The FBI has issued a statement saying there is no evidence that hackers grabbed a database of some 12 million unique device identifiers (UDIDs). The statement, issued to All Things D, goes as far as to say that there is no evidence that the FBI even gathered such data:
"The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed. At this time there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data."
AntiSec claims that the data on the laptop, allegedly that of an FBI agent, contained some 12 million UDIDs and a patchy array of other information, such as phone numbers. The group leaked 1M of those IDs earlier this morning, along with details of how they say they came across them.
The FBI’s press office followed up with this tweet:
Statement soon on reports that one of our laptops with personal info was hacked. We never had info in question. Bottom Line: TOTALLY FALSE
— FBI PressOffice (@FBIPressOffice) September 4, 2012
That triggered a response from the AnonymousIRC Twitter account:
@fbipressoffice Wait, what? So because you don’t know of any data breach it never happened? So the conference call was fake, too? ;-)
— AnonymousIRC (@AnonymousIRC) September 4, 2012
The Next Web has created a tool for you to check to see if your UDID is in that batch, though if what AntiSec says is true, it has millions more. Apple has sold over 350M iOS devices to date, each one with its own static UDID that is used by ad networks and other services to track your device, much like a cookie in a web browser.
The database has turned up positive matches for UDIDs, so the 1M numbers released appear to be valid in some form, regardless of where they came from.
There is no inherent danger in your information being out there, even your UDID. But there are some possibilities for malicious use due to the sloppy handling of the UDID by some developers, who associate it with other personal info. Apple has been trying to get them to stop using this identifier for over a year now.
The biggest question surrounding this issue, of course, is why the FBI was collecting this information, or where it obtained it from. If the statement from the FBI is accurate, then it may never have had it in the first place. Then the question becomes where exactly AntiSec got the database.