App development company Blue Toad has come forward as the likely source of Apple unique device IDs (UDIDs) leaked by hackers last week. In an interview with NBC News, Blue Toad's CEO Paul DeHart says that the company checked the million UDIDs that AntiSec posted against its own database, comparing IDs and other metadata like device names. The correlation was strong enough for a "100 percent confidence level," he says. "It's our data." DeHart declined to specify how the data was taken, citing an ongoing investigation, but he did say it had likely happened in the past two weeks. AntiSec's version of events, by contrast, has the UDIDs taken from an FBI agent's laptop back in March.
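The cross-check DeHart describes, matching the posted identifiers and device names against the company's own records, is a routine provenance test for a leaked dump. The following is an added illustration, not Blue Toad's code or the matching rule it actually applied; the record layout, the hashed comparison and all sample rows are assumptions. It matches on the identifier alone and on identifier plus device name, and hashes the identifiers so that a researcher holding the dump and a vendor holding the database could compare lists without exchanging raw UDIDs.

```python
# Added example: reconcile a leaked (UDID, device name) dump against an
# internal record store to estimate whether the dump came from that store.
# Illustrative only; the matching rule and sample records are assumptions.
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    udid: str         # 40-hex device identifier as the dump presents it
    device_name: str  # free-text name the user gave the device


def fingerprint(udid: str) -> str:
    """Hash a normalized UDID so two parties can compare lists without
    handing each other the raw identifiers."""
    return hashlib.sha256(udid.strip().lower().encode()).hexdigest()


def reconcile(leaked: list[Record], internal: list[Record]) -> dict:
    """Count leaked rows that match an internal row on the identifier alone
    and on identifier plus device name, and report the combined ratio."""
    by_fp = {fingerprint(r.udid): r for r in internal}
    id_matches = full_matches = 0
    for row in leaked:
        rec = by_fp.get(fingerprint(row.udid))
        if rec is None:
            continue
        id_matches += 1
        if rec.device_name.strip().casefold() == row.device_name.strip().casefold():
            full_matches += 1
    total = len(leaked)
    return {
        "total": total,
        "id_matches": id_matches,
        "full_matches": full_matches,
        # Identifier-only hits can be coincidental when the same device shows
        # up in several vendors' data, so the identifier-plus-name share is
        # the figure worth reporting.
        "full_match_ratio": full_matches / total if total else 0.0,
    }


def fake_udid(n: int) -> str:
    """Constructed 40-hex identifier for the sample data; not a real UDID."""
    return f"{n:040x}"


# Constructed sample data: four leaked rows, three of which share an
# identifier with the internal store and two of which also share the name.
INTERNAL = [
    Record(fake_udid(1), "Alice's iPhone"),
    Record(fake_udid(2), "Bob's iPad"),
    Record(fake_udid(3), "Newsroom iPad"),
    Record(fake_udid(9), "Unrelated device"),
]
LEAKED = [
    Record(fake_udid(1).upper(), "alice's iphone"),  # same device, different case
    Record(fake_udid(2), "Bob's iPad"),
    Record(fake_udid(3), "Carol's iPad"),            # renamed since it was stored
    Record(fake_udid(4), "Someone else's iPhone"),   # not in the internal store
]

if __name__ == "__main__":
    print(reconcile(LEAKED, INTERNAL))
```

On the constructed rows the identifier-only match rate is 3 of 4 while the identifier-plus-name rate is 2 of 4; a vendor checking a dump against its own database would want the second figure, since device names are the part an unrelated data set is unlikely to reproduce.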
Blue Toad has publicly confirmed NBC's report, and DeHart's admission fits with previous statements by Apple and the FBI, denying both that the FBI had access to a UDID library and that Apple had provided it with any information. DeHart, meanwhile, says the company is "pretty apologetic" and that he "had no idea the impact this would ultimately cause." He says that the company stopped collecting UDIDs when Apple suggested it earlier this year, and that it has now stopped storing IDs collected by apps that haven't yet been updated by users. As we mentioned earlier, some of the claims around UDIDs — that, for instance, they can be used to secretly install applications — have been overstated. And if the data indeed came directly from Blue Toad, it would lay to rest the most troubling implication of the leak: that the FBI was collecting device information from millions of Americans.
"I had no idea the impact this would ultimately cause."
Nonetheless, it's not at all clear that Blue Toad was aware of the theft at the time it happened, and it's downplayed the security issues involved. According to NBC, an independent security researcher realized that several devices on AntiSec's list bore names associated with Blue Toad, then contacted the company. Now, Blue Toad says it will not be telling users about the leak directly; it will leave that up to the publishers to which it licenses its services. "I would hate to suggest that [users] need to go out and begin clearing off their device or removing or deleting apps," says DeHart, "just because of the concern that this."
It's still theoretically possible that the data was taken from Blue Toad, posted somewhere else, and then accessed by AntiSec. But in all likelihood, the FBI connection was just a way to get more attention for the story. At this point, what this incident shows is that when mobile apps collect data like UDIDs or address book information, it's not simply an abstract privacy issue. Even if a company is able to "successfully defend against thousands of cyber attacks each day," as Blue Toad claims it does, it's no guarantee that some of the data won't show up online.