Apple and Meta reportedly handed user data to hackers masquerading as law enforcement

midian182

Posts: 7,891   +82
Staff member
In a nutshell: Apple and Facebook parent Meta handed over customer data to a group of hackers who were masquerading as law enforcement officials, according to a new report. Using Emergency Data Requests, the criminals were able to gather customers' physical addresses, phone numbers, and IP addresses.

Citing three people with knowledge of the matter, Bloomberg writes that Apple and Meta were responding to forged Emergency Data Request (EDR) forms. While standard data requests are only provided by a warrant or a judge, EDRs, used in cases where there is an imminent danger, don't require a court order. According to the report, the stolen information has been used for fraud schemes, to access accounts, and to enable harassment campaigns.

Snap Inc. reportedly received one of the forged legal requests, but it's unclear whether the company also provided information to the hackers.

Cybersecurity researchers suspect that some of those responsible for sending the forged requests were minors from the US and UK, one of whom is said to be the same mastermind behind the notorious Lapsus$ group. The teenager was recently identified and could have been one of the seven people that were later arrested.

Apple's guidelines say that the company may contact a law enforcement official's supervisor to check a request is legitimate, and Meta said it reviews "every data request for legal sufficiency and use advanced systems and processes to validate law enforcement requests and detect abuse." Snap said it also had safeguards in place to detect fraudulent requests.

The hackers behind the forged requests, part of a months-long campaign that targeted several tech companies, are believed to have been affiliated with a group called Recursion Team. While that's no longer active, former members have become part of other groups, including Lapsus$.

The requests appeared authentic as hackers compromised law enforcement email systems to steal the document templates and often forged signatures of real or fictional officers. Krebs on Security writes that the group submitted one of the requests to Discord, which it fulfilled. The company says that while its "verification process confirmed that the law enforcement account itself was legitimate, we later learned that it had been compromised by a malicious actor."


Squid Surprise

Posts: 5,335   +4,980
Clearly the majority of the fault lies in the law enforcement systems that were hacked... I can see Apple and Facebook using this as another excuse NOT to hand information over to authorities though... which would actually be a good result for end users...
 

brucek

Posts: 1,126   +1,668
Do the "advanced systems and processes" not include reaching out to the requesting agency, using its publicly available contact information vs. whatever is on the request form? Especially for emergency orders for invasive information?