Hackers Claim to Have 12 Million Apple Device Records, Captured from F.B.I Computers

- By NICOLE PERLROTH - September 4, 2012 - The New York Times

Hackers released a file that they said contained a million identification numbers for Apple mobile devices, claiming that they had obtained it by hacking into the computer of an F.B.I. agent. The F.B.I. said it had no evidence that this was true.

The hacking group, known as AntiSec - a subset of the loose hacking collective known as Anonymous - posted copies of the file on Sunday and claimed to have a total of 12 million numbers for iPhone, iPad and iPod Touch devices, along with some phone numbers and other personal data on their owners. They said their goal in releasing a slice of the data was to prove that the F.B.I. used device information to track people.

While the leaked identification numbers appeared to be real, security experts said the release posed little risk. They said that without more information on the devices' owners - like e-mail addresses or date of birth - it would be hard for someone to use the numbers to do harm.

And the actual source of the file was not clear. The F.B.I. said in a statement that "at this time there is no evidence indicating that an F.B.I. laptop was compromised or that the F.B.I. either sought or obtained this data."

The F.B.I. has been a frequent target of so-called hacktivists, hackers who attack for political causes rather than for profit. In February, Anonymous hackers intercepted a call between the bureau and Scotland Yard. But the frequency of such attacks tapered off after several members of Anonymous and a spinoff group, LulzSec, were arrested in March.

Apple's unique device identifiers - known as U.D.I.D.'s - are 40-character strings of letters and numbers assigned to Apple devices. Last year, Aldo Cortesi, a New Zealand security researcher, demonstrated how in some cases U.D.I.D.'s could be used in combination with other data to connect devices to their owners' online user names, e-mail addresses, locations and even Facebook profiles.

"A U.D.I.D. is just a jumble of digits," said Jim Fenton, the chief security officer of OneID. "It is only powerful when it is aggregated with other information."

Security experts said the identification numbers appeared legitimate, and one number in the file matched that of a New York Times employee's iPad. "The structure and format of the data indicates this is a real breach," said Rob Rachwald, director of security at Imperva, a computer security firm. An Apple spokesman did not respond to requests for comment.

The hackers released only U.D.I.D.'s, a separate Apple-specific identifier and the device names that owners give their devices, like "Lori's iPad." Only a few identifiers were tied to e-mail addresses, apparently because the device's owner chose to use an e-mail address when naming it.

Apple stopped letting app developers take advantage of device identifiers last year, to make it harder for marketers to track its customers as they moved from app to app.

The hackers claimed to have obtained the file from the computer of Christopher K. Stangl, a supervisory agent of the F.B.I.'s Cyber Action Team. In 2009, Mr. Stangl appeared in a Facebook promotional video titled "Wanted by the FBI: Cyber Security Experts" that encouraged hackers to get involved with the F.B.I.

He was also one of 44 law enforcement agents invited to participate in the F.B.I.-Scotland Yard conference call that hackers intercepted.

But security experts said the file could have come from a number of places.

"There are a million ways this could have happened," said Marcus Carey, a researcher at Rapid7. "Apple could have been breached. AT&T could have been breached. A video game maker could have been breached. The F.B.I. could have obtained the file while doing forensics on another data breach."

In their statement, the hackers said they would not grant any interviews about the breach until a reporter for Gawker, Adrian Chen, posed for his employer's site, for a full day, in a ballet tutu with a shoe on his head.

On Tuesday evening, Mr. Chen complied. "There's me in a tutu," he wrote in a blog post with accompanying photos. "Get used to it because it's going to be up until around 6:30 p.m. tomorrow."