A small Florida company has come forward as the source of the 1 million Apple device IDs that were leaked last week by an Anonymous-affiliated hacktivist group. [Hackers leak 1 million Apple device IDs from FBI laptop]
"That's 100 percent confidence level, it's our data," Paul DeHart, chief executive officer of Orlando-based BlueToad Inc., told NBC News.
DeHart told NBC News' Kerry Sanders and Bob Sullivan that his company had found a 98 percent correlation between the leaked data and BlueToad's own database of Apple universal device identifiers (UDIDs).
"As soon as we found out we were involved and victimized, we approached the appropriate law-enforcement officials, and we began to take steps to come forward, clear the record and take responsibility for this,” DeHart told NBC News.
David Schuetz, a consultant in the Northern Virginia office of New York-based mobile-security company Intrepidus Group, approached BlueToad last Wednesday (Sept. 5) with evidence that their database was the source of the UDID data dump. Schuetz posted a detailed account of his methods on his company blog.
On Sept. 3, a message in the name of the Anonymous spinoff group Anti-Sec was posted on the online bulletin board Pastebin. It gave instructions for downloading and decrypting a cache of 1,000,001 Apple UDIDs, which the message said had been stolen in March from the laptop of an FBI agent.
DeHart told NBC News that he had no idea whether the data had indeed turned up on an FBI computer, but said that it had been stolen from BlueToad "in the past two weeks." Schuetz, however, mentioned in his blog posting that he'd found online a password-data dump for BlueToad dating from March 14.
Last week, the FBI denied any knowledge of a data breach, and Apple denied it had provided any UDIDs to the FBI.
"I had no idea the impact this would ultimately cause," DeHart told NBC News. "We're pretty apologetic to the people who relied on us to keep this information secure."
BlueToad makes smartphone apps for publishers of traditional printed media, such as newspapers, magazines, brochures and catalogs. It would not name its clients for NBC News.
Apple UDIDs are burned into each iPhone, iPad and iPod Touch. Transmitted over the Internet, they identify specific gadgets to Apple and to iOS app developers.
By themselves, UDIDs should not present any security risk to the owners of the affected devices. But New Zealand-based security researcher Aldo Cortesi last year showed that developers who don't follow Apple's guidelines sometimes post personal user information alongside UDIDs online, allowing third parties to link one set of data to the other.
Apple has cracked down on misuse of UDIDs by developers and will be phasing out their use by apps in iOS 6, its next version of its mobile operating system, due this fall.
Related on SecurityNewsDaily: