Not too long ago, hacker Anonymous claimed to have stolen over 12 million UDID's from a hacked FBI laptop. While the FBI and Apple denied the claims, no one was sure where the data actually came from. Blue Toad, a small publishing company in Florida, has stepped forward saying the data was most likely stolen from them.
Paul DeHart, CEO of Blue Toad publishing company, has come forward and stated that they believe the data was actually stolen from them about 2 weeks ago which does not match up with Anonymous stating that the data was stolen back in March.
After they ran the data through their own list of customer UDID's and information, there was a 98% correlation between their data and the leaked data.
"That's 100 percent confidence level, it's our data," DeHart said. "As soon as we found out we were involved and victimized, we approached the appropriate law enforcement officials, and we began to take steps to come forward, clear the record and take responsibility for this.”
An outside researcher, David Schuetz, approached Blue Toad and DeHart after he had found that around 19 of the device UDID's leaked actually belonged to Blue Toad themselves, some of them appearing to be shared among employees. Among the data leaks, the name that a person had given to their iPhone, iPad, or iPod touch would also be given.
Schuetz said that after pouring over the information, he found numerous devices within the data which had names that included the phrase Blue Toad or variations of that, such as “Blue Toad support.” Some of the gadgets’ names also suggested they belonged to various departments within Blue Toad and were shared among multiple employees.
“What I was seeing was that there were-- of the million devices that were in there -- there were a few devices that showed up multiple times with themes that were related to Blue Toad,” he said. “By the time I was done, late Tuesday night, I think I had 19 devices that … all belonged to Blue Toad.,” he said. He contacted the company soon after.
DeHart has said that Blue Toad won't be individually contacting users that were affected but instead leaving it up to individual content providers and publishers to contact individuals if they see a need for it.