Both companies received fake requests from hackers posing as law enforcement.
Failing to attack the platforms and products of the tech giants, hackers have found a less elaborate way to deceive them. And the trick is as old as the world: pretending to be someone else.
Apple (AAPL) and Meta Platforms (FB), formerly Facebook, have just learned a hard lesson.
The story is odd because the theft seems simple, even though the computer-and-iPhone maker and the social-media company have invested billions of dollars in security to counter cyberattacks and ensure that customer data does not fall into the hands of criminals or blackmailers.
One of Apple’s marketing arguments for many years has been the ultrasecurity of its iOS operating system. Regular updates enable the company to quickly close any system vulnerability.
But the story is deadly serious because it’s about stealing data from Apple and Facebook users.
What Did the Hackers Do?
Hackers posing as law enforcement have requested information about users of both companies, according to Bloomberg. Apple and Meta provided the requested data.
Apple and Meta provided basic subscriber details, such as a customer’s address, phone number and IP address, in mid-2021 in response to the forged “emergency data requests.”
Normally, data is provided in response to such requests only with a search warrant or subpoena signed by a judge, Bloomberg said, citing people familiar with the matter. But emergency requests don’t require a court order.
The information the hackers obtained using the forged legal requests has been used to enable harassment campaigns, per the report. It may be used primarily to facilitate financial fraud schemes. The hackers can use a victim’s information to attempt to bypass account security.
Apple and Meta have neither confirmed nor denied the Bloomberg report.
“We review every data request for legal sufficiency and use advanced systems and processes to validate law enforcement requests and detect abuse,” Meta spokesperson Andy Stone told TheStreet in an email statement.
“We block known compromised accounts from making requests and work with law enforcement to respond to incidents involving suspected fraudulent requests, as we have done in this case.”
Meta, however, does not say whether the group blocked the request when it was made or after information was shared with the hackers.
A Trick Played by Minors
Apple for its part referred TheStreet to its Law Enforcement Guidelines.
“If a government or law enforcement agency seeks customer data in response to an Emergency Government & Law Enforcement Information Request, a supervisor for the government or law enforcement agent who submitted the Emergency Government & Law Enforcement Information Request may be contacted and asked to confirm to Apple that the emergency request was legitimate,” the 18-page document says.
“The government or law enforcement agent who submits the Emergency Government & Law Enforcement Information Request should provide the supervisor’s contact information in the request.”
But the group led by Chief Executive Tim Cook does not say whether Apple carried out these checks when the hackers asked for the data.
Snap (SNAP) has received similar requests from bogus law enforcement, but it’s unclear whether the social network has responded favorably. Snap did not immediately respond to a request for comment from TheStreet.
The trick played on Apple and Meta is part of a long campaign targeting technology groups since 2021.
Some of the hackers could be U.K. and U.S. teenagers hiding behind the cybercrime group Lapsus$. Microsoft (MSFT) confirmed last week that it had become the latest victim of the data extortion group Lapsus$, which claimed it had obtained source code for the Bing search engine and Cortana voice assistant.
Lapsus$ posted a partial file that the group said contained partial source code for Bing and Cortana. The group claimed on its Telegram channel that it had breached Microsoft and Okta (OKTA) and employee accounts of LG Electronics.
The mastermind of the group, which also hacked chipmakers Nvidia (NVDA) and Samsung (SSNLF), is allegedly a 16-year-old boy living with his parents near Oxford, England, British authorities said last week.
Lapsus$, Microsoft said in a post, “is known for using a pure extortion and destruction model without deploying ransomware payloads.”