September 4, 2012
A hacktivist group associated with Anonymous claims it has lifted over 12 million Apple Unique Device Identifiers (UDIDs) from an FBI computer and released 1 million of them as an archive. The leaked data includes names, phone numbers and addresses.
“During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java,” boasts the hacking group.
AntiSec’s archive lists 100,000,001 profiles including user names, devices, cell phone numbers and addresses. The data was originally taken from Apple iOS devices, namely iPhones, iPads and iPods.
Anonymous and Co. enjoy interfering with the US Federal Investigative Bureau; several arrests in their ranks have only boosted the hacktivists’ efforts to that end. The group has even been reported to have eavesdropped on the FBI’s anti-Anonymous meeting.
The group says its aim is to draw users’ attention to the possibility that the FBI might be breaking into computers to track them. By exposing hundreds of personal IDs, AntiSec says it seeks to make a wider and lingering impression.
“We have learnt it seems quite clear nobody pays attention if you just come and say ‘Hey, FBI is using your device details and info’,” the group posted.
Web discussions following the leak immediately took on a degree of astonishment mingled with anger.
“What’s the FBI doing with over 12 million iPhone user details? Mass tracking & surveillance? Are there no more limits?” Kim Dotcom, a co-founder of the Megaupload resource, told his Twitter followers.
Not all of the stolen data was exposed, though. In the message describing the results of the original lift, AntiSec provides a much longer list of personal details.
“During the shell session some files were downloaded from [Stangl’s] Desktop folder; one of them with the name of ‘NCFTA_iOS_devices_intel.csv’ turned to be a list of 12,367,232 Apple iOS devices, including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zip codes, cell phone numbers, addresses, etc.”
On the other hand, experts point out that the stolen data would be valuable to spammers and “phishers”. The exposed users may fall victim to a targeted campaign and receive fraudulent links in emails designed to look as if they come from Apple. Public profiles and even credit card details may get stolen as a result.