12 million iOS unique device identifiers (UDID) reportedly hacked from FBI laptop

Over 12 million unique device identifiers (UDID), and related, personally-identifiable information, for iPhones, iPod touches, and iPads have reportedly been hacked from an FBI laptop using a Java vulnerability. AntiSec has released 1 million of the UDIDs as proof of the hack, along with a statement that includes the following:

During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of "NCFTA_iOS_devices_intel.csv" turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. the personal details fields referring to people appears many times empty leaving the whole list incompleted on many parts. no other file on the same folder makes mention about this list or its purpose.

UDIDs are used by developers to register devices with Apple's iTunes Connect so they can run beta versions of iOS and test ad-hoc versions of their apps prior to release. While some developers also used to use them to identify users and their devices, Apple has now disallowed that practice.

No accounts or passwords appear to have been compromised, so for users this is more of a privacy issue than a security issue. Any single piece of identifying information, be it a UDID number or a cell phone number, when combined with a sufficiently large pool of data and the right kind of analytics, can be used to create profiles and assess patterns.

AntiSec says they released the information to draw attention to what they claim is the FBI's collection of it.

You can read more of AntiSec's statement, and find the list of disclosed UDIDs, via the link below.

Source: AntiSec

Rene Ritchie

Editor-in-Chief of iMore, co-host of Iterate, Debug, ZEN and TECH, MacBreak Weekly. Cook, grappler, photon wrangler. Follow him on Twitter, App.net, Google+.

More Posts



← Previously

BBC iPlayer update coming today, will finally allow on-device downloads

Next up →

Deal of the Day: 47% off Incipio Hive Honeycomb dermaSHOT Silicone Case for The new iPad and iPad 2

There are 35 comments. Add yours.

mrod79 says:

Why the hell does the FBI have the UDID's????????
Who else has them?

Dark_Blu says:

THE ENEMY has them. And now all your data are belong to us. LOL!!!!

Stewartj1 says:

My big concern is HOW did the "nonprofit organization" which gave them to the FBI get them?

In my view that's the single most important question.

Dev from tipb says:

No secret there - any iOS app can harvest this information. In ios 6, Apple will disallow that, but it has been a public, documented part of the iOS SDK since Day 1.

iDevizes.com says:

@mrod79 Indeed why should the FBI need these UDID's? What could you possibly do with those UDID's? Do i have to change my password?


sting7k says:

What does this mean for me right now? Should I be changing passwords?

Rene Ritchie says:

No, this is identifying information. For us, it's a privacy issue, not a security issue, at least right now.

Dev from tipb says:

Think of the UDID as a super-cookie, one that your iPhone sends on every request and that you cannot change, mask, or expire. If somebody knows your UDID, they have no extra ability to get into your account, but they can look at a stream of data and tell which specific requests are coming from *you* individually (or, at least, from your iPhone).

PilotPhil81 says:

I am getting tired of these vigilantly hackers. Something needs to be done to stop them.

RickNY says:

Wouldn't you be more concerned about a) why the FBI has 12 million UDIDs to begin with and b) why they are not being secured properly if they do have them? Does that not even raise a red flag in your mind?

dalvik says:

No it doesn't because he as an american citizen truly believes that government protects us and everything it does is for the better. So let them (the Gov) have our info and know our every step so we can sleep tight at night.

techiechick says:

No, something needs to be done to stop the warrant-less collection of data on American citizens!!

dalvik says:

That's right... Let the FBI, CIA and hell knows who else have your personal info and you wouldn't even know about that. After all these agencies are here to protect us aren't they? what you don't know wont hurt you

Stewartj1 says:

As much as I'm p.o.'d at them for posting all those UDID's, they did at least expose some very questionable FBI activities and in the process have raised a lot of questions.

1: Exactly who is this "nonprofit irganization" from whom the FBI got this data?
2: HOW did this nonprofit get the info in the first place?
3: Who else have they given it to?
4: Exactly why does the FBI Have this data?
5: Why is such a high level FBI agents laptop so easy to hack?
6: Who else's UUID's do they have?

Mrdevali says:

What is changing your passwords goin to do??

markbyrn says:

To paraphrase another article on a related subject, many apps use UDIDs to anonymously identify unique users across apps and browsing sessions and associate them with location, user settings, and ads. UDIDs are also used when registering devices for iOS betas. The use of UDID also sparked controversy over fear that individuals could potentially be identified should enough anonymous data be amassed.

Apparently that's been the case here and I found that one of my devices (iPad 3 on Verizon) was leaked.

wdcspurs says:

I'm not sure that their point of hacking was to use the iOS user info they got in a malicious way. It sounds like it is more or less a way to show the public what kind of info people have. Why the FBI has this stuff doesn't make much sense. Changing passwords won't do anything.

Rob White says:

Let this be a succinct wake up call to iPhone users. Just like Android, iOS is vulnerable. Just because you may not have been aware until now doesn't disprove the evidence. I'm not making a Android vs iOS comparison about security. I'm simply pointing out that all computing platforms have inherent vulnerabilities.

