Oh boy. Yup.
I initially thought that Apple may owe us an explanation, but the last part of this description from the hackers is interesting:
…[a file] with the name of “NCFTA_iOS_devices_intel.csv” turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. the personal details fields referring to people appears many times empty leaving the whole list incompleted on many parts.
UDIDs, APNS tokens, and some contact info?
All of this information could have been collected from an app transmitting data to a server. For instance, this is exactly the information that an ad network would want to collect. And in order to get stats from 12 million devices, it would probably need to be from a set of popular, free apps… where you’d probably see ads.
Apple and the carriers probably weren’t involved at all. And with iOS 6’s removal of UDIDs and prompting for contacts access, this data will become much harder to collect in the near future.
(By the way, checking for your UDID in the released list and not finding it really doesn’t tell you anything, since this is only 8% of the complete list. None of my devices were in it, but they might be among the other 11 million entries that we don’t have.)
The popular and free AllClear ID app, related to NCFTA, is a likely culprit, especially given the filename. AllClear ID sent a statement saying they do not collect UDIDs and are not affiliated with the NCFTA, for whatever it’s worth.