Apple and Facebook parent company Meta may have given private customer information such as addresses, phone numbers, and IP addresses to hackers who presented forged legal documents last year, a new report reveals.
Bloomberg reported Wednesday, citing three unnamed sources, that the data was given to hackers posing as law enforcement who used faked emergency data requests in mid-2021.
In the course of criminal investigations, law enforcement officials frequently request data from social media platforms, allowing them to learn more about the owner of a specific online account. Emergency data requests, on the other hand, do not require a subpoena or search warrant signed by a judge and are intended for cases involving life-threatening situations.
Fake emergency data requests are becoming more common, according to a recent Krebs on Security report.
Hackers must first gain access to a police department's email systems in order to launch an attack. The hackers can then impersonate a law enforcement official and create an emergency data request that describes the potential danger of not receiving the requested data right away.
According to Krebs, some hackers are selling access to government emails online in order to target social media platforms with bogus emergency data requests.
While neither Apple nor Meta specifically stated whether they handed over user data, both pointed to their processes for dealing with emergency government requests.
"We review every data request for legal sufficiency and use advanced systems and processes to validate law enforcement requests and detect abuse," Meta spokesperson Andy Stone told CNET. "We block known compromised accounts from making requests and work with law enforcement to respond to incidents involving suspected fraudulent requests, as we have done in this case."
Apple referred to its Law Enforcement Guidelines, Section II E, paragraph 3.
According to Krebs, the majority of bad actors carrying out these fake requests are teenagers, and cybersecurity researchers believe the teen mastermind behind the Lapsus$ hacking group may be involved in carrying out this type of scam. Since then, seven teenagers have been arrested in connection with the group.
Fake emergency data requests have affected a number of companies, not only Meta and Apple. According to Bloomberg, Snap was also contacted by hackers with a forged request, but it's unclear whether the company complied.
According to Krebs on Security's report, Discord confirmed that it gave away information in response to one of these bogus requests.
"This tactic poses a significant threat across the tech industry," Peter Day, Discord's group manager for corporate communications, told The Verge. "We are continuously investing in our Trust & Safety capabilities to address emerging issues like this one."