Apple and Meta Handed Over User Data To Hackers Thinking They were Law Enforcement Officials
No one can guarantee the safety of your data. When saying this, we mean literally no one. For instance, it turns out that even the tech giants such as Apple and Meta can’t keep the data of their users safe. As Bloomberg reports, these two handed over user data to hackers. The incident happened in mid-2021 when hackers faked emergency data request orders. Usually, law enforcement officials send such orders. The transferred data included IP addresses, phone numbers, and home addresses.
How The Mechanism Works
That’s not a secret that law enforcement officials request data from social platforms quite frequently. They need data for criminal investigations. By using data, they are able to obtain information about the owner of a specific online account. Of course, in most cases, such requests require a subpoena or search warrant signed by a judge. But in emergency cases, they can bypass this rule. Hackers were using this situation to get their hands on the data they need.
Though we mention only one case happened with Apple and Meta, similar fake emergency data requests are quite common. There is a special algorithm to get data. Say, they need to gain access to a police department’s email systems. Afterward, they forge an emergency data request. In the latter, the hackers describe the potential danger. They can even say that the requested data wasn’t sent correctly. So they require another one.
What’s more interesting, in the vast majority of similar cases, the bac actors are teenagers. However, this is not the case. The attack was performed by the members of a cybercriminal group called Recursion Team. The hackers have gained access to accounts of law enforcement agencies in numerous countries. Also, they were targeting many firms starting in January 2021.
User Data Leak Everywhere
“We review every data request for legal sufficiency and use advanced systems and processes to validate law enforcement requests and detect abuse,” Andy Stone, Meta’s policy and communications director, said in an emailed statement to The Verge. “We block known compromised accounts from making requests and work with law enforcement to respond to incidents involving suspected fraudulent requests, as we have done in this case.”
In this regard, The Verge has tried to get some comments from Apple on the case. But what the Cupertino-based company said was its law enforcement guidelines.
“If a government or law enforcement agency seeks customer data in response to an Emergency Government & Law Enforcement Information Request, a supervisor for the government or law enforcement agent who submitted the Emergency Government & Law Enforcement Information Request may be contacted and asked to confirm to Apple that the emergency request was legitimate.”
In the past, hackers have used fake emergency data requests to attack other companies as well. Something similar has happened with Snap and Discord.
“This tactic poses a significant threat across the tech industry,” Peter Day, Discord’s group manager for corporate communications “We are continuously investing in our Trust & Safety capabilities to address emerging issues like this one.”