
The story about AntiSec allegedly stealing 12 million Unique Device Identifiers (UDIDs) for iPhones and iPads from the laptop of an FBI agent is rapidly becoming a case of "he said, she said."

Regardless of who was victimized, the more interesting question is how the data was compiled, and there are hints it may have been the result of a targeted email attack.

"I'm speculating that the Java vulnerability was exploited to install malware onto the computer that then scooped up the data file," Graham Cluley, senior technology consultant at Sophos, told Security Watch. He declined to elaborate on how the owner of the laptop may have been duped into visiting a malicious webpage containing the exploit.

FBI Wasn't Attacked, Says FBI

As reported earlier by PCMag.com, AntiSec claimed in its Pastebin post that the file containing these unique identifiers for Apple devices was lifted from a laptop belonging to Christopher K. Stangl, an FBI recruiter well known for his efforts to recruit white hat hackers for the federal government. Security Watch spoke with several experts who expressed doubts that the source of the data leak was an FBI laptop, with F-Secure's Sean Sullivan going so far as to call it a "PR scam for Anonymous." The FBI has also adamantly denied AntiSec's claim.

"At this time, there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data," the federal agency told Security Watch in an emailed statement.

The post accompanying the leaked data claimed the attackers used a zero-day vulnerability in Java back in March. The zero-day allegedly used is not the same vulnerability Oracle patched last week. If the post lied about where the data was stolen from, it may also have lied about the methods used to generate this list. It's also not known at this time why the FBI would have had this list in the first place (although the implications are frightening).

Some security experts have pointed out that a list like this could instead have been assembled from identifiers collected by apps and transmitted to ad networks, with no government laptop involved at all.

Phishing FBI Agents?

However, if a Java vulnerability really was used, it is possible the attackers sent targeted emails to gain access to that file, speculated Robert Graham, CEO of security firm Errata Security. The "obvious attack," Graham wrote on the company blog, is to phish the email addresses of the law enforcement officers that were leaked back in February.

Earlier this year, Anonymous intercepted an email inviting 40 law enforcement officials in the United States and several European countries, including the United Kingdom, France, and Germany, to a conference call discussing LulzSec. Anonymous listened in on the call and posted both the original meeting invitation and a transcript of the call. The email addresses of all the agents invited to that call were exposed.

Stangl was one of the 40 invitees to that infamous conference call, although it's not known whether he actually attended the meeting.

Once the invitation leaked, Graham said, attackers could phish those email addresses with a message spoofing the same sender address and containing a link to a website hosting a Java applet carrying the exploit. Such a message could even play on the fact that the call had been recorded and the transcript posted. He speculated that up to 20 percent of the recipients (8 out of 40) might have fallen for the lure.

Hackers aren't necessarily smart, but they operate from a set of well-known principles, Graham said. "If I have an e-mail list of victims, and a new 0day appears, I'm immediately going to phish with it. It's not Chinese uber APT hackers, it's just monkeys mindlessly following a script," he said.