|A man looks at his Apple iPad in front an Apple logo outside an Apple store in downtown Shanghai in this March 16, 2012 file photo. REUTERS/Aly Song/Files
A small U.S. tech company said the million Apple IDs released by hackers last week came from its servers, not an FBI laptop as the culprits claimed.
Last week, AntiSec, a group associated with the notorious hacker collective Anonymous, claimed to have found more than 12 million Apple Unique Device Identifiers (UDID) on an FBI laptop, listed alongside user names, device names, phone numbers, addresses and notification tokens.
UDIDs are unique 40-character codes assigned to all Apple devices with cellular connectivity. They're basically serial numbers. All iPhones and iPads have them, and they can never be changed.
While they can be used to track a person's location, social media and app usage, most security experts agree you could not use them to hack a person's phone or install malicious software.
In releasing a million of the IDs online, AntSec posted a scathing statement about the FBI using the data to spy on people.
But the FBI said it never had the UDIDs, and Apple said it never gave any such data to the FBI.
That's because it actually came from the tech firm Blue Toad, its CEO Paul DeHart told NBC News. The company scanned the AntiSec data and compared it to their own and found a 98% correlation.
"That's 100% confidence level, it's our data," DeHart said. "As soon as we found out we were involved and victimized, we approached the appropriate law enforcement officials and we began to take steps to come forward, clear the record and take responsibility for this."
Blue Toad estimates someone stole the data within the last few weeks. Whether it could have ended up on an FBI laptop after it was stolen is not clear.
Apple said the theory the hackers took it from Blue Toad makes much more sense than the claim they found it on an FBI laptop.
"As an app developer, BlueToad would have access to a user's device information such as UDID, device name and type," Apple spokeswoman Trudy Mullter told NBC News on Monday. "Developers do not have access to users' account information, passwords or credit card information, unless a user specifically elects to provide that information to the developer."