SAN FRANCISCO (Bloomberg) — Hackers claiming to have stolen information on 12 million Apple user accounts from an FBI computer said they have released some data from 1 million of those purported accounts.
Many of the hackers’ claims, posted this week in a long online missive from the group calling itself Anonymous, were unsubstantiated or refuted. The U.S. Federal Bureau of Investigation said in a statement yesterday that there was “no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data.” Apple didn’t return phone and email messages seeking comment on the hackers’ claims.
The hackers may have posted some legitimate users’ device names and the unique identifier codes assigned to their iPhones, iPads and iPod Touches, according to Sean Sullivan, a security adviser at F-Secure Corp. who examined a data file that the hackers released. It isn’t known whether the hackers really have the other information they claim to have redacted from the data file, including user names, mobile phone numbers and addresses.
“What they have released is not a very serious breach at all,” Sullivan said in an interview Tuesday. As for claims that the information came from the FBI, he said, “they’ve offered no additional corroborating evidence, they’ve offered nothing else — they’ve immediately demanded no interviews. I think they’ve made it up.”
The incident is the latest skirmish between hackers operating under the banner of Anonymous - who have often cultivated the media to promote their attacks, and have sometimes fallen short in their claims - and law-enforcement agencies and large corporations that the hackers argue are violating digital freedoms.
The hackers say they accessed the Apple data in March by breaking into a laptop of FBI agent Christopher Stangl, who has been active online in recruiting agents with cyber-security savvy. They claim to have used a vulnerability in Java, the popular Internet technology managed by Oracle whose flaws were exploited in attacks that infected more than 600,000 Mac computers in April and more than 100,000 Windows machines last week.
By themselves, the device codes released in the latest incident aren’t sensitive. Called unique device identifier numbers, or UDIDs, they are just strings of numbers and letters that have limited value when viewed in isolation.
Still, taken with other information, they may be used to authenticate users trying to access a service. Amid privacy complaints, Apple earlier this year banned applications that use the code for tracking.
The hacked information could have come from other sources, including application developers or even Apple itself, F- Secure’s Sullivan said.
If the hackers have all the data they claim to have, that could expose millions of users to identity theft and fraud, Sullivan said. Based solely on the limited information that’s been released so far, there’s little risk to users, as account passwords and other sensitive data weren’t included.
“Additional investigation into this reported breach is needed to get to the bottom of the claims made by this hacker group,” Rep. Ed Markey, D-Mass., said Tuesday, urging support for legislation for more transparency about what law enforcement collects from wireless carriers. “Still, it would be a mistake to allow this recent incident to pass without reexamining and recommitting ourselves to dealing with this vital personal privacy and protection issue.”