Apple’s unique device identifiers, known as UDIDs, are strings of letters and numbers assigned to Apple devices. On their own, they are not of much value to hackers, but stitched together with other data — name, e-mail address, ZIP code, date of birth or driver’s license, for example — they can be used to compile a profile of a person that could be used to, say, answer their online security questions.
Apple has recently moved away from letting its app developers use device identifiers to make it harder for marketers to tie that that information to other data and track users across apps. Steve Dowling, an Apple spokesman, did not return requests for comment.
“A UDID is just a jumble of digits,” said Jim Fenton, the chief security officer of OneID. “It is only powerful when it is aggregated with other information.”
In their statement on the bulletin board PasteBin, the hackers said that they had obtained a file with “a list of 12,367,232 Apple iOS devices, including Unique Device Identifiers (UDID), user names, name of devices, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc.”
Of the file posted online, only a few identifiers were tied to e-mail addresses, apparently because the device’s owner chose to use an e-mail address when naming the device.
The hackers claimed to have obtained the file from the computer of Christopher K. Stangl, a member of the F.B.I.’s Cyber Action Team. A spokesman for the F.B.I. did not immediately comment on the reported breach, but security experts said the file could have been obtained from anywhere.