Apple Inc. and Meta Platforms Inc. reportedly provided consumer data to hackers who pretended to be law enforcement officials in mid-2021. They were able to acquire details that came under ‘emergency data requests.’
Apple and Meta both provided basic subscriber details including customer addresses, phone numbers, IP addresses, etc. Such requests are only provided with a search warrant or subpoena signed by a judicial body. However, emergency requests do not need a court order.
Researchers suspect that some of the hackers sending the forged requests may have been minors located in the UK and the US. One of the minors is also believed to be the mastermind behind the cybercrime group, Lapsus$, that hacked Microsoft Corp., Samsung, and many others.
When asked to comment on the incident by Bloomberg, an Apple representative directed them to a section on law enforcement guidelines.
The guidelines state:
A supervisor for the government or law enforcement agent who submitted the request may be contacted and asked to confirm to Apple that the emergency request was legitimate.
While a spokesperson from Meta, Andy Stone, commented:
We review every data request for legal sufficiency and use advanced systems and processes to validate law enforcement requests and detect abuse … We block known compromised accounts from making requests and work with law enforcement to respond to incidents involving suspected fraudulent requests, as we have done in this case.
While Meta stated on its website:
In emergencies, law enforcement may submit requests without legal process. Based on the circumstances, we may voluntarily disclose information to law enforcement where we have a good-faith reason to believe that the matter involves imminent risk of serious physical injury or death.
Snap Inc. also received forged legal requests from the same hackers. However, it is not known whether the company provided data in response.
The company did not release an official comment on the incident, however, a spokesperson from the company confirmed that the company has safeguards in place to detect fraudulent requests from law enforcement agencies.
A hacktivist group called ‘Recursion Team’ is believed to be responsible for some of the forged legal requests sent to the companies throughout 2021. Although the group is not active, some of its members are still operating under different pseudonyms or as part of Lapsus$.
Chief Research Officer at the cyber firm, Unit 221B commented:
In every instance where these companies messed up, at the core of it there was a person trying to do the right thing. I can’t tell you how many times trust and safety teams have quietly saved lives because employees had the legal flexibility to rapidly respond to a tragic situation unfolding for a user.
Popular social platform, Discord also allegedly received a forged legal request as reported by Krebs on Security. The company stated:
We verify these requests by checking that they come from a genuine source and did so in this instance. While our verification process confirmed that the law enforcement account itself was legitimate, we later learned that it had been compromised by a malicious actor. We have since conducted an investigation into this illegal activity and notified law enforcement about the compromised email account.
Meta stated that it is working with law enforcement agencies to evaluate the incident. However, it is unclear how the group will exploit the consumer data and how it will be misused.
