A substantial number of applications collect both the phone’s UDID and some form of user login data which ties to a stored user account. These applications, such as Amazon, Facebook or Twitter, inherently have the ability to tie a UDID to a real-world identity. This ability, combined with the demonstrated widespread collection of UDID usage data, illustrates the ease of real-time user tracking…. Privacy and security advocates, personal iPhone owners, and corporate iPhone administrators should be concerned that it would be feasible -- and technically, quite simple -- for their browsing patterns, app usage, and physical location collected and sold to unintended customers such as advertisers, spouses, divorce lawyers, debt collectors, or industrial spies.
In other words, a UDID becomes a kind of super cookie that can never be deleted and is for all practical purposes invisible to users. Apple eventually saw the light last year and began forbidding app makers from accessing UDIDs on iDevices, but not before millions of unique IDs were hoovered up by app makers and their advertising partners.
So it seems clear that the original source of these UDIDs is an app maker. A subsequent tweet from one of the Twitter accounts controlled by Anonymous seems to spell this out:
People whose UDID was on the list released by AntiSec might want to compare their installed apps. A common culprit might be found.
What can a hacker (or a federal agent) do with your UDID by itself? Not much. Combine it with other bits of information about you, though, and it becomes a tool for social engineering. Whoever has this information knows you own an iPhone or an iPad, which makes you more affluent than the average Jane or Joe. They may have your cell phone or email address, allowing them to target you specifically for scams or send you links to malware or phishing sites. Someone with just a little information and malicious intent can do an awful lot of damage if they choose to.
But that isn’t the real crime here. The real crime was Apple’s unique ID scheme, which made something like this possible.