Apple and Meta allegedly shared user data with a hacker group that masqueraded as law enforcement officials, according to a new report from Bloomberg.
Citing three sources close to the matter, the report claims that the malicious actors used legitimate email accounts that had been compromised to send forged legal requests for information. The requests were apparently convincing enough to fool Apple and Meta into providing the information, which includes customer addresses, phone numbers and IP addresses.
Discord and Snap were also targeted, adds Krebs on Security. The former reportedly handed over "the Internet address history of Discord accounts tied to a specific phone number". As for the latter, it is not yet known whether any data was shared.
Tech companies that deal with sensitive user information usually provide it only when a search warrant or subpoena from a judge is presented. In this case, however, the forged requests were emergency requests, so Apple and Meta likely complied without asking further questions. Emergency requests are typically made when there's imminent danger or harm.
Meta claims that safeguards are in place to detect abuse and protect users' sensitive information. "We block known compromised accounts from making requests and work with law enforcement to respond to incidents involving suspected fraudulent requests, as we have done in this case," said Andy Stone, Meta spokesperson.
Discord also acknowledged the incident, confirming that a legitimate law enforcement domain placed a legal request and they complied in accordance with their policies. "While our verification process confirmed that the law enforcement account itself was legitimate, we later learned that it had been compromised by a malicious actor," said Discord. "We have since conducted an investigation into this illegal activity and notified law enforcement about the compromised email account."
Apple and Snap, meanwhile, didn't comment on the incident. Both pointed to their company guidelines, which state that they verify the legitimacy of requests for access to user data.
Security researchers believe the cybercrime group "Recursion Team" could be behind the scheme, as it was also linked to a similar scheme last year. Some of the hackers are reportedly minors residing in the U.S. and the U.K., with at least one also involved with Lapsus$, the same group that recently stole source code from Microsoft, Samsung and Okta.
Apple and Meta allegedly shared user data with a hacker group that masqueraded as law enforcement officials.
The malicious actors used legitimate email accounts that had been compromised to send forged emergency requests for information.
Apple and Meta reportedly shared basic customer information, such as customer addresses, phone numbers and IP addresses.
Meta claims safeguards are already in place to detect any sign of abuse, while Apple didn't comment on the incident.