September 04, 2012, 12:55 PM — A group of hackers released a file containing unique identification data for over 1 million Apple iOS devices and claim that the information is part of a larger database stolen from the compromised laptop of an FBI agent.
"During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability in Java," the hackers, who claimed affiliation to Anonymous and its Operation Antisec campaign, said Monday in a statement published on Pastebin.
"During the shell session some files were downloaded from his Desktop folder," the hackers said. "One of them with the name of 'NCFTA_iOS_devices_intel.csv' turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc."
As proof, the hackers released a stripped-down version of that file that only contained 1 million UDIDs, with associated Apple Push Notification Service tokens and device names. The other personal data that accompanied many of the UDIDs was intentionally removed, the hackers said.
The FBI declined to comment on the alleged security breach.
However, the leaked UDIDs -- random-looking codes made up of letters and numbers that are unique to every iOS device -- appear to be authentic.
"I have confirmed three of my devices in the leaked data," Peter Kruse, an electronic crime specialist at Denmark-based security firm CSIS Security Group, said Tuesday on Twitter.
A check of a random sample of UDIDs using the publicly accessible API (application programming interface) of OpenFeint, a social networking platform for iOS games, revealed that many of them correspond to devices whose owners have OpenFeint player profiles.
According to security researcher Aldo Cortesi, the founder of New Zealand-based security consultancy firm Nullcube, the leak of UDIDs can have serious privacy implications.
In the past, Cortesi investigated how UDIDs were being used by app developers and what information was being associated with them.
In May 2011, he reported that, when supplied with an UDID, the OpenFeint's API returned GPS coordinates and information that could reveal the user's Facebook profile.
In September 2011, he reported that other popular iOS gaming platforms had similar data leak issues. In one case, a platform's API even allowed attackers to take over a user's Facebook and Twitter account by knowing only their iOS device's UDID.