Apple and Meta provided user data to hackers spoofing as law enforcement officials

• Hackers compromised email domains of law enforcement agencies in multiple countries

• User data was used to enable harassment, may aid financial fraud

Apple Inc (NASDAQ: AAPL) and Facebook’s parent company Meta Platforms Inc (NASDAQ: FB) provided user data to hackers who impersonated law enforcement officials.

The two tech giants gave away basic user details, including address, phone number, and IP address, in mid-2021 in response to the forged “emergency data requests,” Bloomberg reported on Wednesday, citing people familiar with the matter.

Generally, data requests are provided to the law enforcement officials after submitting a search warrant or subpoena signed by a judge; the emergency requests don’t require a court order, the report said.

Bloomberg reported that Snap Inc (NASDAQ: SNAP) also received a forged legal request from the same group of hackers, but it is unknown whether the company provided data in response.

ALSO READ: Okta says service fully operational, no signs of breach

It’s also unclear how often the companies provided data prompted by forged legal requests. 

An Apple representative referred to the company guidelines, which state that a supervisor for the government or law enforcement agent who submitted the request “may be contacted and asked to confirm to Apple that the emergency request was legitimate.”

Andy Stone, a spokesperson at Meta, in a statement, said the company review requests “for legal sufficiency and use advanced systems and processes to validate” and detect abuse.

“We block known compromised accounts from making requests and work with law enforcement to respond to incidents involving suspected fraudulent requests, as we have done in this case.”

A spokesperson for Snap told Bloomberg that the company has safeguards to detect fraudulent requests from law enforcement.

ALSO READ: Google to buy cybersecurity firm Mandiant for $5.4 billion

Krebs on Security, a cybersecurity investigative website on Tuesday, reported that the social media platform Discord was another victim of the forged request.

In a statement to Bloomberg, Discord confirmed that it had fulfilled a forged legal request and said, “While our verification process confirmed that the law enforcement account itself was legitimate, we later learned that it had been compromised by a malicious actor. We have since conducted an investigation into this illegal activity and notified law enforcement about the compromised email account.”

Link to hacking group

A source told Bloomberg that the data obtained by the hackers had been used to enable harassment campaigns, while the other three sources expect the data to facilitate financial fraud schemes. 

The report said fraudulent data requests were a part of a months-long campaign that targeted many tech companies began in January 2021.

A person investigating the matter and three others confirmed to the news outlet that forged requests were sent via hacked email domains of law enforcement agencies in multiple countries.

Sources involved in the investigation told Bloomberg that hackers affiliated with a cybercrime group, “Recursion Team,” are believed to be involved in the forged legal requests.

ALSO READ: Samsung confirms company data, source code breach

Although Recursion Team is no longer active, many of its members are now a part of another hacking group Lapsus$, the report said.

Bloomberg reported cybersecurity researchers suspect some of the Lapsus$ members were involved in the crime, and they are minors located in the U.K. and the U.S. 

Lapsus$ was involved in hacking Microsoft Corp (NASDAQ: MSFT), Nvidia Corp (NASDAQ: NVDA), and Samsung Electronics Co, the report said.

London police have recently arrested seven people in connection with an investigation into the Lapsus$.

Picture Credit: Forbes