BreachExchange mailing list archives
BlueToad, Inc. responsible for Apple UDID Theft
From: security curmudgeon <jericho () attrition org>
Date: Mon, 10 Sep 2012 11:55:23 -0500 (CDT)
http://blog.bluetoad.com/2012/09/10/statement-from-bluetoad-regarding-the-cyber-attack-suffered-in-the-recent-case-of-stolen-apple-udids/ Statement from BlueToad regarding the cyber attack suffered in the recent case of stolen Apple UDIDs Posted on September 10, 2012 by BlueToad Inc. Written by Paul DeHart, CEO and President A little more than a week ago, BlueToad was the victim of a criminal cyber attack, which resulted in the theft of Apple UDIDs from our systems. Shortly thereafter, an unknown group posted these UDIDs on the Internet. At BlueToad, we understand the importance of protecting the safety and security of information contained on our systems. Although we successfully defend against thousands of cyber attacks each day, this determined criminal attack ultimately resulted in a breach to a portion of our systems. When we discovered that we were the likely source of the information in question, we immediately reached out to law enforcement to inform them and to cooperate with their ongoing criminal investigation of the parties responsible for the criminal attack and the posting of the stolen information. We have fixed the vulnerability and are working around the clock to ensure that a security breach doesn't happen again. In doing so, we have engaged an independent and nationally-recognized security assurance company to assist in our ongoing efforts. We sincerely apologize to our partners, clients, publishers, employees and users of our apps. We take information security very seriously and have great respect and appreciation for the public.s concern surrounding app and information privacy. BlueToad does not collect, nor have we ever collected, highly sensitive personal information like credit cards, social security numbers or medical information. The illegally obtained information primarily consisted of Apple device names and UDIDs - information that was reported and stored pursuant to commercial industry development practices. Upon Apple's recommendation several months ago, we modified our code base to discontinue the practice of reporting UDIDs. We have now also discontinued storing any UDID information sent to our servers by apps that have not yet been updated to the new code base. We understand and respect the privacy concerns surrounding the data that was stolen from our system. BlueToad believes the risk that the stolen data can be used to harm app users is very low. But that certainly doesn't lessen our resolve to ensure that all data is protected and kept from those who seek to illegally obtain it. We will continue to monitor this situation and cooperate with law enforcement in the investigation of the parties responsible for this crime. _______________________________________________ Dataloss Mailing List (dataloss () datalossdb org) Archived at http://seclists.org/dataloss/ Unsubscribe at http://datalossdb.org/mailing_list Supporters: Risk Based Security (http://www.riskbasedsecurity.com/) Risk Based Security equips organizations with security intelligence, risk management services and on-demand security solutions to establish customized risk-based programs to address information security and compliance challenges. Tenable Network Security (http://www.tenable.com/) Tenable Network Security provides a suite of solutions which unify real-time vulnerability, event and compliance monitoring into a single, role-based, interface for administrators, auditors and risk managers to evaluate, communicate and report needed information for effective decision making and systems management.
Current thread:
- BlueToad, Inc. responsible for Apple UDID Theft security curmudgeon (Sep 11)