The only thing you can do against these vigilante hackers is continuously determine how much information you are comfortable having stored on your phone & what developer/apps do with that data. I personally have a ridiculous amount of personal information out there in the wild thx to Google & Apple. Yes Apple data mines their users too. The same rules apply regardless of your chosen platform.

Your privacy & personal information is only as valuable as you make it.

dalvik says:

Even if you have a cheap ass dumbphone that makes only phone calls the Gov still knows your whereabouts, all your info and tracks your every call and your every conversation, looking for specific words and phrases. Hell they can even poinpoint your exact location with just that dumbphone if they need to. Thats just the way it is, you can do nothing about it as long as you live in this country And I'm sure other countires out there have the same system of tracking their citizens.

Rob White says:

You're right. I was merely attempting to point out that next time you read stories about privacy or hacking of Windows or Android, take a look at what your holding. It's just as vulnerable.

I often tell people as an experiment to go into the phones settings & disable GPS, background data, & notifications/email. Turn off WiFi & cell radios too. After doing this I tell them to dial 911. They are stunned when the call connects & the operator on the other end can approximate their location to around 150 ft give or take. And by federal law that connectivity cannot be disabled nor does it have to be disclosed.

That same system makes tracking your every move & phone call just as easy. The only way it doesn't work is if you pull the battery or it fully discharges. Otherwise you have no privacy on a mobile phone, smart or dumb alike.

dalvik says:

Absolutely correct. Besides, I'm not even concerned about them having my info. I cannot do anything at this point to protect myself from this type of surveillance (well except for getting rid of all my computers and handhelds for good and never ever usem them again) And I'm OK with that. But news like that do raise high concerns as to why these sloppy agents casually carrying my personal information on their laptops (???) It's almost the same like losing your ss card. I definetely wouldn't want that. I'm just surprised there haven't been any lawsuits against these so called "government agencies"

jameslaz says:

Thanks for the information. As always you guys keep me informed on who is doing what and why I need to be concerned.

dloveprod says:

Now these hackers are going too far.

dalvik says:

You meant to say the US governement right?

yukimba17 says:

Why would they do that!???? I hate it!

davidbowser says:

I think some folks may be missing the point by blaming "the hackers" in this particular case. I don't condone what they did (minimum of breaking into an FBI computer) or how they did it, and they most certainly broke the law, but they are not attacking you. The data they released publicly had the names and some other personal data trimmed out. Their stated purpose was to show everyone what data the FBI has on each and every one of us, regardless of motive.

I've worked in IT and Security for about 20 years, and the fact that the FBI has this data at their fingertips doesn't surprise me in the least. That the data is treated so casually by the FBI (an unencrypted csv dump on a laptop is the security equivalent of a password on a sticky note) scares me more than anything.

I'm not big on scare tactics, but to illustrate Rene's point on this being a privacy issue, I will share: About 15 years ago, I worked for a data analytics company that specialized in pharmaceutical data and targeted sales. Given gender, age, and general location info, our engine could predictively spit out what prescription drugs you used (and therefore what medical problems you had) and what doctor prescribed them, stack ranked by % correlation. The use case was for Pharma companies to target specific doctors for marketing new drugs based on prescription history, but also to target advertisements in certain areas where those doctors worked, so that their patients would ask about the new drug. That's pretty basic, and that was 15 years ago.

Dev from tipb says:

It is somewhat of a tangent, but this New York Times article on behavior and data analytics is a good introduction for the non-statistician. [ http://nyti.ms/OLeptN ]. The headline is an eye-catching example; via seemingly unrelated shopping data, e.g. spikes in purchasing unscented products, Target could tell a teenager was pregnant before she told her father.

E-POTS says:

well i searched the file for my name (since that is my device's name) and nothing came up, woohoo but I don't have access to itunes right now to get my udid to search based on that. But from the looks of it, i'm not in it.

s2h2golf says:

The Next Web has a tool for checking your UDID against what was released (safer than clicking on that AntiSec link):


Stewartj1 says:

How do you know that tool isn't phishing your data when you use it?

KCMike says:

TSA checkpoints, FBI tracking, & Indefinite Detention? Yep, Welcome to America.

Raptor007 says:

If not for the hackers either (white hat or black hat) releasing what the gov't is hiding and doing then we would never know about it would we? I don't appreciate having my UDID or other identifiable information kept on me let along released by hacker groups. Would you rather not know about the level and extent of the US Government's spying on US citizen's in the name of security?

While we all have nothing to hide we also have an expectation of privacy, or do we . . .

iDonev says:

The 9/11 scare gave police all the power they could possibly want... the Patriot Act and the rising police state being the two easiest examples.

GlennRuss says:

Another Fine example of the lack of a java fix. They need to address this, and stop acting like they do not have problems.

lungho says:

Ahhhh what the hell, not like it's a secret anymore.....414-46-5285