Apple and Meta Gave User Data to Hackers Who Forged Requests

The hackers, who may have links to cybercrime group Lapsus$, are said to have compromised accounts to make emergency data requests about people using Apple and Facebook services.

Apple and Facebook parent company Meta provided user data last year to cybercriminals who requested the information by pretending to be law enforcement agencies, according to a Bloomberg report.

Three people familiar with an investigation into the matter told Bloomberg that the hackers compromised law enforcement accounts. This allowed them to request sensitive user data such as a customer’s address, phone numbers, and IP address from Apple and Facebook around mid-2021.

Such requests usually require documents signed by a judge or even a search warrant. Bloomberg reported that special ‘emergency data requests’, like the ones the hackers are rumored to have used, can be made when officials require speedy access to data in case of an emergency.

Snapchat owner Snap was also said to have been sent these forged requests, but it is not known whether the company ended up providing the user data.

Some of the hackers behind these requests are suspected to be teenagers based in the UK and US, according to cybersecurity researchers. One is also believed to be the mastermind behind the cybercrime group Lapsus$.

Lapsus$ has claimed responsibility for hacks targeting tech companies including Microsoft, Okta, Samsung and Nvidia in recent months. Seven people between the ages of 16 and 21 are rumored to have been arrested in the UK last week in relation to the cybercrime gang.

Hackers linked to a cybercrime group called Recursion Team are believed to be behind the forged data requests. According to Bloomberg’s report, this group is no longer active but members may have ended up joining Lapsus$ under different names.

The forged requests are believed to have been sent through hacked email domains belonging to law enforcement agencies in a number of countries. One person familiar with the matter told Bloomberg that the data obtained was used for harassment, while three sources said it may primarily be used for financial fraud schemes that bypass account security.

This tactic of compromising accounts tied to law enforcement and then sending unauthorized emergency data requests is becoming more and more common, according to a Krebs on Security report published earlier this week.

Meta, Apple, Snap and other tech companies have strict rules about who they hand out user data to. Usually, law enforcement officials can make requests for information as part of criminal investigations, but in the US, for example, they must submit an official court-ordered warrant or subpoena.

In certain cases involving imminent danger, an emergency request can be submitted, which can bypass official rules and court-approved documents. But hackers may now be trying to compromise even this system.

Meta spokesman Andy Stone told Bloomberg:

“We review every data request for legal sufficiency and use advanced systems and processes to validate law enforcement requests and detect abuse. We block known compromised accounts from making requests and work with law enforcement to respond to incidents involving suspected fraudulent requests, as we have done in this case.”

According to Apple’s legal process guidelines, if a law enforcement agency wants customer data under an emergency request:

“A supervisor for the government or law enforcement agent who submitted [the request] may be contacted and asked to confirm to Apple that the emergency request was legitimate.”

Krebs on Security reported that social platform Discord was also targeted with emergency requests for customer data, at least one of which is known to have been fulfilled.

Discord representatives gave the following statement:

“We can confirm that Discord received requests from a legitimate law enforcement domain and complied with the requests in accordance with our policies. While our verification process confirmed that the law enforcement account itself was legitimate, we later learned that it had been compromised by a malicious actor. We have since conducted an investigation into this illegal activity and notified law enforcement about the compromised email account.”