Hackers embarrass Apple with massive data leak
Hackers published a trove of sensitive information about one million Apple devices online, embarrassing the company on the eve of the launch of its new iPhone.
The hacker group AntiSec, an offshoot of the Anonymous and Lulzsec collectives which last year targeted Sony, News International and others in a wave of attacks, said this was just a sample from 12 million records. These, they say, include the full names, addresses and phone numbers of owners of Apple’s iPhones, iPads and iPod touches.
Several security researchers verified the data as genuine, but said they presented little risk to the people involved as long as the other details are not released. Apple did not respond to a request for comment.
The leak is ill-timed for Apple, before a series of key launches. It yesterday announced an event on September 12th in San Francisco, where it is expected to unveil the next version of its iPhone. A new, smaller iPad is also expected soon.
The hackers said they had obtained the database of Apple device-identifiers from an FBI agent’s laptop. The FBI, whose international investigation into Anonymous and associates led to several arrests earlier this year, declined to comment. The leaked data centre on Apple’s “unique device identifiers”, which can be used by app developers to send notifications and to track users. Apple is already preparing to phase out UDIDs. Security and privacy campaigners have argued they could be used to hijack associated accounts, such as Facebook or Twitter.
“iPhone and iPad apps gain access to this information so it’s possible it could be coming from an app manufacturer but it would have to be a very popular app,” said Mikko Hypponen, chief research officer at F-Secure, a security firm. “There could be lots of questions about how Apple could do this better but it doesn’t look like it was Apple’s mistake.”
Aldo Cortesi, a New Zealand-based security consultant who has campaigned against UDID use, said in a blogpost that the leak was a “privacy catastrophe”.
In a statement, the hackers said they published the information to raise questions about the FBI’s suspected use of device data. These allegations have not been independently verified.
Copyright The Financial Times Limited 2012