Digital publisher BlueToad claims to be unwitting source of leaked Apple UDIDs

lulzsec hacker identities apparently outed by rival group computer hackingThe story of the Apple Unique Device Identifiers, or UDID codes, leaked by hacking group Anonymous last week, has taken another turn. This time, rather than blanket denials, someone has owned up to being the unwitting source of the codes themselves. And it’s not the FBI.

NBC reports that the database of one million UDID codes came from BlueToad, a digital publishing company based in Orlando, Florida, that has a library of nearly 150 apps — primarily niche print magazines converted over for digital use — for both the iPhone and the iPad inside the iTunes App Store.

BlueToad’s attention was drawn to the missing UDID’s by security researcher David Schuetz, who documents his sterling work uncovering the source of the leak in a blog post.

He contacted BlueToad and told them of his suspicions, and the company launched an investigation, resulting in a 98-percent correlation between BlueToad’s database and that of the leaked UDIDs.

BlueToad’s CEO, Paul DeHart said “that’s 100-percent confidence level, it’s our data.”

Subsequently, DeHart published a statement on the company’s blog, saying that “a little more than a week ago, BlueToad was the victim of a criminal cyber attack, which resulted in the theft of Apple UDIDs from our systems. Shortly thereafter, an unknown group posted these UDIDs on the Internet.”

BlueToad is now working with law enforcement agencies in the ongoing investigation into the leak. To help put its business partners and the public’s minds at ease, it says it has fixed the vulnerability that allowed the UDIDs to be stolen, and has stopped storing them inside its database. BlueToad had already followed Apple’s directive to cease reporting UDIDs from its apps.

Case closed?

It would certainly seem so, as both the FBI and Apple have stated the leak didn’t come from them, and BlueToad seems convinced it’s the source. Taken at face value this way, the story now reads that hackers affiliated with Anonymous and working under the Operation AntiSec name, stole UDIDs from BlueToad’s computers, then published them saying they came from a larger file obtained from an FBI Agent’s laptop.

Agent Christopher Stangl was implicated due to his involvement with operations against Anonymous and LulzSec, as proven by his presence during a conference call that Anonymous claimed to have eavesdropped back in March.

After all, the easiest and most logical explanation is most likely true.

However, those who don’t like to connect the dots in this way will undoubtably have alternative theories. For example, the FBI could be working with BlueToad (although we can’t imagine for what reason), or the company is taking the fall — it is after all, completely innocuous — at their behest.

Even David Schuetz isn’t convinced this is the end of the story, and questions whether BlueToad is the original source, or a secondary leak.

A member of Anonymous, seemingly unfazed by the recent developments, took to Twitter to say simply “FBI-notebook – There is still no evidence. Stay tuned.”

For now at least, we’d say the file on this one needs to remain open, but on hold.