According to a report by Bloomberg, Apple and Meta (formerly Facebook) have handed over customer data to hackers who misrepresented themselves as law enforcement. The report cites three people who are familiar with the matter.
The information provided to the hackers included basic user details such as address, phone number and IP address. The breach took place in mid-2021, when hackers forged “emergency data requests”, which are normally submitted with a search warrant or subpoena signed by a judge. Such requests don’t require a court order when submitted as an emergency, Bloomberg notes.
Other companies, including Snap (Snapchat), also received forged legal requests for user data; however, it is currently unknown whether Snap complied with such requests.
Cybersecurity experts believe the forged requests might have been sent by a cybercrime group known as Lapsus$, which consists of minors from the U.K. and U.S. One member of this group is known to have previously hacked big corporations including Microsoft, Nvidia and Samsung.
When asked about the incident, Apple referred Bloomberg to a section of its law enforcement guidelines, which states that a government or law enforcement agent who submitted a request to Apple may be contacted and asked to confirm to Apple that the emergency request is legitimate.
According to people familiar with the inquiry, user data acquired by hackers using forged legal requests is known to have been used for harassment campaigns. It has also been used to facilitate financial fraud schemes and in attempts to bypass a user’s account security.
Apple accepts legal requests for user data at an apple.com email address, “provided it is transmitted from the official email address of the requesting agency,” according to Apple’s legal guidelines.
Hackers went to great lengths to make the forged requests seem legitimate. This included forging signatures of law enforcement officers and compromising law enforcement email systems. The emails sent to companies also came from hacked email domains that belonged to law enforcement agencies in various countries.