An Orlando, Fla., company said on Monday that it — not the F.B.I. — was the source of a file hackers posted online last week that contained a million identification numbers for Apple mobile devices.
The company, BlueToad, which works with thousands of publishers to translate printed content into digital and mobile formats, said hackers had breached its systems more than a week ago and stolen the file. A few days after the file appeared online, the company realized it matched the stolen information, said Paul DeHart, BlueToad’s chief executive.
That version of events differs sharply from that put forth by the hackers last week. They claimed to have stolen the file from the laptop of an F.B.I. agent — and they said it was proof that the F.B.I. was tracking people through their iPhones, iPads and iPod Touches. They posted one million identification numbers but claimed to have 11 million more in their possession.
A spokesman for the F.B.I. denied last week that the file had been taken from one of its agents’ computers, and an Apple spokeswoman said it had never given any such information to the F.B.I.
“We decided to come forward to apologize to our customers, partners and the public in general that this got out there,” Mr. DeHart said in an interview. “We face thousands of attacks every day that we’ve been successful at defending. This one happened to get through.”
Mr. DeHart said his company had contacted law enforcement, as well as Apple, to alert them to the breach and had hired an outside security firm to patch its systems. He said BlueToad had “nowhere near” the 12 million identification numbers that the hackers claimed to have stolen.
Apple’s unique device identifiers — known as U.D.I.D.’s — are 40-character strings that are tied to a particular device. Apple started to discourage app makers from using U.D.I.D.’s last year after learning that developers and advertisers could use them to track users as they moved from app to app, compiling a profile of user behavior that could be sold or used for ad targeting.
Trudy Muller, an Apple spokeswoman, said Apple recently introduced a new system to replace the use of the U.D.I.D. and would soon be banning apps that tried to use them. “As an app developer, BlueToad would have access to a user’s device information, such as U.D.I.D., device name and type,” she said. Ms. Muller noted that developers would not have access to more sensitive information like passwords or credit card information, “unless a user specifically elects to provide that information to a developer.”
Mr. DeHart said BlueToad collected U.D.I.D. information to keep count of how many people used its services, but reengineered its code to stop collecting identifiers after Apple discouraged their use last year. He said the stolen file contained identifiers collected by older BlueToad mobile apps. That file, he said, contained only three pieces of information: the identifier, the type of device used and the names that owners gave their devices, like “Paul’s iPad.”
Security experts said the release of that information posed little risk. They said that without more information about device owners — like their e-mail addresses or date of birth — it would be hard for someone to use the data to do harm.
Mr. DeHart said law enforcement officials were still investigating the attack, but suspected that the hackers who conducted the attack were different from the ones who claimed credit for it online. “The way we understand it, somebody got into our systems, took the information and, to prove themselves, handed it to this other group who exploited it for their own purposes,” he said.
AntiSec, the hacking group that said it had taken the file from the F.B.I., is a subset of the loose hacking collective known as Anonymous. The group has frequently aimed at the F.B.I. Last February, hackers intercepted a call between law enforcement agents at the bureau and Scotland Yard. But the frequency of such attacks tapered off in March after several members of Anonymous and a spinoff group, LulzSec, were arrested with the help of another hacker turned F.B.I. informant.
Peter Donald, an F.B.I. spokesman, declined to comment on BlueToad’s announcement.