Apple and Meta shared data with hackers posing as law enforcement officials

According to a report by Bloomberg, Apple and Meta handed user data to hackers who forged emergency data requests, which are usually sent by law enforcement agencies. The slip-up happened in mid-2021, when both companies fell for the fake requests and disclosed users’ IP addresses, phone numbers, and home addresses.

Law enforcement officials often solicit data from social platforms in the context of criminal investigations to obtain information about the owner of a particular online account. While these requests require a subpoena or search warrant signed by a judge, emergency data requests do not – and are intended for cases involving life-threatening situations.

Fake emergency data requests are becoming increasingly common, as explained in a recent report by Krebs on Security. To carry out the attack, hackers must first gain access to a police station’s email systems. Posing as a police officer, the hackers can then forge an emergency data request that describes the potential danger of not providing the requested data immediately. According to Krebs, some hackers are selling access to government emails online, specifically with the aim of attacking social platforms with fake emergency data requests.

Fake emergency data requests are most commonly made by teenagers

As Krebs notes, most of the bad actors performing these fake requests are actually teenagers — and according to Bloomberg, cybersecurity researchers believe the teenage mastermind behind the Lapsus$ hacking group could be involved in this type of scam. London police have since arrested seven teenagers in connection with the group.

But last year’s series of attacks may have been carried out by members of a cybercriminal group called the Recursion Team. Although the group has disbanded, some of its members have joined Lapsus$ under different names. Officials involved in the investigation told Bloomberg that over the course of several months from January 2021, hackers accessed law enforcement agency accounts in several countries and targeted many companies.

“We review every data request for legal appropriateness and use advanced systems and processes to validate law enforcement requests and detect abuse,” said Andy Stone, Meta’s policy and communications director, in a statement emailed to The Verge. “We block known compromised request accounts and are working with law enforcement to respond to incidents of suspected fraudulent requests, as we did in this case.”

When asked for comment, Apple referred The Verge to its law enforcement policy, which states, “When a government or law enforcement agency requests customer information in response to an emergency government and law enforcement request, a supervisor for the government or law enforcement officer who submitted the emergency request may be contacted and asked to confirm to Apple that the emergency request was legitimate.”

Meta and Apple aren’t the only well-known companies hit by fake emergency data requests. According to Bloomberg, hackers also contacted Snap with a fake request, but it’s not clear if the company complied. Krebs on Security’s report also includes confirmation from Discord that the platform disclosed information in response to one of these fake requests.

“This tactic poses a significant threat to the entire tech industry,” said Peter Day, group manager for corporate communications at Discord, in a statement emailed to The Verge. “We continually invest in our Trust & Safety capabilities to address emerging issues like this.”

Snap did not immediately respond to a request for comment from The Verge.

Update March 30 9:24pm ET: Updated to include a statement from a Discord spokesperson.