Apple, Meta gave user data to hackers pretending to be police officials
Apple, Meta and Discord handed over user data to hackers who pretended to be law enforcement officials. According to a Bloomberg report, the slip-up took place in mid-2021, with the three companies providing information such as customers' addresses, phone numbers and IP addresses in response to ‘emergency data requests’.
Under normal circumstances, law enforcement agencies in the US are required to provide a search warrant or subpoena signed by a judge in order to request information from tech companies. Emergency Data Requests, or EDRs, bypass this mechanism: they don’t require a court order, and they allow officials to request data from social media companies and other tech firms. However, EDRs are requested only in life-threatening situations.
But now hackers are sending fake EDRs to tech companies by masquerading as law enforcement officials. Krebs on Security notes that some hackers have figured out there is no easy way for a company receiving an EDR to determine if it is legitimate. And so, hackers are using their illicit access to police email systems to send a ‘fake EDR along with an attestation that innocent people will likely suffer greatly or die unless the requested data is provided immediately’. The report also says that some hackers are selling access to government email accounts online for the purpose of targeting social platforms with fake EDRs.
The security firm suspects teenagers to be behind these attacks. Krebs says that teenage hacker groups such as Lapsus$ and Recursion Team are behind a majority of these fake EDRs. The publication, quoting several security researchers, said that the leader of Lapsus$, a hacker called ‘White’, was also a founding member of a cybercriminal group called Recursion Team. This group specialised in SIM swapping frauds and ‘swatting’ attacks, wherein hackers use fake bomb threats, hostage situations and other violent scenarios to trick police officials into visiting a potentially harmful website, which in turn leads to their credentials being compromised. These compromised credentials are sometimes sold on the dark web, and in other cases they are used for sending fake EDRs to companies.
Police in the UK have arrested seven teenagers in connection with the Lapsus$ attacks on Microsoft, Nvidia, Samsung, Ubisoft and Okta.
Notably, Apple, Meta and Discord aren’t the only companies that received fake EDRs. The Bloomberg report says that Snap also received a fake EDR from the same hackers. But it remains unknown if the company provided data in response.
Responding to the matter, Meta said that it did its due diligence in validating such requests. “We block known compromised accounts from making requests and work with law enforcement to respond to incidents involving suspected fraudulent requests, as we have done in this case,” it told the publication.
“If a government or law enforcement agency seeks customer data in response to an Emergency Government & Law Enforcement Information Request, a supervisor for the government or law enforcement agent who submitted the Emergency Government & Law Enforcement Information Request may be contacted and asked to confirm to Apple that the emergency request was legitimate,” Apple says in its guidelines.
The post Apple, Meta gave user data to hackers pretending to be police officials appeared first on BGR India.