UPDATE: According to NBC News, a small Florida-based app publisher called Blue Toad has told authorities that the million IDs released by Anonymous matched — with 98% accuracy — the ID numbers in its servers. That would seem to contradict the claim that the data were stolen from an FBI agents laptop. See here.
FORTUNE — Toward the end of a bizarre rant that begins with a quote from Salman Rushdie’s The Satanic Verses and ends with an off-color suggestion — in German — for the Republican candidate for President (“Romney aber, sag’s ihm, er kann mich im Arsche lecken!”) the anonymous AntiSec hacking group gets to the point:
During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of ”NCFTA_iOS_devices_intel.csv” turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. the personal details fields referring to people appears many times empty leaving the whole list incompleted on many parts. no other file on the same folder makes mention about this list or its purpose.
The statement says the data were released Tuesday — with some identifying information removed — to alert the public that, in its words,
“[unprintable] FBI IS USING YOUR DEVICE INFO FOR A TRACKING PEOPLE PROJECT OR SOME [unprintable]”
Note that the hackers don’t say they have obtained Apple IDs, passwords or credit card numbers.
Still, if the claims are to be believed, users whose addresses, cell phone numbers and iOS device IDs made their way from Apple’s (AAPL) servers to an FBI agent’s notebook computer deserve an explanation.
Comments in updates below from Apple and the FBI.
The hackers, for their part, say that no further statements or press interviews will be forthcoming until Gawker‘s beat reporter for two rough-and-tumble social media sites, 4chan and Reddit, is pictured on Gawker’s front page dressed in a tutu with a shoe on his head. “No tutu, no sources.”
You can read the AntiSec post in full here. Warning: It contains language unsuitable for polite company.
Via: The Next Web, which has posted a look-up tool here to determine if your UDID is one of the 1,000,001 that were released.
UPDATE: Gawker’s Reddit/4chan reporter, Adrian Chen, has complied with AltSec’s demand, posting a photo of himself in tutu with a shoe on his head. Meanwhile, the FBI has issued a statement through AllThingsD:
The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed. At this time there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data.
Hmm. “At this time… no evidence….” Perhaps. But back in the Watergate era, that’s what we used to call a nondenial denial.
UPDATE 2: An Apple spokesperson addressed the leaks Wednesday through AllThingsD:
“The FBI has not requested this information from Apple, nor have we provided it to the FBI or any organization. Additionally, with iOS 6 we introduced a new set of APIs meant to replace the use of the UDID and will soon be banning the use of UDID.”