CEO: Hackers stole company’s data, not FBI’s

The unique ID numbers for more than a million Apple devices like iPhones and iPads, posted online last week, were taken from a software company in Florida, not from the FBI, as the hackers who stole them had claimed.

“We do believe someone intentionally targeted our system and took the information,” the company’s boss, Paul DeHart, told NBC News on Monday.

“This is a big deal for us as a company, our credibility is on the line,” said Mr. DeHart, CEO of the Blue Toad publishing company, which helps build many applications, or applications, used by Apple customers on their portable devices.

The ID numbers could be used to impersonate the devices, and allow hackers to access personal information about their owners from the applications they have installed and even break into social media or e-mail accounts, according to privacy researcher Aldo Cortesi.

Mr. Cortesi called the breach a “privacy catastrophe.”

The hackers, who used the name AntiSec, short for “Anti-Security,” said the ID numbers they published came from a trove of more than 12 million IDs and other personal information about the phones’ users that they claimed to have stolen from an FBI laptop in March.

AntiSec is thought to be a splinter group from the leaderless hacker-activist collective known as Anonymous.

The FBI last week denied ever having the data. Pressure on the hackers to provide proof grew after a reporter for the online news outlet Gawker posed in a tutu with a shoe on his head. AntiSec supporters had demanded he do so before they would release any more evidence about the hack.

The hackers’ silence was a damaging blow to their credibility, according to many observers.

“If they truly got control of this FBI agent’s laptop … they should be able to provide more proof,” said Alex Horan, product manager at Boston-based CORE Security Technologies.

The breach underscores the increasing role of mobile Web applications and other third-party software that are designed neither by the phone service provider nor the device manufacturer.

Tens of thousands of applications have been developed for use by mobile devices like smart phones and tablets, many by small, independent developers who may lack the resources or technical know-how to guard their customers’ data.

Blue Toad, the company that says it was the source of the stolen data, provided technical services to application developers, said Ira Victor, a computer forensic specialist with Data Clone Labs.

“It was under-the-hood stuff,” he said of the company’s work, adding that Blue Toad was collecting users’ data on behalf of application developers.

“The user thinks they are giving their data to the [application], but there is this whole chain in the background — more and more companies with access to this kind of data, and the users don’t know all the places that their data ends up,” Mr. Victor said. “People are not giving informed consent to all the places their personal data goes.”