Apple and Facebook’s parent company Meta provided user data to hackers posing as law enforcement officials, Bloomberg reports. Sources claim that the hackers forged emergency data requests, to which both companies responded. Apple and Meta handed over the home addresses, phone numbers, and IP addresses of an unknown number of users.
Apple and Meta shared user data with hackers
As Bloomberg notes, law enforcement officials regularly ask social media platforms to share information about users during criminal investigations. Typically, these requests come with a search warrant or a subpoena signed by a judge. The point of emergency data requests is to skirt this requirement in cases of imminent danger.
Unfortunately, this opens the door to fake requests. People involved in the investigation told Bloomberg that the hacking group “Recursion Team” was behind at least some of the forged legal requests. They sent their requests to several major technology companies throughout 2021, including Apple, Meta, Snap, and Discord.
The hackers sent legal requests from hacked email domains belonging to law enforcement agencies in several countries. The fake documents looked legitimate, often including forged signatures of real or fictional officials. By hacking into those law enforcement email systems, the hackers may have been able to find and use real requests as templates as well.
Bloomberg points out that Apple and Meta publish data about compliance with emergency data requests. Apple’s data shows that it received 1,162 emergency requests from 29 countries between July and December of 2020. The company responded to 93% of those requests. Meanwhile, Meta received 21,700 emergency requests from January to June of 2021. The company responded to 77% of those requests.
How companies are responding to the report
When reached for comment, Apple referred Bloomberg to a section of its law enforcement guidelines. Here’s the section Apple referenced in its entirety:
If a government or law enforcement agency seeks customer data in response to an Emergency Government & Law Enforcement Information Request, a supervisor for the government or law enforcement agent who submitted the Emergency Government & Law Enforcement Information Request may be contacted and asked to confirm to Apple that the emergency request was legitimate. The government or law enforcement agent who submits the Emergency Government & Law Enforcement Information Request should provide the supervisor’s contact information in the request.
Meta spokesman Andy Stone shared the following statement with Bloomberg: “We review every data request for legal sufficiency and use advanced systems and processes to validate law enforcement requests and detect abuse. We block known compromised accounts from making requests and work with law enforcement to respond to incidents involving suspected fraudulent requests, as we have done in this case.”
According to Bloomberg’s sources, Recursion Team is no longer active. That said, members of the team are still at large. Some are reportedly involved with the cybercrime group Lapsus$, which has taken credit for several major hacks in recent months. As for the data the hackers obtained, sources say they have used it to enable harassment campaigns. The data makes it easier to bypass account security and conduct financial fraud schemes.