Last week AntiSec claimed that it hacked into an FBI agent's laptop and obtained over 12 million Apple UDIDs. The FBI followed up by claiming that it didn't have the supposed information -- Apple confirmed the FBI's excuse, reporting that it never released the information to the government. Now a small Florida publishing company has stepped forward claiming itself as the source of the leak.
In an exclusive report by NBC News, BlueToad CEO Paul DeHart admitted that his own technicians downloaded the data released by AntiSec – a list of 1 million UDIDs – and compared it to the company's own database. The analysis found a 98-percent correlation between the two datasets.
"That's 100-percent confidence level, it's our data," DeHart told NBC News. "As soon as we found out we were involved and victimized, we approached the appropriate law enforcement officials, and we began to take steps to come forward, clear the record and take responsibility for this."
According to DeHart, BlueToad provides private-label digital edition and app-building services to 6,000 different publishers, and serves up 100 million page views each month. DeHart wouldn't reveal just who those business partners are, but said many of his clients are household names. As of this writing, the BlueToad website is actually down.
DeHard said that his company downloaded the leaked AntiSec data after an outside researcher named David Schuetz speculated that the data originated from the publisher's database. Without revealing additional details, DeHard admitted that the company's forensic analysis showed that the data had actually been obtained over the past two weeks.
"I had no idea the impact this would ultimately cause,” DeHart continued. “We're pretty apologetic to the people who relied on us to keep this information secure."
The question now is: who took the data? It's possible that the data was yanked from one of the company's servers and shared with others, eventually landing on the FBI agent's laptop. Now there are doubts that the data was even pulled from an agent's laptop as the FBI stated, or that the information was obtained back in March.
"Timing-wise, (their) story doesn't make sense," he said.
Apple spokeswoman Trudy Mullter told NBC News on Monday that as an app developer, BlueToad would definitely have access to a user's device information such as UDID, device name and type. But what they don't have is access to the user's account information, passwords or credit card information unless the information is willingly offered by the device owner.
The researcher who figured out that the data belonged to BlueToad, David Schuetz, told NBC News that he figured out the source based on clues within the data. "I spent most of Tuesday evening obsessing over this," said Schuetz, adding that numerous devices listed within the data included the phrase BlueToad or variations of the name. Some of the listed gadgets even suggested that they were owned by BlueToad employees.
"By the time I was done, late Tuesday night, I think I had 19 devices that … all belonged to BlueToad," he said.
