The AntiSec hacking group claims to have released a set of more than 1 million Apple Unique Device Identifiers (UDIDs) obtained from breaching the FBI. The group claims to have over 12 million IDs, as well as personal information such as user names, device names, notification tokens, cell phone numbers and addresses.
(Updated with link below to check whether your device’s UDID was leaked)
The hackers issued a statement with the following description on how the data was obtained:
During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of ”NCFTA_iOS_devices_intel.csv” turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. the personal details fields referring to people appears many times empty leaving the whole list incompleted on many parts. no other file on the same folder makes mention about this list or its purpose.
They published the UDID numbers to call attention to suspicions that the FBI used the information to track citizens. Much of the personal data has been trimmed, however, with the hackers claiming to have left enough for “a significant amount of users” to search for their devices.
If AntiSec’s account of the breach is accurate, the NCFTA acronym in the filename would likely refer to the National Cyber-Forensics & Training Alliance, a non-profit corporation of experts from both the private and public sector that investigates cyber-crimes.
TNW has contacted the FBI for comment. Meanwhile, AntiSec says it will not provide further statements or interviews until a mysterious request is fulfilled – to have a photo of a Gawker staff writer dressed in a tutu featured on the company’s homepage.
Update: The TNW tech team has built a tool to let you check whether your device was included in the list.
September 4, 2012