Apple and Meta reportedly gave user data to hackers forging requests

31 Mar 2022

Image: © Thaspol/Stock.adobe.com

The hackers, who may have links to cybercrime group Lapsus$, are said to have compromised accounts to make emergency data requests.

Apple and Facebook parent company Meta provided user data to cybercriminals last year who requested the information after pretending to be law enforcement, according to a Bloomberg report.

Three people familiar with an investigation into the matter told Bloomberg that the hackers compromised law enforcement accounts and requested sensitive user data such as a customer’s address, phone number and IP address from Apple and Meta in mid-2021.

Such requests usually require documents signed by judges or search warrants, but Bloomberg reported that special ‘emergency data requests’, like the ones the hackers used, can be made when officials require speedy access to data.

Snapchat owner Snap was also said to have been sent these forged requests, but it is not known whether the company provided user data.

Some of the hackers behind these requests are suspected to be teenagers based in the UK and US, according to cybersecurity researchers. One is believed to be the mastermind behind the cybercrime group Lapsus$.

Lapsus$ has claimed responsibility for hacks targeting tech companies including Microsoft, Okta, Samsung and Nvidia in recent months. Seven people between the ages of 16 and 21 were arrested in the UK last week in relation to the cybercrime gang.

Hackers linked to a cybercrime group called Recursion Team are believed to be behind the forged data requests. According to Bloomberg’s report, this group is no longer active but members may have gone on to join Lapsus$ under different names.

The forged requests are believed to have been sent through hacked email domains belonging to law enforcement agencies in a number of countries. One person familiar with the matter told Bloomberg that the data obtained was used for harassment, while three sources said it may primarily be used for financial fraud schemes that bypass account security.

Legal guidelines

This tactic of compromising accounts tied to law enforcement and then sending unauthorised emergency data requests is becoming more common, according to a Krebs on Security report published earlier this week.

Meta, Apple, Snap and other tech companies have strict rules about who they hand out user data to. Usually, law enforcement officials can make requests for information as part of criminal investigations – but, in the US for example, must submit an official court-ordered warrant or subpoena.

An emergency request can be submitted in certain cases involving imminent danger, which can bypass official rules and court-approved documents. But hackers may now be trying to compromise this system.

“We review every data request for legal sufficiency and use advanced systems and processes to validate law enforcement requests and detect abuse,” Meta spokesman Andy Stone told Bloomberg.

“We block known compromised accounts from making requests and work with law enforcement to respond to incidents involving suspected fraudulent requests, as we have done in this case.”

According to Apple’s legal process guidelines, if a law enforcement agency wants customer data under an emergency request, “a supervisor for the government or law enforcement agent who submitted [the request] may be contacted and asked to confirm to Apple that the emergency request was legitimate”.

Krebs on Security reported that social platform Discord was also targeted with emergency requests for customer data, at least one of which it had fulfilled.

“We can confirm that Discord received requests from a legitimate law enforcement domain and complied with the requests in accordance with our policies,” the company wrote in a statement.

“While our verification process confirmed that the law enforcement account itself was legitimate, we later learned that it had been compromised by a malicious actor. We have since conducted an investigation into this illegal activity and notified law enforcement about the compromised email account.”

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.

Vish Gain was a journalist with Silicon Republic

editorial@siliconrepublic.com