the database be usable to identify a device.
DeHart said in the blog post: “We sincerely apologize to our partners, clients, publishers, employees and users of our apps. We take information security very seriously and have great respect and appreciation for the public’s concern surrounding app and information privacy.”
He added that no other details had been taken besides those shown: “BlueToad does not collect, nor have we ever collected, highly sensitive personal information like credit cards, social security numbers or medical information. The illegally obtained information primarily consisted of Apple device names and UDIDs – information that was reported and stored pursuant to commercial industry development practices.”
Apple is phasing out the UDID in the next version of its iPhone and iPad operating system iOS, which is expected to be released later in September with the next version of its iPhone. That is expected to be unveiled on Wednesday.