Apple and Meta give away customer data – media

31 Mar, 2022 00:48 / Updated 3 years ago
Tech giants reportedly served up data to hackers pretending to be law enforcement

Apple and Facebook’s parent company has been persuaded to give up customer data to hackers posing as law enforcement agents bearing phony “emergency data requests,” Bloomberg revealed on Wednesday, citing three sources allegedly familiar with the matter. The imposters fraudulently obtained information which apparently included users’ phone numbers, IP addresses, and even physical addresses.

The hackers also attempted to con Snap, the parent company of Snapchat, into coughing up the same knowledge, but it’s not clear if they were successful. Sources declined to elaborate on how many times the social media platforms in question were convinced to turn over personal details in response to the fraudulent requests.

While such data is normally only provided in response to a subpoena or search warrant, both of which would require a judge’s signature, so-called “emergency requests” require nothing of the sort, making the hackers’ task surprisingly easy. Indeed, cybersecurity researchers investigating the case believe at least some of the hackers in question are minors operating out of the US and UK.

At least one of the teenagers is thought to be the leader of Lapsus$, a cybercrime ring which has previously hacked Microsoft, Samsung, and Nvidia, according to Bloomberg’s sources. City of London police have arrested seven people in connection to the Lapsus$ probe.

Attempting to explain its eagerness to fork over customer data, Apple referred Bloomberg to a section of its enforcement guidelines stating a “supervisor for the government or law enforcement agent who submitted the request may be contacted and asked to confirm to Apple that the emergency request was legitimate.”

Meta insisted it reviewed all such requests for “legal sufficiency” and claimed to use “advanced systems and processes to validate law enforcement requests and detect abuse.” 

According to spokesman Andy Stone, the company also blocks “known compromised accounts from making requests” and works with law enforcement to respond to “incidents involving suspected fraudulent requests, as we have done in this case.” 

Snap declined to comment beyond a statement pointing out that the company has safeguards to block fraudulent requests.

The social media firms are ultimately the victims of law enforcement’s lust for information, given how often such agencies request private details from online platforms. Apple provides data in response to a whopping 93% of emergency requests, while Meta reportedly accedes to 77%.

This particular scam began around January 2021, two of the sources claimed, explaining the hackers targeted tech firms via hacked email domains belonging to law enforcement agencies located in several countries, forged with the effort to make them look legitimate. Sometimes they even included real stolen signatures, which can be obtained on dark web marketplaces for as little as $10, according to Gene Yoo of cybersecurity firm Resecurity.