The hactivist group AntiSec, associated with Anonymous, released a list of one million Apple Unique Device Identifiers (UDIDs) while claiming that it came from a file containing the personal information of 12 million Apple device owners which they hacked from a laptop belonging to an FBI agent. While the one million UDIDs appear to be real, there is not yet evidence to support that other records and compromised data were also obtained or that the data was obtained from the FBI.
According the AntiSec hackers, in March they hacked into a laptop that belonged to an FBI agent from the Regional Cyber Action Team in New York and obtained a file containing records for over 12 million Apple iOS devices including the Unique Device Identifier (UDID) and other associated information such as full names, zip codes, mobile numbers, addresses, type of device and other data. To prove they possessed such a data set the hactivists posted 1 million UDIDs from the stolen data set online, but did not include any other personal information allegedly in the original data set they obtained. The posting of 1 million Apple unique device identifiers is not a major security concern by itself as the unique ID is not identifiable or useful without other accompanying information. But the alleged FBI data set it came from contained name, address and other information associated with the UDID that would put the data breach victims at risk of identity fraud if the full data set is sold or released.
Whether or not the Apple user data really belonged to the FBI may take some time to unfold. The hacker group named a specific FBI agent to whom the hacked laptop belonged, but this person may have been targeted because their name was on an internal FBI email that Anonymous intercepted in early 2012. The hactivists claimed that they released the subset of the hacked data so everyone would know that the FBI may be tracking their devices, but at this point it is uncertain where the data came from or how it was put together. But because only certain data is associated with each Apple UDID, such as a name and phone number or a phone number and email address but not the full name, it seems like data could have been aggregated from multiple sources. Aggregating this data could have been done by the hackers themselves or, as they claim, by the FBI.
For more information: