Apple and Meta duped into giving away customer data

Apple and Facebook’s parent company Meta were persuaded to give up customer data to hackers posing as law enforcement agents bearing phony “emergency data requests,” Bloomberg revealed on Wednesday, citing three sources familiar with the matter. The fraudulently obtained information allegedly included users’ phone numbers, IP addresses, and even physical addresses.

The hackers also attempted to con Snap, the parent company of Snapchat, into coughing up the same data, but it’s not clear if they were successful. Sources declined to elaborate on how many times the social media platforms in question were convinced to turn over information in response to the fraudulent requests.

While such information is normally only provided in response to a subpoena or search warrant, both of which would require a judge’s signature, so-called “emergency requests” require nothing of the sort, making the hackers’ task surprisingly easy. Indeed, cybersecurity researchers investigating the case believe at least some of the hackers in question are minors operating out of the US and UK.

At least one of the minors is thought to be the leader of Lapsus$, a cybercrime ring which has previously hacked Microsoft, Samsung, and Nvidia, according to Bloomberg’s sources. City of London police have arrested seven people in connection to the Lapsus$ probe.

Attempting to explain its eagerness to fork over customer data, Apple referred Bloomberg to a section of its enforcement guidelines stating a “supervisor for the government or law enforcement agent who submitted the request may be contacted and asked to confirm to Apple that the emergency request was legitimate.”

Meta insisted it reviewed all data requests for “legal sufficiency” and claimed to use “advanced systems and processes to validate law enforcement requests and detect abuse.” 

According to spokesman Andy Stone, the company also blocks “known compromised accounts from making requests” and works with law enforcement to respond to “incidents involving suspected fraudulent requests, as we have done in this case.” 

Snap declined to comment beyond a statement pointing out that the company has safeguards to block fraudulent data requests.

The social media firms are ultimately the victims of law enforcement’s lust for data, given how often such agencies request information from online platforms. Apple provides data in response to a whopping 93% of emergency requests, while Meta reportedly responds with data to 77%.

This particular scam began around January 2021, two of the sources claimed, explaining the hackers targeted tech firms via hacked email domains belonging to law enforcement agencies located in several countries, forged with the effort to make them look legitimate. Sometimes they even included real stolen signatures, which can be obtained on dark web marketplaces for as little as $10, according to Gene Yoo of cybersecurity firm Resecurity. 

© 2022, paradox. All rights reserved.