1 million iOS device IDs leaked after alleged FBI laptop hack (Updated)

No proof that the FBI collected the info, but hackers claim they have 11M more.

Jacqui Cheng

One million unique device identifiers (UDIDs) from iOS devices have been posted online by hacking group Antisec, who claimed the UDIDs came from an FBI-owned laptop. The group published a file containing the UDIDs—as well as push notification tokens, device names, and more—on Monday evening, promising that there are plenty more entries where that came from. Antisec claims the original file contained roughly 12 million UDID entries—some with very personal data attached, such as full names, cell numbers, and home addresses.

There has been no official confirmation as of yet that Antisec's UDID list indeed came from an FBI laptop, but Antisec claims to have remotely accessed Supervisor Special Agent Christopher K. Stangl's data in March 2012 using a Java vulnerability, AtomicReferenceArray. The AtomicReferenceArray vulnerability in Oracle's Java software framework came to light earlier this year after it was exploited in attacks that installed malware on end-user machines. Oracle released a patch in February.

That same month, members of the Anonymous hacking collective published a transcript of a conference call between investigators at the FBI and Scotland Yard during which operations against the hacktivist group were discussed. About 40 law enforcement agents from various parts of the world participated in the call, which was intercepted after the leaking of an e-mail message sent to all the agents listing the time and code to get in, according to Rob Graham, CEO of penetration testing firm Errata Security.

The group claims to have found a file called "NCFTA_iOS_devices_intel.csv" with a listing of UDIDs for 12,367,232 iOS devices, though not all of them contain the same level of personal information. Antisec claims to have sanitized the 1 million UDIDs that it has chosen to leak publicly to leave the bare minimum for users to find out whether their devices were on the list. "Some devices contained a lot of [personal] info," the group wrote.

The UDID itself is a string of characters that tells Apple and developers which device is uniquely yours in order for them to push alerts to your phone, identify unique users, and so on. It's not the most secret information—your UDID is found on your device itself as well as within iTunes when you click on your device's serial number—and plenty of developers likely already have past app and notification records that include your UDID. Apple, however, began cracking down on developers' use of the UDID as a way to track users since the release of iOS 5 following privacy and security concerns. Apple had warned developers last October that the UDID was being deprecated, and in March of 2012, Apple began rejecting third-party apps that make use of the UDID.

So Apple itself and its developer network no longer rely on the UDID as a way to identify users, but part of the reason Apple did away with the UDID was because some developers were found to have been transmitting personal user data—along with the UDID—back to their own servers. As such, there are numerous apps that might have already collected and stored information like your name, birthdate, where you like to shop, what kind of device you use, and more, all of which may be attached to your UDID. And, for whatever reason, that data may be contained in the file that is believed to have been pieced together by the FBI.

As for why the FBI might have collected this info, there are no answers as of yet. Neither Apple nor the FBI responded to our request for comment by publication time, so the most that can be confirmed now is that there is a list available online with a million UDID entries. (MacRumors claims to have verified, using OpenFeint, that the numbers in the list are at least valid UDIDs.) The type of information available isn't atypical for what a third-party developer might already have on record, but there's no indication about what the FBI might have been doing with such a list. Without further verification on that front, it's not yet safe to assume that Antisec's claims are entirely valid.

For those still worried, there is already a tool available online for iOS device users to check whether their UDIDs appeared on the list. (As of this writing, my iPhone did not appear on the initial list, though some believe they have found evidence of President Obama's iPad with an indicator that someone used the device to play Fishing Fun 2.) Developer Frederic Jacobs is on a mission to identify which app-maker has allegedly given away user data to the FBI as well, and has posted a brief survey for those who do find their UDIDs in Antisec's list.

Update: The confirmations of the list (at least) containing valid UDIDs are now rolling in. Security journalist Rob Lemos says at least one of his devices is definitely on the list. "eCrime specialist" Peter Kruse has also confirmed that three of his devices are on the list.

Update 2: There is now a version of the UDID list in plaintext available online.

Update 3: The FBI has now issued a public statement:

"The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed. At this time, there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data," the FBI said.

Jacqui is an Editor at Large at Ars Technica, where she has spent the last eight years writing about Apple culture, gadgets, social networking, privacy, and more.