Sep 4, 2012

Apple UDIDs Compromised: What You Need to Know

News broke this morning that AntiSec publicly posted 1,000,001 Apple UDIDs (Universal Device IDs) allegedly retrieved from an FBI computer. The group claims that in addition to a supposed 12 million UDIDs, it also gathered usernames, device names, push tokens, zip codes, cell phone numbers, and addresses for the corresponding UDIDs in the original leak, although they were not made public with the sampling that was posted.

At this point there's a fair amount of speculation about the situation, but we wanted to clarify what LastPass users should know:
  • We released a tool at https://lastpass.com/udid to check whether your UDID is on the list. Note that yours could still be one of the alleged 11 million not publicly released, so caution is still recommended.
  • The leaked UDIDs in and of themselves do not pose a serious risk to users. However, there's cause for concern when UDIDs are paired with personally identifiable information, which the hackers indicate they have in the original data set, although there's no proof at this time. Combined with your name, address, mobile number, and the types of Apple devices you own, identity theft and social engineering are potential threats.
  • Apple has moved away from allowing apps to use the UDID for their own purposes, but has only recently begun enforcing this on app updates. Some services could still be using the UDID as their entire authentication, meaning a particular device (identified by its UDID) is granted access to the service. An attacker who has your UDID could gain access to those accounts; the data there is likely not highly sensitive, but it could still make it possible to trace a UDID to a specific individual.
  • The leak is not a threat to LastPass user accounts. LastPass used to use the UDID as a secondary factor for logging in on iOS, instead of your standard secondary factor (i.e. your YubiKey), but late last year we switched to a random identifier that we store on the device and that is independent of the UDID, and all old UDIDs were disabled.
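As an added illustration (example code, not LastPass's own implementation), here is a sketch of the two device-factor designs the last two points describe: one that accepts the static UDID as the factor, and one that issues a random per-device identifier the server keeps only as a hash and can disable. The account name, sample UDID and class names are constructed for the example.

```python
import hashlib
import secrets

def _digest(token):
    # The server stores only a hash of the device token, never the token itself.
    return hashlib.sha256(token.encode()).hexdigest()

class UdidSecondFactor:
    """Weak: the static UDID is the factor; every app on the device can read it."""
    def __init__(self):
        self.enrolled = {}  # account -> set of UDIDs allowed to log in

    def enroll(self, account, udid):
        self.enrolled.setdefault(account, set()).add(udid)

    def verify(self, account, presented_udid):
        # Anyone holding a copy of the UDID (e.g. from a leaked list) passes.
        return presented_udid in self.enrolled.get(account, set())

class RandomDeviceToken:
    """Hardened: a random per-device token, stored hashed and revocable server-side."""
    def __init__(self):
        self.enrolled = {}  # account -> {sha256(token): enabled}

    def enroll(self, account):
        token = secrets.token_hex(32)  # 256 bits from the OS CSPRNG
        self.enrolled.setdefault(account, {})[_digest(token)] = True
        return token  # handed to the device once; the server keeps only the hash

    def verify(self, account, presented):
        # A leaked UDID, or any guess, hashes to nothing the server knows.
        return self.enrolled.get(account, {}).get(_digest(presented), False)

    def disable_all(self, account):
        # Migration step: old device factors are switched off, not just unused.
        for h in self.enrolled.get(account, {}):
            self.enrolled[account][h] = False

def demo():
    udid = "a1b2c3d4e5f60718293a4b5c6d7e8f9012345678"  # constructed sample UDID
    weak, strong = UdidSecondFactor(), RandomDeviceToken()
    weak.enroll("alice", udid)
    token = strong.enroll("alice")
    before = (weak.verify("alice", udid), strong.verify("alice", udid), strong.verify("alice", token))
    strong.disable_all("alice")
    return {"weak_accepts_leaked_udid": before[0],
            "strong_rejects_leaked_udid": not before[1],
            "strong_accepts_device_token": before[2],
            "strong_rejects_after_disable": not strong.verify("alice", token)}
```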
The best steps LastPass users can take at this time:
  • Although passwords were not on the list of data supposedly compromised, it's never a bad time to check that your passwords are strong and unique. Run the LastPass Security Check (in the LastPass icon's Tools menu) to identify any weak and duplicate passwords, and prioritize updating them.
  • Consider enabling the free credit monitoring service to monitor for any signs of identity theft.
  • Enable multifactor authentication for added protection of your LastPass account.
  • Do not give any personal information to anyone purporting to be from Apple or other services unless you explicitly contacted them, whether via phone, email, or notifications on your device.
We'll continue to monitor the situation and update our users if any other details come to light.