Advertisement

SKIP ADVERTISEMENT

Company Says It, Not F.B.I., Was Hacking Victim

A company in Orlando, Fla., said on Monday that it — not the F.B.I. — was the source of a file hackers posted online last week that contained a million identification numbers for Apple mobile devices.

The company, BlueToad, which works with thousands of publishers to translate printed content into digital and mobile formats, said hackers had breached its systems more than a week ago and stolen the file.

A few days after the file appeared online, the company realized that its contents matched the stolen information, said Paul DeHart, BlueToad’s chief executive.

That version of events differs sharply from that put forth by the hackers last week. They claimed to have stolen the file from the laptop of an F.B.I. agent — and they said it was proof that the F.B.I. was tracking people through their iPhones, iPads and iPod Touches. They posted one million identification numbers but claimed to have 11 million more in their possession, along with personal information about the owners of the devices.

A spokesman for the F.B.I. denied last week that the file had been taken from one of its agent’s computers, and an Apple spokeswoman said it had never given any such information to the F.B.I.

Mr. DeHart said in an interview that BlueToad was voluntarily disclosing the theft. “We decided to come forward to apologize to our customers, partners and the public in general that this got out there,” he said. “We face thousands of attacks every day that we’ve been successful at defending. This one happened to get through.”

A security researcher first tipped the company off last week to the fact that hackers might have posted its data, Mr. DeHart said. David Schuetz, a researcher at the Intrepidus Group, a New York-based mobile security firm, mined the data in the hackers’ file for clues to its origin. He noted that several of the identification numbers were linked to device names that referenced Blue-
Toad.

After Mr. Schuetz contacted BlueToad, the company verified the data breach and alerted law enforcement and Apple.

Image
Paul DeHart, BlueToad’s chief, said the company was voluntarily disclosing the theft.Credit...BlueToad

Apple’s unique device identifiers — known as U.D.I.D.’s — are 40-character strings that are tied to a particular device. The company began discouraging app makers from using U.D.I.D.’s last year because developers and advertisers were taking advantage of them to track users as they moved from app to app, compiling a profile of user behavior that could be sold or used for ad targeting.

Trudy Muller, an Apple spokeswoman, said Apple recently introduced a system to replace the use of the U.D.I.D. and would soon be banning apps that tried to exploit them.

“As an app developer BlueToad would have access to a user’s device information, such as U.D.I.D. device name and type,” she said. Ms. Muller noted that developers would not have access to more confidential information like passwords or credit card information, “unless a user specifically elects to provide that information to a developer.”

Mr. DeHart said BlueToad collected U.D.I.D. information to keep count of how many people used its services, but stopped collecting it after Apple discouraged its use last year. He said the stolen file contained identifiers collected by older BlueToad mobile apps, and that BlueToad had “nowhere near” the 12 million identification numbers that hackers claimed to have stolen.

Security researchers debate how much harm can be done using someone’s U.D.I.D. Most say the release of identifiers and device names poses little risk. They said that without more information about device owners — like their e-mail addresses or date of birth — it would be hard for someone to use the data to do harm.

But some researchers disagree with that assessment. Aldo Cortesi, a New Zealand security researcher, has called U.D.I.D.’s a “privacy catastrophe.” Last year, he demonstrated how, in some cases, U.D.I.D.’s could be used to find a person’s identity, determine their location and even hijack their Facebook profile.

Mr. DeHart said in an interview his company thought the data release posed little danger. “We’re aware of the differing opinions out there,” he said. “We have never associated these numbers with other account information and never used them for authentication purposes. We think the overall risk is very low.”

Mr. DeHart said law enforcement officials were still investigating the attack, but suspected that the hackers responsible were different from the hackers who claimed credit for the attack online. “The way we understand it, somebody got into our systems, took the information and, to prove themselves, handed it to this other group who exploited it for their own purposes,” he said.

Peter Donald, an F.B.I. spokesman, declined to comment on BlueToad’s announcement.

AntiSec, the hacking group that said it had taken the file from the F.B.I., is a subset of the loose hacking collective known as Anonymous. The group has frequently gone after the F.B.I. But the frequency of such attacks tapered off in March after several members of Anonymous, and a spinoff group, were arrested.

Messages sent Monday to the Twitter accounts of hackers who had claimed credit for the attack went unanswered.

Nick Bilton contributed reporting.

A version of this article appears in print on  , Section B, Page 2 of the New York edition with the headline: Florida Firm Says It, Not F.B.I., Was Hacking Victim. Order Reprints | Today’s Paper | Subscribe

Advertisement

SKIP ADVERTISEMENT