Apple and Meta, Facebook’s parent company, provided customer data to hackers posing as law enforcement officials, according to people familiar with the matter.
The allegations were first reported by Bloomberg.
The tech giants reportedly provided basic subscriber information, including customer addresses, phone numbers and IP addresses in mid-2021. They provided the details in response to an “emergency data request” which had been tampered with.
Such requests are normally fulfilled only when accompanied by a search warrant or subpoena signed by a judge, the sources say. Emergency requests apparently do not require a court order.
According to cybersecurity researchers, some of the hackers who obtained the information could be minors in the UK and the US. One of these hackers is believed to lead a cybercrime group called Lapsus$, which previously hacked Microsoft, Samsung, and Nvidia, among others.
Seven hackers linked to an investigation into the group have been arrested by London police, and the investigation is still ongoing.
Bloomberg contacted Apple for comment, and the company directed reporters to its corporate law enforcement guidelines.
Under company guidelines, Apple may contact the supervisor of any law enforcement agency filing an emergency request to determine if the request is legitimate.
Meta provided the following statement to Bloomberg journalists.
“We review every data request for legal sufficiency and use advanced systems and processes to validate law enforcement requests and detect abuse,” Meta spokesman Andy Stone said. “We block known compromised accounts from making requests and work with law enforcement to respond to incidents involving suspected fraudulent requests, as we did in this case.”
Meta’s guidelines state that, upon request, it can provide user data to law enforcement if they have a “good faith reason” to believe the request involves an “imminent risk”.
“In an emergency, law enforcement may submit requests without legal process,” Meta’s guidelines state. “Depending on the circumstances, we may voluntarily disclose information to law enforcement when we have a good faith reason to believe that the matter involves an imminent risk of serious physical injury or death.”
According to Krebs on Security, the hackers had faked a request for emergency data from Discord, a social media platform used primarily by gamers and other niche communities.
Discord provided a statement to the outlet.
“We verify these requests by verifying that they come from an authentic source, and we have done so in this case,” Discord said in the statement. “While our verification process confirmed that the law enforcement account itself was legitimate, we later learned that it had been compromised by a malicious actor. We have since investigated this illegal activity and notified law enforcement of the compromised email account.”