12 Million Apple Unique Device Identifiers Exposed After FBI Laptop Compromise
More than 12 million Apple accounts, along with UDIDs, cell number, addresses, and notification tokens have been snatched from under FBI’s nose following an epic laptop breach through a Java exploit.
A hacker group, apparently affiliated with Anonymous, dumped one million records on the web in multiple locations after removing sensitive information such as user’s full name, address or cell phone number. According to the early note posted on Pastebin, the cyber-criminal group got the data straight from the compromised computer of an FBI agent.
“During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java,” reads the pastie. “[…] during the shell session some files were downloaded from his Desktop folder (,) one of them with the name of “NCFTA_iOS_devices_intel.csv” turned to be a list of 12,367,232 Apple iOS devices”.
Unique Device Identifiers, or UDIDs, are numbers that identify Apple devices and link them to application installations. They are used by third-party developers to track installations across the Apple customer base. It is unknown why the FBI maintained a list of Apple customers or how they got possession of the data, but the attackers believe the information on file was being used in a federal Apple customer tracking project.
Note: Controversy on how iOS apps handle user privacy broke out when Bitdefender’s Clueful was pulled from Apple’s App store. Launched again as a web service, Clueful provides detailed information on what data might be accessed and broadcasted to remote servers, without users’ knowledge. UDIDs along with location tracking data or the unsecure handling of user credentials are only a few security issues analyzed by the web app.