Hackers Find 12 Million Apple Users Personal Data On FBI Laptop

Hackers Find 12 Million Apple Users Personal Data On FBI Laptop

Hackers who got inside and FBI laptop found the personal data of over 12 million users including addresses, phone numbers and Unique Device Identifiers (UDID).

The Hacker Group Anonymous Hacked into the laptop of an FBI agent and found a massive cache of personal information:

This is just lovely. So apparently several hacker activist groups got into FBI agent Christopher Stangl’s personal laptop which he apparently uses for remote work away from the office. You would think the FBI would have invested in Remote Work Security as they of all organizations should have known the security risks of working from a personal laptop. Internet networks can easily be exploited without proper protection and the FBI are lucky the hackers did not get away with sensitive investigative data for criminal purposes.

However, what the hackers did manage to steal from the laptop is somehow far worse:

A list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc.

What makes this story even better is that Mr. Stangl was the guy who posted a video in 2009 imploring Computer Science majors to join the FBI. Makes sense, they were most likely starved of security experts. Otherwise they probably would have gotten an apple mdm to protect himself from being hacked. I guess you need a lot of people to keep tabs on the sheeple’s communications 24/7. Move along folks…nothing to see here. Your government loves you. Now go get on food stamps, watch some football and shut up.

Forbes covered this story and you can read the article here.

Delivered by The Daily Sheeple

Contributed by Michael Krieger of A Lightning War for Liberty.

Some Apple consumers are rightfully shocked and appalled that their sensitive information was either sold to the FBI or stolen from Apple. Either way, some have said they will be looking for an alternative device provider. Perhaps a reviewer like Laptopgrader.com could suggest a more secure laptop for these disgruntled users (as well as one for the FBI).

However the latest news is that the FBI are denying the claims that they ever had the data. That could indicate they didn’t get that data from Apple legally but it still remains to be seen. Here’s what they had to say:

UPDATE Sept. 4, 21:50 GMT: The FBI has denied that it ever had the 12 million Apple IDs in question: “Statement soon on reports that one of our laptops with personal info was hacked,” it said on Twitter. “We never had info in question. Bottom Line: TOTALLY FALSE.” It also said in an emailed statement: “The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed. At this time, there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data.”

But there is a little problem with the claim – the hackers have already decrypted and posted a sample of 100 users and say the full data set will be posted online in a searchable dataset once the decryption is complete.

UPDATE Sept. 4, 17:50 GMT: Anonymous / Antisec supporters have posted a sample of 100 Apple mobile device and Mac identifiers from the breach, in plain text, viewable here. The data is in four columns 1) the Apple device unique device identifier 2) the Apple Push Notification Service DevToken 3) the device name 4) the device type. They say it lists the top 50 and bottom 50 UDIDs in the dataset. One source from Anonymous says supporters are currently working on uploading the full, unencrypted dataset of 1 million UDIDs to the web, as well as a searchable database.

Update: Bloomberg is reporting as of 4:00 AM EST that the hackers have released the first unencrypted dataset of 1 million accounts on the Internet as they claimed they would.

This further brings into the question the validity of the FBI’s denial of the breach.

Unfortunately US citizens have seen the rise of the American Gestapo where law enforcement officers can at any time can pull the “national insecurity” card to cover this whole thing up by issuing “National Security Letters”.

FYI, Gestapo simply means Secret Police, as in law enforcement has the ability to operate in complete secrecy breaking with no oversight which is obviously what the FBI is doing here and has been doing in the past with nefarious programs such as nationwide spying on Muslims and warrantless wiretapping.

Forbes goes onto report in the original article:

Three years ago special agent Christopher Stangl appeared in a video calling on people with computer science degrees to join the Federal Bureau of Investigation, saying they were needed “more than ever.” Last night, hackers with subversive online networks Anonymous and Antisec answered that call with nothing short of irreverence: they published what they claimed were more than 1 million unique device identifier numbers, (UDID) for Apple devices, stolen from Stangl’s own laptop.

In total, the hackers say they were able to steal more than 12 million of these strings of numbers and letters, but, “we decided a million would be enough to release.” They announced the hack through the widely-watched Twitter feed, @AnonymousIRC last night.

Forbes cyber security reporter Andy Greenberg has downloaded the encrypted file posted by Anonymous containing the identifiers, and decrypted it. “It does seem to be an enormous list of 40-character strings made up of numbers and the letters A through F, just like Apple UDIDs,” he reports. The data is being analyzed by cyber security research firms like Denmark’s CSIS, whose specialist Peter Kruse tweeted earlier today that three of his devices were in the leaked data.

The incident raises many questions, not only about the security of federal devices, but of why an agent might have (allegedly) been carrying a database of Apple UDIDs, which the hackers said also contained “user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc.” of iPhone and iPad users. The hackers claim to have stripped this information for publication.

Developers use the UDID to track information about Apple’s mobile devices, and sometimes ad companies will cross reference that information to target users with ads. If all the information out there was cross-referenced, it would be a huge web of user information. But as Gizmodo points out, that doesn’t seem to be the case here: “What was leaked appears to be a list of users and information gathered from just one app, or a few-NOT a cross-section of the UDID on every single app you use,” writes Kyle Wagner. “It’s one or two stands of the spider web.” In other words, don’t freak out if your Apple device is on the list, aside from taking some basic precautions like changing some of your key passwords, and there are applications that you can download from Fileproto and other password recovery services that can help you keep your passwords safe.

Stangl did not wish to comment when contacted by email earlier today, and an FBI spokeswoman declined to comment. Apple did not respond to emails and phone calls requesting comment. Anonymous supporters said in their Pastebin post on Monday evening that they were not giving further interviews on the matter, though one source in the network suggested more information on the matter could emerge soon.

Anonymous claimed they used the Atomic Reference Array vulnerability in Java to breach Stangl’s laptop. (Link via Computer Weekly.) Here’s where they claim to have hacked his device:

“During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of ‘NCFTA_iOS_devices_intel.csv’ turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device,type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc.

“The personal details fields referring to people appears many times empty leaving the whole list incompleted on many parts. no other file on the same folder makes mention about this list or its purpose.”

Categories: US NEWS

About Author