One million unique device identifiers (UDIDs) from iOS devices have been posted online by hacking group Antisec, who claimed the UDIDs came from an FBI-owned laptop. The group published a file containing the UDIDs—as well as push notification tokens, device names, and more—on Monday evening, promising that there are plenty more entries where that came from. Antisec claims the original file contained roughly 12 million UDID entries—some with very personal data attached, such as full names, cell numbers, and home addresses.

There has been no official confirmation as of yet that Antisec's UDID list indeed came from an FBI laptop, but Antisec claims to have remotely accessed Supervisor Special Agent Christopher K. Stangl's data in March 2012 using a Java vulnerability, AtomicReferenceArray. The AtomicReferenceArray vulnerability in Oracle's Java software framework came to light earlier this year after it was being exploited in attacks that installed malware on end-user machines. Oracle released a patch in February.

That same month, members of the Anonymous hacking collective published a transcript of a conference call between investigators at the FBI and Scotland Yard during which operations against hacktivist group were discussed. About 40 law enforcement agents from various parts of the world participated in the call, which was intercepted after the leaking of an e-mail message sent to all the agents listing the time and code to get in, according to Rob Graham, CEO of penetration testing firm Errata Security.

The group claims to have found a file called "NCFTA_iOS_devices_intel.csv" with a listing of UDIDs for 12,367,232 iOS devices, though not all of them contain the same level of personal information. Antisec claims to have sanitized the 1 million UDIDs that it has chosen to leak publicly to leave the bare minimum for users to find out whether their devices were on the list. "Some devices contained a lot of [personal] info," the group wrote.

The UDID itself is a string of characters that tells Apple and developers which device is uniquely yours in order for them to push alerts to your phone, identify unique users, and so on. It's not the most secret information—your UDID is found on your device itself as well as within iTunes when you click on your device's serial number—and plenty of developers likely already have past app and notification records that include your UDID. Apple, however, began cracking down on developers' use of the UDID as a way to track users since the release of iOS 5 following privacy and security concerns. Apple had warned developers last October that the UDID was being deprecated, and in March of 2012, Apple began rejecting third-party apps that make use of the UDID.

So Apple itself and its developer network no longer relies on the UDID as a way to identify users, but part of the reason Apple did away with the UDID was because some developers were found to have been transmitting personal user data—along with the UDID—back to their own servers. As such, there are numerous apps that might have already collected and stored information like your name, birthdate, where you like to shop, what kind of device you use, and more, all of which may be attached to your UDID. And, for whatever reason, that data may be contained in the file that is believed to have been pieced together by the FBI.

As for why the FBI might have collected this info, there are no answers as of yet. Neither Apple nor the FBI responded to our request for comment by publication time, so the most that can be confirmed now is that there is a list available online with a million UDID entries. (MacRumors claims to have verified, using OpenFeint, that the numbers in the list are at least valid UDIDs.) The type of information available isn't atypical for what a third-party developer might already have on record, but there's no indication about what the FBI might have been doing with such a list. Without further verification on that front, it's not yet safe to assume that Antisec's claims are entirely valid.

For those still worried, there is already a tool available online for iOS device users to check whether their UDIDs appeared on the list. (As of this writing, my iPhone did not appear on the initial list, though some believe they have found evidence of President Obama's iPad with an indicator that someone used the device to play Fishing Fun 2.) Developer Frederic Jacobs is on a mission to identify which app-maker has allegedly given away user data to the FBI as well, and has posted a brief survey for those who do find their UDIDs in Antisec's list.

Update: The confirmations of the list (at least) containing valid UDIDs are now rolling in. Security journalist Rob Lemos says at least one of his devices is definitely on the list. "eCrime specialist" Peter Kruse has also confirmed that three of his devices are on the list.

Update 2: There is now a version of the UDID list in plaintext available online.

Update 3: The FBI has now issued a public statement:

"The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed. At this time, there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data," the FBI said.