Apple and Meta (Facebook), two of the world's largest technology companies, shared their users' private information, such as addresses, phone numbers and IP addresses, to hackers who posed as police officers, as reported by Bloomberg, who has had access to details of the ongoing investigation. The two companies fell for the trap in mid-2021, thinking that the “emergency data request” sent by cybercriminals was real.
The emergency data request (EDR) is a kind of legal procedure that can be used by security agents in order to obtain the necessary information from a user to be able to carry out an investigation. This type of request does not require a court order, since it is considered urgent and is made, in most cases, when there is a life or death situation. Apple, Meta and other companies are forced to share this data once they verify that the request is real.
Both Apple and Meta, in fact, seem to have a rigorous system to verify that the process is legitimate. “We review each data request for legal sufficiency and use advanced systems and processes to validate law enforcement requests and detect abuse,” Meta spokesman Andy Stone told the outlet. But how could they have provided data to a bogus request?
Accept or reject the request, a life or death decision
According to investigations, hackers may have sent the fake emergency data requests via real police addresses. Falsifying, in addition, the signatures of the agents. Accessing internal police systems seems like a simple task for cybercriminals, and the practice of sending data requests in order to obtain information from users is, according to Krebs on Security, “highly effective.” Mainly, because the affected companies —such as Apple and Meta, in this case— are forced to accept a request of these characteristics when considering that the life of one or more people may be at risk.
It is not the first time that this method has been used to obtain private information from users who use a platform. According to Bloomberg, the practice of forging “emergency data requests” began in January 2021, targeting a wide variety of companies operating in the technology sector. Snap Inc. (Snapchat's parent company) also appears to be one of those affected. However, it is unclear whether the company ultimately accepted the request and shared its users' data with the hackers.
Even so, Meta, Apple, and other companies that can suffer this type of attack or that have already been involved in similar scams, have different security measures to avoid future incidents.
“We block known compromised accounts from making requests and work with law enforcement to respond to incidents involving suspected fraudulent requests, as we have done in this case.”
Andy Stone, Meta Spokesperson
Who is behind the Apple and Meta hack?
Everything indicates that the attack on Apple and Meta was organized by a team of teenage hackers and minors located in the United States and the United Kingdom. The team called itself 'Recursion Team' when they started this practice, but according to investigations, it would currently be dissolved.
Many of the members now seem to be part of LAPSUS$, the “Latin American” team that hacked Nvidia, Microsoft, Okta, Samsung or Mercado Libre. Interestingly, the London Police arrested seven members of the group just a few days ago. One of them, the alleged leader of LAPSUS $ and who could also be involved in hacking different companies through the request for emergency data, is 16 years old and lives with his parents in Oxford
