In a nutshell: Apple and Facebook parent Meta handed over customer data to a group of hackers who were masquerading as law enforcement officials, according to a new report. Using Emergency Data Requests, the criminals were able to gather customers' physical addresses, phone numbers, and IP addresses.
Citing three people with knowledge of the matter, Bloomberg writes that Apple and Meta were responding to forged Emergency Data Request (EDR) forms. While standard data requests must come with a warrant or be approved by a judge, EDRs, which are used in cases of imminent danger, don't require a court order. According to the report, the stolen information has been used for fraud schemes, to access accounts, and to enable harassment campaigns.
Snap Inc. reportedly received one of the forged legal requests, but it's unclear whether the company also provided information to the hackers.
Cybersecurity researchers suspect that some of those responsible for sending the forged requests were minors from the US and UK, one of whom is said to be the mastermind behind the notorious Lapsus$ group. The teenager was recently identified and could have been one of the seven people who were later arrested.
Apple's guidelines say that the company may contact a law enforcement official's supervisor to check that a request is legitimate, and Meta said it reviews "every data request for legal sufficiency and use advanced systems and processes to validate law enforcement requests and detect abuse." Snap said it also had safeguards in place to detect fraudulent requests.
The hackers behind the forged requests, part of a months-long campaign that targeted several tech companies, are believed to have been affiliated with a group called Recursion Team. While that group is no longer active, former members have joined other groups, including Lapsus$.
The requests appeared authentic because the hackers compromised law enforcement email systems to steal the document templates and often forged the signatures of real or fictional officers. Krebs on Security writes that the group submitted one of the requests to Discord, which fulfilled it. The company says that while its "verification process confirmed that the law enforcement account itself was legitimate, we later learned that it had been compromised by a malicious actor."