Sensitive data belonging to users of Apple and Meta (formerly Facebook) services was sent to hackers in mid-2021. The information, which included customer addresses and phone numbers, was shared by the companies themselves in response to alleged emergency requests made by the police. The problem is that the requests were false.
The case was revealed this Wednesday (30) by Bloomberg. According to the report, Apple and Meta weren’t the only ones receiving the requests. Snap (responsible for Snapchat) was apparently also targeted by the hackers, but it is not clear whether the company shared any information about its users. Discord also responded to one such request.
Legal requests for data of this kind are more common than many might imagine — they usually happen when there is a criminal investigation of someone who uses the platforms in question.
Brian Krebs, a former Washington Post reporter and digital security expert, explained on his website that, in the United States, such requests are usually accompanied by a search warrant or subpoena signed by a judge. However, emergency requests do not require this document, as they usually involve life-or-death situations.
“In this scenario, the receiving company finds itself caught between two unpleasant outcomes: not immediately complying with an EDR (‘Emergency Data Request’) — and potentially having someone’s blood on their hands — or possibly leaking a customer record to the wrong person.”
Krebs also says that as there is no standard mechanism for this request among the various police jurisdictions (18,000 of which are in the US alone), the work of hackers ends up being made easier: “All hackers need to be successful is illicit access to a single police email account”, he concludes.
Hackers break into police systems to spoof emails
The scheme begins with the compromise of government systems. With access to e-mail accounts belonging to authorities, hackers pose as police officers to demand data from companies and obtain confidential information associated with their customers.
As The Verge points out, access credentials for government e-mail accounts are for sale online. Authorities who spoke to Bloomberg further confirm that attackers have attacked systems in several countries in the last year.
As we recently reported regarding the Lapsus$ group, the evidence suggests that teenage hackers are behind the false requests made to Apple and Meta. As no one has claimed responsibility yet, it is also possible that another group — the Recursion Team, which has since disbanded — is involved in this case.
The group was led by a 14-year-old from the UK. Last year, a post by the teen on a cybercrime forum advertised “Subpoena service,” which according to the post’s description offered “law enforcement data from any service.”
What do companies say?
To The Verge, Meta’s director of policy and communications, Andy Stone, said the company reviews all data requests made by authorities, using “advanced systems and processes” to validate them.
“We prevent known compromised accounts from making requests and work with law enforcement to respond to incidents involving suspected fraudulent requests, as we did in this case,” Stone explained.
Apple, on the other hand, did not issue a specific statement for the case, but shared its law enforcement guidelines that indicate how the company proceeds in cases of legal requests:
“If a government or law enforcement agency seeks customer data in response to a government and law enforcement emergency information request, a government supervisor or law enforcement officer who submitted the government and law enforcement emergency information request may be contacted and asked to confirm to Apple that the emergency request was legitimate.”