I've Been Mugged Blog

A hacker group has announced the theft of 1 million Apple iPhone UDIDs, or Unique Device Identifcation numbers. The hacker group claimed that the data breach was to highlight the unannounced tracking of US citizens by the Federal Bureau of Investigation (FBI) agency. The Next Web reported:

"During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of ”NCFTA_iOS_devices_intel.csv” turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zip codes, cellphone numbers, addresses, etc. the personal details fields referring to people..."

The AntiSec hacker group stole 12 million UDIDs, and has publicly released 1 million of them.

What is a UDID? If you read this blog, then you already know what UDIDs are. Every smart phone, tablet, and mobile device has one: a 40-digit number that uniquely identifies each device. If you switched devices recently, chances are your telecommunications provider (e.g., Sprint, AT&T, Verizon, etc.) probably required that you provide them with the UDID for your new device.

The UDID is a bonanza for companies, marketers, government agencies, and any entity interested in tracking consumers. When matched with your 10-digit phone number and iTunes account, the UDID is a powerful identification (and tracking) tool that allows the compilation of all data, usage, and information on a mobile device to a person: phone calls, email messages, photos, video, text messages, GPS position, phone book, web browser history, apps downloaded, music, movies, and more. That compilation is more extensive since many consumers now use multiple email addresses (e.g., work and personal) on a single mobile device. Parents, who gave their children mobile devices, also need to be aware of the tracking threat. Links between your device's UDID and your Apple iCloud account would enable even more extensive tracking at the document level.

The Huffington Post advises consumers who want to check if their UDID was stolen:

"First, use the website whatsmyudid.com to figure out how to access your UDID, which can easily be found by plugging Apple devices into iTunes. Next, copy and paste the ID into The Next Web's data checker, or use tech consultant Sean MacGuire's website to quickly scan through the hacked IDs."

This blog has reported privacy abuses where app developers and marketers allegedly collected consumers' UDID without notice and without consent, including this class-action suit against Apple and this class-action suit against Ringleader Digital and several other companies. The sad reality is that consumers' UDIDs could already be in a lot more entities' databases, since too many mobile device apps fail to provide privacy policies, and collect data without notice and without consent.

[Update 3:30 pm: one blogger analyzed the data released by the hackers, and concluded it isn't so bad since not much other personal data was stolen. I don't place much weight on this view, as there is no guarantee the hackers released everything stolen.]

[Update 10:00 am: the FBI denies that it has the data the hacker group claimed it has.]