A small Florida online publishing company named Blue Toad has inserted itself into last week’s Anonymous/AntiSec-FBI story about an iOS data leak — making an already murky story even murkier. And while everyone likes a good crime story, this latest twist just underscores how affected users are the ones left holding the bag.

If you’re just catching up to this story: Last week, AntiSec, an offshoot of the well-known Anonymous “hacktivist” group, publicly released information on 1 million Apple device users. In their statement, they claimed it was a subset of information from 12,367,232 Apple iOS devices obtained in a file named “NCFTA_iOS_devices_intel.csv.” They went on to claim that they got this file through an attack using a Java vulnerability against an FBI Supervisor Special Agent carried out in March 2012. They claimed the information they obtained contained “[Apple iOS] Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc.”

However, they said, in the subset of information that they published, they stripped out personal data such as “full names, cell numbers, addresses, zipcodes,” leaving only enough for people to be able to identify their device if present.

With this information out there, third parties started to speculate on the validity of the claims and what they might mean if valid. The “NCFTA” in the alleged file name was quickly associated with the National Cyber-Forensics & Training Alliance, a public/private alliance focused on helping to coordinate and share knowledge and information around cyber crime threats. The FBI denied categorically that they ever had the data or that they had been attacked. Apple too broke their usual playbook of not commenting on security to say that “The FBI has not requested this information from Apple, nor have we provided it to the FBI or any organization.”

But denials are to be expected in situations like this, so the rumor and speculation mill has been running rampant on the idea that this might be evidence of domestic surveillance being carried out by the FBI.

It’s not uncommon for AntiSec/Anonymous to make big claims, and for government agencies to deny them — leaving the rest of us to guess whom to believe or not. And that would be the end of this story except for what happened this weekend.

Kerry Sanders and Bob Sullivan over at the Redtape Chronicles at NBC News obtained an exclusive interview with Paul DeHart, the CEO of Blue Toad Publishing, who came forward to claim that the data released most likely came from their systems.

DeHart tells NBC News that they first became aware that they could be the source when an outside security consultant named David Schuetz came to them saying his analysis suggested that the data came from them (you can read Schuetz’s analysis here). DeHart goes on to say that they launched an investigation suggesting that the data had been taken “in the past two weeks” but wouldn’t say any more due to the ongoing investigation.

A third party coming forward proactively to dispute the claimed source of a data leak, and to claim the leak as its own, is certainly a new twist: I can’t recall the last time I saw this. In claiming the data was taken from their systems, Blue Toad is indirectly refuting AntiSec’s claims and implying AntiSec fabricated the FBI and the NCFTA angle entirely.

While this has made the question of where the data came from even murkier than before (or than is usual in these Anonymous-related cases), it has also left the question of “who had my information in the first place?” no clearer for affected users.

Blue Toad is a company few have heard of. They note that they are “a Digital Publishing company providing Digital Editions and Mobile Apps to publishers worldwide.” Basically, they provide third-party platform support to other publishers. You’re not a Blue Toad customer, you’re a customer of their customer (their site notes they are “[t]rusted by over 30 resellers, 5,000 publishers, and 10,000 titles.”). Assuming the Blue Toad claims are accurate and they lost the data, from the standpoint of those affected by this data breach this is a situation similar to the Epsilon data breach in April 2011. Here, like there, you have people who are affected by a data breach at a company they likely have never heard of. And based on DeHart’s comments, like with Epsilon, Blue Toad has no intention of notifying those affected directly, leaving it instead to the publishers (its customers) to handle.

This leaves iOS users in the unenviable position of not knowing whether they’re affected or to what degree. There are sites that let you try to look up your UDID to see if you’re affected, but one should always be wary of handing a device identifier to a third-party site. And as Gizmodo notes, just because your UDID doesn’t come up doesn’t mean that your data isn’t out there: AntiSec claimed 12 million records and Blue Toad hasn’t disputed that particular piece of information (at least not yet).

While the AntiSec-FBI/NCFTA angle makes for good fuel for conspiracy theories and the information from Blue Toad can play into that, the most important story here is that, yet again, we have a data breach where affected users are left to fend for themselves, and all of us are left to wonder if we’re in that pool of affected users.

