Apple and Meta Supplied Hackers With User Data
According to reports sent to Bloomberg by three people close to the issue, Apple Inc. and Meta Platforms Inc. provided hackers pretending to be law enforcement officials with user data. The hackers scammed the major companies through forged legal requests.
The incident occurred in the middle of last year, and the data compromised included customer addresses, phone numbers and IP addresses. While legal data requests require a search warrant or subpoena signed by a court judge, the requests used were “emergency data requests”, which, according to the sources, waive these requirements.
Snap Inc. was also targeted by the attack; however, there is nothing to say whether it fell for the scam or provided the hackers with data.
This trend of forged emergency data requests is on the rise, says Krebs on Security. Hackers gain access to police email accounts and then forge emergency data requests that stress the importance of the data for the investigation. Hackers reportedly sell government and police email details online for this exact purpose.
The hackers behind the attack are believed to be a group of minors across the UK and US, one of whom is believed to be the leader behind Lapsus$, the hacking group responsible for attacks on Microsoft, Samsung and Nvidia of late.
Bloomberg reached out to both Apple and Meta for comment. Apple responded with its law enforcement guidelines, which state that the agent who made the request may be verified via further contact to ensure legitimacy. Similarly, Meta stated that they “review every data request for legal sufficiency and use advanced systems and processes to validate law enforcement requests and detect abuse,”
“We block known compromised accounts from making requests and work with law enforcement to respond to incidents involving suspected fraudulent requests, as we have done in this case.”
Snap did not respond initially, but a spokesperson has since confirmed that they have a process in place to prevent incidents like this from occurring.
Alongside the believed involvement of Lapsus$, members of ex-cybercrime group ‘Recursion Team’ are thought to be responsible for a portion of the forged legal requests, according to three anonymous sources involved in the investigation.
Members of the former Recursion Team are thought to now be working for Lapsus$.
The data stolen is reportedly mainly used for financial fraud schemes.
Allison Nixon, chief research officer at the Unit 221B cyber firm, defended the actions of major corporations, saying that it all stemmed from “a person trying to do the right thing,”
“I can’t tell you how many times trust and safety teams have quietly saved lives because employees had the legal flexibility to rapidly respond to a tragic situation unfolding for a user.”
Krebs on Security stated that Tuesday saw a similar attack take place against Discord. Discord confirmed the report with Bloomberg.
“While our verification process confirmed that the law enforcement account itself was legitimate, we later learned that it had been compromised by a malicious actor. We have since conducted an investigation into this illegal activity and notified law enforcement about the compromised email account.”
Issues like this slip through the cracks because the screening process for these requests is complicated. With tens of thousands of emails ranging from local police departments to federal agencies, identifying fake requests is complicated. Meta said that of the 12,700 emergency requests it received from January to June last year, it provided data in response to 77% of them.
As each agency handles the requests differently, with not all going through the portals organized by Meta and Snap, identifying fake requests is difficult.