One million and one Apple device IDs leaked

AntiSec – part of Anonymous – obtained the data by hacking an FBI agent's laptop.

The AntiSec group of hackers – one of many spun off from the sprawling leviathan that is the Anonymous movement – have released what they claim is a set of 1,000,001 unique device identifiers (UDIDs) for iPhones, iPads and iPod touches, which were stolen from the FBI.

The release, which also contains the device names and APNS tokens that are key to getting push notifications onto devices, is in itself a pretty big security breach. It's bigger still given the fact that the default device name for Apple products is "[full name]'s iPhone". Even worse, AntiSec claim that the data is just a small part of a much larger trove of personal information, which includes the UDIDs of 12,000,000 devices, and "full names, cell numbers, addresses, zipcodes, etc" for a smaller subset of them.

The group explain (at length) why they've leaked the data, and it boils down to trying to get people's attention that "FUCKING FBI IS USING YOUR DEVICE INFO FOR A TRACKING PEOPLE PROJECT OR SOME SHIT [sic]", though they are also aggrieved at what they call the "hypocritical attempt made by the system" to encourage hackers to sign up:

You are forbidden to outsmart the system, to defy it, to work around it. In short, while you may hack for the status quo, you are forbidden to hack the status quo. Just do what you're told. Don't worry about dirty geopolitical games, that's business for the elite. They're the ones that give dancing orders to our favorite general, [NSA's general] Keith [Alexander], while he happily puts on a ballet tutu. Just dance along, hackers. Otherwise... well...

The method by which they claim to have got hold of the data is concerning as well – quite aside from whether or not the FBI ought to have the info, if they do, one would hope that they would store it more securely:

During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of "NCFTA_iOS_devices_intel.csv" turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. the personal details fields referring to people appears many times empty leaving the whole list incompleted on many parts. no other file on the same folder makes mention about this list or its purpose.

AntiSec also expressed their desire that the leak would expose the flaws with the UDID system itself. Even without any extra info leaked, that breach exposes victims to a fair degree of damage. As one programmer, Aldo Cortesi, writes:

If you use an Apple device regularly, it's certain that your UDID has found its way into scores of databases you're entirely unaware of. Developers often assume UDIDs are anonymous values, and routinely use them to aggregate detailed and sensitive user behavioural information.

Apple has been quietly killing the methods by which developers can access UDIDs for the last year or so, removing their ability to directly read them; but that won't prevent at least some users suffering from this leak. A number of older apps and unsecure networks still allow users to log in using just the UDID as identification. Although this hasn't been recommended practice for some time, not everyone runs their companies the way they ought to.
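The weakness in that last point, as an added example (not code from the article or from any app it mentions): a server that accepts the UDID as the whole credential, beside one that uses the device ID only as a lookup key and requires a random token issued at registration. The class names and the sample UDID are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample value: a UDID of this era is a 40-character hex string.
SAMPLE_UDID = "0123456789abcdef0123456789abcdef01234567"


class WeakDeviceLogin:
    """UDID-only login: the identifier doubles as the authenticator."""

    def __init__(self):
        self.accounts = {}  # udid -> account name

    def register(self, udid, account):
        self.accounts[udid] = account

    def login(self, udid):
        # Knowing the UDID is enough, so any copy of it in a third-party
        # database or a leaked list is equivalent to the user's password.
        return self.accounts.get(udid)


class TokenDeviceLogin:
    """Hardened form: the device ID is public; a server-issued secret is not."""

    def __init__(self):
        self.accounts = {}  # device_id -> (account, SHA-256 digest of token)

    def register(self, device_id, account):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).digest()
        self.accounts[device_id] = (account, digest)  # only the digest is stored
        return token  # sent once to the device, kept in its secure storage

    def login(self, device_id, token):
        record = self.accounts.get(device_id)
        if record is None or not isinstance(token, str):
            return None
        account, digest = record
        presented = hashlib.sha256(token.encode()).digest()
        # Constant-time comparison avoids leaking digest bytes through timing.
        return account if hmac.compare_digest(presented, digest) else None
```

Because the token is random per registration and stored only as a digest, it can be revoked and reissued without touching the device ID, which a hardware-derived UDID never allows.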

Unfortunately, we won't be able to hear anything else from AntiSec until Gawker journalist Adrian Chen dresses up in a tutu with a shoe on his head. Yes, those are their demands:

no more interviews to anyone till Adrian Chen get featured in the front page of Gawker, a whole day, with a huge picture of him dressing a ballet tutu and shoe on the head, no photoshop. yeah, man. like Keith Alexander. go, go, go. (and there you ll get your desired pageviews number too) Until that happens, this whole statement will be the only thing getting out directly from us. So no tutu, no sources.

The AntiSec logo, in ASCII-art form.

Alex Hern is a technology reporter for the Guardian. He was formerly staff writer at the New Statesman.


Disney didn’t buy Twitter — partly because it can't master the Bare Necessities

Walt Disney Co. has decided against bidding for the social network.

Hakuna Matata. What a wonderful phrase. It means no worries for the rest of your – @simba DIE U STUPID LION UR SONG IS SHIT.

That was a short representation of one of the alleged reasons why Walt Disney Co. opted out of bidding for Twitter last night. Despite hiring two investment banks to help them weigh up a deal, Disney have dropped out of the running partly because – according to Bloomberg – of the social network’s reputation for bullying and harassment, as well as its falling profits. Individuals close to Disney management allegedly told the business news website that Twitter did not fit well for the company, which, after all, is more famous for feel-good anthropomorphic animals than angry, anonymous eggs.

Those who mistakenly believe Twitter is a happy place where ev’rybody wants to be a cat might need an explanation. Despite the apparent abundance of cat gifs, Twitter can be a violent and angry social network – a report last year stated that 88 per cent of the abusive mentions on social media happen on the site. Twitter has long struggled to stop abuse overwhelming discussion on the social network. This has fed the perception among some of its 300 million users that tackling abuse is a low priority, with efforts at reducing trolling overshadowed by the release of new features such as increased message length and curated news feeds known as Moments. Because of this, the site has become seen as – in one former employee’s words – “a honeypot for assholes.” Oh, bother.


Earlier this year, Ghostbusters star Leslie Jones was bombarded with racist tweets upon the film's release, forcing her to leave the site for a few weeks. "Twitter I understand you got free speech I get it. But there has to be some guidelines," she wrote. The company did take action in the wake of the Jones case, permanently banning the prominent right-wing journalist and notorious troll, Milo Yiannopoulos, from the site for his role in fanning the flames of the abuse. But, while Google has set up a new company, Jigsaw, to make the internet a safer place, Instagram regularly bans offensive hashtags and Facebook has devoted time to constantly updating its anti-harassment tools (most recently making it easier to report revenge porn), Twitter’s trolling problem continues.

Even Twitter's former top employees have criticised the company's efforts. In a leaked memo from 2015, then-CEO Dick Costolo said: "We suck at dealing with abuse and trolls on the platform and we've sucked at it for years." Earlier this year, the current CEO Jack Dorsey admitted Twitter "must do better" at dealing with abuse. Salesforce, another potential buyer, have also allegedly been put off by the site's reputation. "The haters reduce the value of the company... I know that Salesforce was very concerned about this notion," reported CNBC's Jim Cramer.

Neither company has declared publicly that Twitter's abuse problem deterred them from the sale, but could the loss of this latest suitor push them to take the problem more seriously? Having some sort of pre-emptive anti-harassment tool has become the bare necessities of running a successful social network, but Twitter still waits for users to report abuse and then, frequently, tells them that the abusive content actually didn’t violate their rules.

It is not too late for Twitter to turn itself around, as many of its users are still loyal despite the abuse. With one successful attempt to tackle harassment, a resurgence for the site could be just around the riverbend. In the words of the wise Rafiki: "Oh yes, the past can hurt. But from the way I see it, you can either run from it, or... learn from it."