Apple and Meta handed over user data to hackers who misrepresented law enforcement’s emergency data request orders. Both companies fell for the blatantly fake requests and provided information about users’ IP addresses, phone numbers, and home addresses.
Law enforcement officials frequently request data from social media platforms during criminal investigations. Emergency data requests, on the other hand, do not require a judge-signed subpoena or search warrant. Since those fraudulent requests were filed as “emergency data requests,” no search warrants were required.
But Meta claims to have done its math.
“We review every data request for legal sufficiency and use advanced systems and processes to validate law enforcement requests and detect abuse,” a spokesman said. “We block known compromised accounts from making requests and work with law enforcement to respond to incidents involving suspected fraudulent requests, as we have done in this case.”
Fake emergency data requests are becoming more prevalent, according to a recent Krebs on Security report. According to Krebs, some hackers are selling access to government emails online to target social media platforms with fake emergency data requests.
According to Bloomberg, cybersecurity researchers believe the mastermind behind this attack could be a cybercriminal group called Recursion Team, affiliated with Lapsus$, a group of hackers known for hacking Microsoft.
Meta and Apple aren’t the only companies known to have been targeted by fake emergency data requests. Hackers also contacted Snap with a forged request, but it’s unclear whether the company followed through. The report from Krebs also includes confirmation from Discord that the platform gave away information in response to one of these false requests.
“This tactic poses a significant threat across the tech industry,” Peter Day, Discord’s group manager for corporate communications, said. “We are continuously investing in our Trust & Safety capabilities to address emerging issues like this one.”