A hacker group has claimed to have obtained personal data from 12 million Apple iPhone and iPad users by breaching an FBI computer, raising concerns about government tracking.
The group called AntiSec, linked to the hacking collective known as Anonymous, posted one million Apple user identifiers claimed to be part of a larger group of 12 million, purportedly obtained from an FBI laptop.
Contacted by AFP, FBI spokeswoman Jenny Shearer said: “We’re not commenting.”
Peter Kruse, an ecrime specialist with CSIS Security Group in Denmark, said on Twitter that the leak “is real” and that he confirmed three of his own devices in the leaked data.
“Also notice that they claim to have fullname, addresses, phone numbers etc… Big ouch!” he tweeted.
Eric Hemmendinger, a security expert with Tata Communications, said the report raises concerns about the protectors of cybersecurity.
“The question is not whether it’s accurate, it is why did the feds have the information and why did they not take due care to secure it,” he told AFP.
Hemmendinger said that based on past reports from Anonymous and related groups, he believes the report is probably true.
“If you work in cybersecurity and your machine gets hacked, that’s a pretty embarrassing scenario,” he said.
Apple did not immediately respond to a request for comment.
Social media and news blogs were aflutter with the news. The tech blog Geekosystem called it “one of the worst privacy disasters yet” and various Twitter comments said the news suggested the FBI is tracking Apple users.
One website set up a database to help users determine if their device was on the hacked list of Apple unique device IDs (UDIDs).
“Quite why the FBI was collecting the UDIDs and personal information of millions of iPhone and iPad users is not yet clear — but it’s obvious that the data (and the computer it was apparently stored on) was not adequately secured,” said Graham Cluley of the British security firm Sophos.
“My suspicion is that the hackers were more interested in embarrassing the FBI’s team than endangering innocent users. All the same, hacking into computers is a criminal act — and I would anticipate that the FBI and other law enforcement agencies will be keen to hunt down those responsible.”
Others expressed concern about the apparent leak.
“Since UDIDs are unique to each iPhone and iPad, having yours end up in the wrong hands is a concern,” said Josh Ong on the technology blog The Next Web.
“The bigger issue, however, is that they were tied to additional personal information, including user names, device names, notification tokens, cell phone numbers and addresses, that could potentially lead to identity theft.”
Johannes Ullrich of the SANS Internet Storm Center said it was difficult to verify the report.
“There is nothing else in the file that would implicate the FBI. So this data may very well come from another source. But it is not clear who would have a file like this,” he told AFP.
Ullrich said it is unclear why the FBI, if the report were true, would have the data.
“The size of the file… would imply a widespread, not a targeted tracking operation, or the file was just kept in case any of the users in the file needs to be tracked,” he said.
“The significance of this breach very much hinges on the source, which as far as I know, hasn’t been authenticated yet. The data is, however, real based on some of the reports that people do find their own UDID in the file.”