Hackers embarrass Apple with data leak

5 Sep, 2012

Apple faced a major embarrassment on the eve of the launch of its new iPhone when hackers published a trove of sensitive information about 1m Apple devices online.

The hacker group AntiSec, an offshoot of the Anonymous and Lulzsec collectives which last year targeted Sony, News International and others in a high-profile wave of attacks, said it had obtained the database of Apple device-identifiers from an FBI agent's laptop. The FBI's long-running international investigation into Anonymous and its associates resulted in several arrests earlier this year.

The bureau said: "The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed. At this time, there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data."

The hackers claim this is just a sample from 12m records, which they say include the full names, street addresses and mobile phone numbers of owners of Apple's iPhones, iPads and iPod touches. Several security researchers verified the published data are genuine, but said they present little risk to the people involved as long as the other details are not released. Apple did not respond to a request for comment.

The leak is ill-timed for Apple ahead of a series of key product launches. On Tuesday Apple announced an event on September 12 in San Francisco, where it is expected to unveil the next version of its iPhone. A new, smaller iPad is also expected to be unveiled soon.

The leaked data centre on Apple's "unique device identifiers", which can be used by app developers to send notifications and to track users. Apple is already preparing to phase out UDIDs. Security and privacy campaigners have criticised them over the past year arguing they could be used to hijack associated accounts, such as Facebook or Twitter.

"IPhone and iPad apps gain access to this information so it's possible it could be coming from an app manufacturer but it would have to be a very popular app," said Mikko Hypponen, chief research officer at F-Secure, a security firm. "There could be lots of questions about how Apple could do this better but it doesn't look like it was Apple's mistake."

Aldo Cortesi, a New Zealand-based security consultant who has campaigned against UDID use, said in a blogpost that the leak was a "privacy catastrophe". It was the "worst-case scenario" that could pave the way for further security problems.

In a statement published online, the hackers said they published the information to raise questions about the FBI's suspected use of device data. These allegations have not been independently verified and may be part of a smear campaign by Anonymous in revenge for the FBI arrests.

Sites including The Next Web are offering tools for concerned Apple customers to check if they are among the victims of the leak.

Peter Kruse, an e-crime specialist with CSIS, a Danish security firm, said he had found three of his own Apple device IDs among the data. "Unfortunately there is every indication that this leak is real," he wrote in a blogpost on the CSIS site.

Graham Cluley, senior technology consultant at security firm Sophos, said that "so far" the situation was not as serious for Apple as Sony's breach last year.

"I think this is about hackers embarrassing the FBI rather than hurting individuals," he said.

More News From Financial Times