Christopher Budd is a freelance writer and independent consultant in the areas of online security and privacy, social media, incident response and crisis communications. A ten-year veteran of the Microsoft Security Response Center (MSRC), he combines his prior career as an engineer with his communications expertise to help bridge the gap between the technical and communications realms. Follow him on Twitter.

Comments

  • guest

    Weird when a company coming forward and doing the right thing is cause for even more speculation.

    • http://www.christopherbudd.com Christopher Budd

      I agree, but that’s what happens when you put Anonymous/AntiSec in the mix. Things get weird!

  • Marc

    This article is the best commentary on this event that I’ve read. Dozens of tech publications are taking Blue Toad at its word, plus I haven’t seen a single journalist ask “what was Blue Toad doing with millions of Apple UDIDs?”

    • http://www.christopherbudd.com Christopher Budd

      Thanks so much for the kind words. Much appreciated. I was mainly moved to write because I’m concerned that, taking Blue Toad at their word, the AntiSec/FBI angle obscures the very real data breach story buried in here.

      And I think it’s poor handling to leave the users in the lurch. The right thing to do is if you lost the data, you lead the notification. Maybe in conjunction with your customers but still you lead.

    • guest

      Maybe that’s because they can’t figure out a reason Blue Toad would want to come forward and associate their name with a data breach and have no evidence to prove some tinfoil hat theory of collusion with the Feds, so instead don’t openly speculate about it? And if you haven’t found the answer to why they had the UDIDs, you didn’t look very hard: they’re a developer with nearly 300 iPhone and iPad apps.

  • Guest

    Blue Toad produces apps for magazine publishers. If big names (and I’m making these up) like Time or the Wall Street Journal use Blue Toad’s hosted services, it’s plausible that their databases could contain between 1 and 12 million rows of Apple UDIDs and tokens.

    The other case to consider is, what if all parties are telling the truth? Here’s one scenario where that could be the case: hacker X steals this data from Blue Toad. Hacker X is being investigated or caught by the FBI, and this file becomes evidence (what it’s doing on an FBI agent’s laptop is a serious question, but let’s set it aside). The FBI may not have even known where Hacker X got the file or can’t tell Blue Toad because they’re after bigger fish. Antisec hacks it from the FBI agent’s (personal?) computer and leaks it publicly.

    • http://www.christopherbudd.com Christopher Budd

      You know, that is a really fascinating angle that I hadn’t thought of.

      All the more so since people are generally inclined to disbelieve all the parties involved for various reasons.

  • marc

    That is an interesting angle. Even if true, the bigger story is that this many UDIDs are floating around. I’m no security expert, just a Geekwire reader. The premise behind this story is that it is a bad thing for millions of UDIDs to be available to hackers. If Blue Toad has them, then who else has them or can get them? Can they be legally traded or sold? Are they traded or sold? That is the story.

    Whether the FBI may or may not have them is separate. If the UDIDs can be traded or sold then we have to assume the domestic spy agencies have them, in the same fashion that they routinely buy phone call data from the carriers. The founders of our country would (and did) rebel at that – but it is a separate story.

    • http://www.christopherbudd.com Christopher Budd

      It’s not just the UDIDs per se, it’s those plus the additional data. AntiSec claimed they had 12 million records with “[Apple iOS] Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc.”

      Regardless of where they got the data, this comes back to my point about why Blue Toad coming forward doesn’t actually make life any better for folks. All they’ve said is that the data came from them. They haven’t given any clarity about what was stolen or how much (since AntiSec claims the data they posted is a subset of what they’re holding).

      If we look past the AntiSec/FBI claim as a distraction, what we have is a data breach with not a lot of information being given to those whose data has been lost. And that’s a problem in my opinion.

  • Joe Deasy

    I don’t find anything mysterious about data leaks from Apple mobile devices. What is mysterious is why people are so willing to install 3rd party apps without knowing who made those apps, what data they collect, where they store that data, and what they plan to do with it.
