Apple and Meta, Facebook’s parent company, gave customer details to hackers posing as law enforcement officials, according to sources close to the issue.
The claims were first reported by Bloomberg.
The tech giants reportedly provided basic subscriber data, including customer addresses, phone numbers and IP addresses, in mid-2021. They provided the details in response to a fake “emergency data request”.
These requests are usually made only when a search warrant or subpoena is signed by a judge, the sources said. The emergency calls reportedly do not require a court order.
According to cybersecurity researchers, some of the hackers who obtained the information could be minors in the UK and US. One of these hackers is said to be the head of a cybercrime group called Lapsus$, which has previously hacked Microsoft, Samsung and Nvidia, among others.
Seven hackers linked to investigations into the group have been arrested by London Police and investigations are ongoing.
Bloomberg reached out to Apple for comment, and the company referred reporters to its corporate law enforcement policies.
In accordance with company policy, Apple may contact the supervisor of any law enforcement agency that makes an emergency request to determine if the request is legitimate.
Meta provided the following explanation Bloomberg Reporter.
“We review every data request for legal sufficiency and use advanced systems and processes to validate law enforcement requests and detect abuse,” Meta spokesperson Andy Stone told the outlet. “We block known compromised request accounts and are working with law enforcement to respond to incidents of suspected fraudulent requests, as we did in this case.”
Meta’s policy states that it can provide user information to law enforcement agencies upon request if they have a “good faith reason” to believe the request involves an “imminent risk.”
“In emergencies, law enforcement agencies may make requests without a trial,” Meta’s policy reads. “Due to the circumstances, we may voluntarily release information to law enforcement when we have a good faith belief that the matter presents an imminent risk of serious personal injury or death.”
Accordingly cancer over safetythe hackers had faked an emergency data request from Discord, a social media platform mostly used by gamers and other niche communities.
Discord issued a statement to the outlet.
“We verify these requests by verifying that they are from a genuine source, and in this case we have done so,” Discord said in the statement. “While our verification process confirmed that the law enforcement account itself was legitimate, we later learned that it had been compromised by a malicious actor. We have since conducted an investigation into this illegal activity and notified law enforcement about the compromised email account.”