Apple and Meta shared data with child hackers pretending to be law enforcement

The two tech companies are believed to have provided hacker groups with user information as part of the impersonation.

It was revealed on March 30 that both Apple and Facebook parent company, Meta, were duped by child hackers impersonating law enforcement officers last year, according to a report from Bloomberg. The two companies allegedly responded to emergency data requests from customers and unwittingly provided personal information such as addresses, phone numbers and even IP addresses of customers with these unknown parties in the process.

The group behind the phony emergency requests were believed to be minors located in the U.S. and U.K., with one reported to be aligned with one of two hacking groups, known as Recursion Team or Lapsus$. Lapsus$ is a South America-based collective rumored to be behind cyberattacks against tech companies like Microsoft, Samsung and Nvidia. It is still unknown at this time whether Lapsus$ or Recursion Team were behind the impersonation of law enforcement.

“Hackers are becoming smarter about how they obtain information from large organizations,” said PJ Norris, principal systems engineer at cybersecurity company Tripwire. “It’s easy to see how information can be disclosed in this manner. As hackers become smarter, organizations need to step up and ensure there are water tight processes in place and to be one step ahead.”

SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)

How the attacks happened

According to Bloomberg’s report, the requests for emergency data began as early as January of 2021, and the fake legal requests were believed to be legitimate after having been signed by made-up law enforcement officials. The forged documents were then sent to Meta and Apple via fake email addresses from governmental bodies based in different countries.

Typically in the U.S., requests for personal information of this kind are only available via a search warrant or subpoena signed by a judge, but emergency data requests circumvent this requirement. As of now, other tech companies may have been subject to this form of attack, but the two tech giants in Apple and Meta have been specifically outed as victims.

“When we hear of big organizations such as Apple & Meta succumbing to fake emergency requests, leading to a data breach of highly sensitive information, we have to wonder how the message about rigorous data security gets missed or overlooked by those who gather, process, and store our data,” said Erfan Shadabi, cybersecurity expert with data security specialists comforte AG. “But any organization, big or small, and no matter the industry they operate in, can become the next victim of a cyber attack. The harsh truth is this: threat actors will find a way to your organization’s data given enough time and incentive, no matter how fortified your digital environment is.”

Snap, the company behind app Snapchat, was also believed to be contacted as part of the ruse, with it still being unknown at this time if the company surrendered any user information as part of the attempted forgery.

“We review every data request for legal sufficiency and use advanced systems and processes to validate law enforcement requests and detect abuse,” Meta spokesperson Andy Stone said in a statement. “We block known compromised accounts from making requests and work with law enforcement to respond to incidents involving suspected fraudulent requests, as we have done in this case.”