Apple and Meta, Facebook's parent company, provided user data to hackers pretending to be police officers. The data provided included IP addresses, phone numbers and home addresses.
This incident occurred in mid-2021. Law enforcement officers can indeed request user data from social media platforms in connection with criminal investigations, to find out who owns the account they are looking for.
Such requests usually require a subpoena or a search warrant from a court. But those documents are not needed for emergency data requests, which are intended for cases involving life-threatening situations.
According to a recent report by Krebs on Security, fake data requests are becoming more and more common. Usually, the hackers first have to gain access to a police email system.
The hacker then drafts a fake emergency data request while posing as a member of the police force. According to Krebs, some hackers have even sold access to government email accounts online, specifically for soliciting user data from social media platforms.
Krebs said most of the hackers who carried out these attacks were teenagers. In fact, according to a Bloomberg report, the mastermind behind the Lapsus$ hacker syndicate may be involved in this type of fraud.
But the series of attacks launched last year is believed to have been carried out by a cybercrime group called the Recursion Team. Although the group has disbanded, some of its members have joined Lapsus$ under other names.
Although they did not directly confirm that user data fell into the hands of hackers, Apple and Meta both explained how they handled emergency data requests.
"We review each data request for legal adequacy and use advanced systems and processes to validate law enforcement requests and detect abuse," said Meta Policy and Communications Director Andy Stone, as quoted by The Verge, Friday (1/4/2022).
"We block compromised accounts from making requests and work closely with law enforcement to respond to incidents involving fraudulent requests, as we have done in this case."
Meanwhile, Apple directed Bloomberg to its law enforcement guidelines. According to the company's guidelines, Apple will contact the regulatory agency that made the emergency data request to determine whether the request is genuine.
In addition to Apple and Meta, Bloomberg said hackers also sent Snap a fake emergency data request, but it is not known whether the company handed over users' personal data.
The Krebs report also reveals that Discord provided user information after receiving one of these bogus requests.
"This tactic poses a significant threat across the technology industry. We are continuing to invest in our Trust & Safety capabilities to address new issues like these," said Discord's Group Manager for Corporate Communications Peter Day.