A group identifying itself as members of the AntiSec movement claims to have posted over a million Apple device identifiers they say were stolen from the computer of an FBI agent in March.
AntiSec is the name that members of Anonymous and LulzSec gave to a joint effort against government agencies and prominent businesses in June 2011. The groups, responsible cyber attacks and general mischief against government agencies and companies such as Sony, said then that they would join forces.
“Top priority is to steal and leak any classified government information, including email spools and documentation. Prime targets are banks and other high-ranking establishments,” LulzSec said in a release at the time.
The group claiming credit for the attack accused the FBI of using the identification numbers to track Apple users. According to a statement posted Monday, the ID numbers are just a fraction of more than 12 million IDs that were reportedly in a file taken from the agent’s computer. The hackers claim (in a statement with objectionable language) that the file also contained data naming the type of device, address of the device owner and cellphone numbers associated with the devices. The file name includes a mention of the “NCFTA” which could stand for the National Cyber-Forensics Training Alliance, an FBI-associated group that was created to proactively address cyber crime.
FBI spokeswoman Jenny Shearer declined to comment on the claims.
The Apple identification numbers listed in the file are not the “Apple IDs” with which users sign into iCloud, iTunes and other services, but the unique device identifiers that developers often ask beta users or others to submit in order to access apps before they’re available on the general App Store. It’s a 40-character string similar to a serial number for iOS devices, and can also be used to track users and target ads.
It’s not clear how the FBI or any non-Apple entity would have gotten the numbers. In discussions on Hacker News, there’s speculation that the most likely explanation is that identification numbers could have been obtained from a developer collecting the information for an app. Apple has begun changing its policy regarding UDIDs, as 9 to 5 Mac has reported, and others have identified that there are certain privacy risks to using the method for tracking.
In a report on Apple’s changing plans, the Wall Street Journal noted that privacy advocates have raised concerns the UDID could be used to identify individual users.
The FBI recently arrested a second suspected member of LulzSec, Reuters reported, in connection to an attack on Sony Pictures Entertainment.