Apple and Facebook’s parent company Meta were persuaded to give up customer data to hackers posing as law enforcement agents bearing phony “emergency data requests,” Bloomberg revealed on Wednesday, citing three sources familiar with the matter. The fraudulently obtained information allegedly included users’ phone numbers, IP addresses, and even physical addresses.
The hackers also attempted to con Snap, the parent company of Snapchat, into coughing up the same data, but it’s not clear if they were successful. Sources declined to elaborate on how many times the social media platforms in question were convinced to turn over information in response to the fraudulent requests.
While such information is normally only provided in response to a subpoena or search warrant, both of which would require a judge’s signature, so-called “emergency requests” require nothing of the sort, making the hackers’ task surprisingly easy. Indeed, cybersecurity researchers investigating the case believe at least some of the hackers in question are minors operating out of the US and UK.
At least one of the minors is thought to be the leader of Lapsus$, a cybercrime ring which has previously hacked Microsoft, Samsung, and Nvidia, according to Bloomberg’s sources. City of London police have arrested seven people in connection to the Lapsus$ probe.
Attempting to explain its eagerness to fork over customer data, Apple referred Bloomberg to a section of its enforcement guidelines stating a “supervisor for the government or law enforcement agent who submitted the request may be contacted and asked to confirm to Apple that the emergency request was legitimate.”
Meta insisted it reviewed all data requests for “legal sufficiency” and claimed to use “advanced systems and processes to validate law enforcement requests and detect abuse.”
According to spokesman Andy Stone, the company also blocks “known compromised accounts from making requests” and works with law enforcement to respond to “incidents involving suspected fraudulent requests, as we have done in this case.”
Snap declined to comment beyond a statement pointing out that the company has safeguards to block fraudulent data requests.