Newsletter
A new report has uncovered damning revelations against Meta and Apple, claiming that the companies gave away sensitive data to hackers posing as law enforcement in 2021. The information accessed includes user addresses, phone numbers, IP addresses, and others. The report claims that hackers used forged emergency data requests to trick Apple and Meta into providing the information.
The revelation was first made by Bloomberg (via Pocketnow), detailing how cybercriminals tricked tech industry giants into sharing sensitive user data. It’s routine for law enforcement officials to contact social media platforms to track a suspect. A majority of such requests require a search warrant or subpoena. However, law enforcement can skip this process using an emergency data request, usually deemed time-sensitive.
The hackers clearly understood this glitch in the system and took full advantage of it. But the process wasn’t that straightforward. The attackers first targeted emails of law enforcement officials, later using these credentials to submit requests to the two companies. Although there’s a built-in verification system for such requests, some slipped through the cracks.
Hacker group Lapsus$ could be behind this attack
There is no definitive answer about the person or group that led this attack. But a report by KrebsOnSecurity suggests the notorious data extortion group Lapsus$ could be responsible. Lapsus$ was also responsible for data attacks against companies like Microsoft, NVIDIA, Okta, and Vodafone in the past. The report notes that some members of the now-disbanded hacker group, The Recursion Team, may have joined Lapsus$.
Overall, Apple responded to 93% of the 1,162 emergency data requests, while Meta passed 77% of the 21,500 data requests. Hackers reportedly attacked and collected sensitive data for at least seven months beginning in January 2021.
A Meta spokesperson offered a statement to The Verge, saying the company goes through every data request for “legal sufficiency” and uses “advanced systems and processes to validate law enforcement requests and detect abuse.”
“We block known compromised accounts from making requests and work with law enforcement to respond to incidents involving suspected fraudulent requests, as we have done in this case,” the spokesperson further said.
Apple also offered a statement in response to these allegations. “If a government or law enforcement agency seeks customer data in response to an Emergency Government & Law Enforcement Information Request, a supervisor for the government or law enforcement agent who submitted the Emergency Government & Law Enforcement Information Request may be contacted and asked to confirm to Apple that the emergency request was legitimate,” a company spokesperson said.