Tech companies Apple and Meta, the parent company of Facebook, have given the addresses, phone numbers and IP addresses of customers to criminals impersonating law enforcement officers, Bloomberg reports based on three precursors. By sharing this data, people may have been harassed and deceived.
Before tech companies in the US disclose customer data to law enforcement agencies, a court order is usually required. This is unnecessary in the event of an emergency request, because of the imminent danger which usually forms the basis of such a request.
A group of hackers copied such emergency requests and sent them to several technology companies. Snapchat’s parent company also received such requests, but did not respond. It is unclear how many requests the hackers sent in total and how many cases they were successful in.
According to many experts, the requests were sent by underage hackers in the United States and the United Kingdom, as Bloomberg wrote. They are said to be members of the $Lapsus group that hacked, among others, Microsoft and Samsung. Last week, seven people were arrested in London on suspicion of belonging to Lapsus$.
Sources told Bloomberg that the hackers sent the requests through the hacked email addresses from law enforcement agencies in several countries. When hacking mail servers, criminals may have seen real documents containing emergency requests, after which they can be forged.
In a response to Bloomberg, Apple said the person who made the request “may be contacted and asked to confirm that the emergency request was legitimate.” Apple does not comment materially on the reporting of customer data exchange. Meta says that they “evaluate each request for data for legal suitability and use advanced systems and processes to validate law enforcement requests and detect abuse.”
“Professional web ninja. Certified gamer. Avid zombie geek. Hipster-friendly baconaholic.”