Although Antisec claimed that they Jason Bourne-d a laptop last week in order to leak 1 million UDIDs and device names, the truth is far more mundane and yet far more interesting.
As we learned yesterday, the hacked data came from an app publisher called BlueToad. The company had recently suffered a digital break-in that exposed their customer list.
How BlueToad was implicated is the real story here, however. On the day of the leak, a programmer, David Schuetz, was checking out the data and began to sort it for duplicates. After a bit of futzing, he found some interesting entries. Some device IDs appeared multiple times.
10 d1f575954
10 aa5c7aedb
8 12e6ec97e
7 f661c1396
7 4225e2a59
6 91a83b0e3
6 480074431
Correlating those the device names, he found some interesting data. Assuming this was a corporate leak, most of the devices would be related to the source. They were:
‘Bluetoad iPad’
‘Client iPad BT’
‘Client iPad BT’
‘CSR/Marketing iPad’
‘CSR/Marketing iPad’
‘Jessica Aslanian’s iPad’
This meant that one device was in the database multiple times for multiple apps, suggesting that these were corporate devices for testing. As he dug further, he decided that BlueToad was the source and he quietly contacted the company.
Luckily, the CEO was more than willing to discuss the leak and reacted quickly:
What did we learn from this? First, if it sounds too cool to be true, (an FBI agent’s laptop leaked 12 million Apple UDIDs supplied by Apple itself in an effort to track us all!) it probably is, and that all it takes is a dedicated programmer with a command line to get to the bottom of some of the biggest hacks ever perpetrated by bored high school students.