[BreachExchange] Apple, Meta turned over user data to hackers using forged requests: report

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Thu Mar 31 09:38:28 EDT 2022


https://www.msn.com/en-us/news/politics/apple-meta-turned-over-user-data-to-hackers-using-forged-requests-report/ar-AAVGIsj

Apple and Facebook parent company Meta turned over user data last year to
hackers pretending to be law enforcement officials, Bloomberg reported,
citing three people familiar with the matter.

The companies provided user details such as addresses, phone numbers and IP
addresses in mid-2021 to the hackers, sources told Bloomberg. The hackers
had requested the information via forged "emergency data requests," which
do not require court approval like typical warrants or subpoenas do.

It's unclear how much data was turned over.

Apple received 1,162 emergency requests from 29 countries between July and
December 2020 and turned over data for 93 percent of those, Bloomberg
noted. Meta received 21,700 emergency requests from January to June 2021
and turned over data for 77 percent of those requests.

Facebook has been scrutinized for its handling of user data for years
following reports that Cambridge Analytica obtained data on tens of
millions of the platform's users.

In a statement obtained by The Hill, Meta spokesperson Andy Stone said, "We
review every data request for legal sufficiency and use advanced systems
and processes to validate law enforcement requests and detect abuse."

"We block known compromised accounts from making requests and work with law
enforcement to respond to incidents involving suspected fraudulent
requests, as we have done in this case," he said.

An Apple spokesperson pointed The Hill to guidelines stating that law
enforcement agencies seeking customer data may be contacted to confirm the
request was legitimate.

"The government or law enforcement agent who submits the Emergency
Government & Law Enforcement Information Request should provide the
supervisor's contact information in the request," the guidelines read.

The hackers may have been involved with cyber crime groups Recursion Team
or Lapsus$, three people involved in the investigation told Bloomberg.

Lapsus$, a South American hacking group, was responsible for hacking
Microsoft, Okta, NVIDIA and Vodafone earlier this year.

The user data may have been used to engage in financial fraud schemes,
sources told Bloomberg. One person familiar told the outlet that the
information has been used for harassment campaigns.

Cybersecurity blog Krebs on Security reported on Tuesday that criminal
hackers are now using illegal access to police email systems to send fake
emergency data requests in order to obtain private data.

Hackers using this method will send fake requests to companies and claim
that if the data they ask for isn't provided immediately, innocent people
will be subjected to significant suffering or death, according to the blog.