In reports circulating today, hackers claim to have breached an FBI special agent’s laptop and siphoned data from it. The hackers allege that on the computer they found a database file containing identity information about more than 12 million Apple mobile devices and their users.
But wait. The FBI issued a statement saying it had “no evidence” of the breach or that any such data were sought or obtained by the agency. When I asked a hacker affiliated with AntiSec, the hacking collective claiming responsibility, I was told “there will be no direct comments about the acquisition.”
The origin of the leak now seems sketchy. However, its contents appear to be genuine. Denmark-based security researcher Peter Kruse says he has identified his own iPhone and two iPads stored within the trove.
Among the information stored on the database, the hackers say, is a long list of UDID codes—unique numbers that identify every Apple device, including iPhones and iPads—plus user names, Apple Push Notification Service tokens, ZIP codes, cell phone numbers, and addresses. (Remember UDID codes? Apple began phasing them out after it was revealed last summer that they were sent to app developers without a user’s knowledge.)
In 2011, Aldo Cortesi, CEO of security consultancy Nullcube, found that UDID codes could be used to find “usernames, email addresses, GPS locations, and even Facebook profiles” attached to a phone. Commenting on the leaked data to Techcrunch, Cortesi said, “If your UDID is on the list, you have reason to be very concerned.” On the other hand, Macrumours suggests, “UDIDs themselves are rather harmless in isolation” and pose a privacy risk only when used in conjunction with other information.
Either way, it seems feasible that the huge quantity of data obtained by the hackers could be used for nefarious purposes—and while they may not have come from an FBI laptop, they could hypothetically prove useful to a law enforcement agency. Christopher Soghoian, principal technologist at the ACLU, said having a database of UDID codes might help a law enforcement agency identify people more quickly in the course of investigations, allowing them to obtain data they might have to otherwise wait to obtain from a telecom company.
Even if the information can’t necessarily be used to track movements or log GPS locations, as the hackers have themselves claimed, it’s difficult to think of any justification the FBI or another government agency could have for storing it. According to Soghoian, “If the database is in the possession of law enforcement, it is quite likely that the majority of the people on it have committed no crime and have no business being on any law enforcement database.”
Still, at this point there are—as we journalists like to say—more questions than answers. The hackers themselves are not giving interviews; the FBI is denying the hack took place. Some have cast doubt on the hackers’ claims by suggesting the leak could even be part of an elaborate disinformation plot (presumably to get one over on the FBI for its role in arresting and jailing a number of hackers). Stranger things have happened. The only real certainty is that a large database has been leaked, and if you own any Apple devices, you might be on it. If you’re concerned, you can check here.
