A Florida company said on Monday that its files – not an FBI agent’s laptop – were hacked by a renegade group that released Apple product identification data it claimed to have obtained through a breach of the nation’s top law enforcement agency.
“We want to apologize, announce what happened and set the record straight,” said Paul DeHart, chief executive officer of software company BlueToad Inc, told Reuters.
FBI spokesman Paul Bresson confirmed to Reuters that “it certainly does appear that BlueToad was where the information was actually compromised.”
BlueToad hosts more than 5,000 worldwide publications including consumer magazines and business documents, and creates apps for its clients. DeHart said the company experiences about 1,000 unsuccessful break-in attempts a day.
DeHart said his company realized it had been hacked soon after the group “AntiSec,” an affiliate of Anonymous, posted a file on the Internet with the identification numbers for what it claimed were 12 million Apple devices on September 3.
Anonymous is one of several loosely affiliated hacking groups that take credit for breaking into government security agencies and major corporations worldwide.
“A third party reached out to us who was examining the list that was on the Internet and said, ‘Hey, we see some connections to you guys,'” DeHart said.
He said his company is cooperating fully with the FBI. For security reasons, he declined to provide details of how they confirmed the data file came from his company.
“We haven’t tied it to a person at least as of yet … but we were able to figure out essentially what happened, tied to a lot of things and we’ve passed that information on (to the FBI),” DeHart said.
He said fewer than 2 million device IDs were obtained by the hackers rather than the 12 million the group claimed. He said his company, which does not collect private information such as Social Security numbers or credit card information, plugged the hole in its security system and has hired a national security firm to perform a complete security analysis.
“The attack that we got was pretty sophisticated, pretty determined,” he said.
DeHart said his company hosts time-embargoed and time-sensitive content that could make it a target of hackers. He also speculated that whoever posted the data on the Internet might have been acting out of a grudge against a hosted publisher, or might be trying to establish their bona fides among the well-known hacking groups.
The Apple ID numbers, called unique device identifiers or UDIDs, are a sequence of letters and numbers assigned to Apple products, such as iPhones or iPads. Many Web-based mobile applications and gaming networks use UDIDs to identify users.
Marc Maiffret, chief technology officer of security firm BeyondTrust, said the data dump itself, while serious, would not prove to be very damaging to consumer privacy, and would not allow hackers to break into peoples’ iPhones.