Apple and Meta were scammed by hackers into providing sensitive data using an order law enforcement authorities typically use.
A report from Bloomberg mentioned that the two tech giants handed over sensitive data to hackers last year through a fake emergency data request.
The hacks may have been executed by members of a cybercriminal group that appear to have been disbanded last year, per The Verge.
Apple and Meta Data Scam Details
According to Bloomberg's sources who requested anonymity, the scam happened in mid-2021, when Apple and Meta received the fake emergency data requests.
Apple and Meta, believing the fake emergency requests to be legitimate, handed over sensitive information to the hackers, which were made up of users' IP addresses, phone numbers, and home addresses.
Sources said these requests were normally issued with a search warrant or judge-signed subpoena if they were not urgently needed. However, they said that a court order is not necessary for emergency data requests as they usually involve life-threatening situations.
Law enforcement issues data requests, emergency or otherwise, to social media platforms to obtain information about the owner of a specific account in an investigation.
Krebs on Security reported that hackers must first access a police department's email systems for them to create a fake emergency data request, all while impersonating a law enforcement officer. Some hackers were even found to be selling access to government emails online to forge fake emergency requests for social media platforms.
The hacks were said to be carried out by White, the teenager mastermind behind the recent Lapsus$ attacks on NVIDIA, Ubisoft, Microsoft, and Okta. The teenage hacker was a founding member of the "Recursion team" cybercriminal group, a group in which he was known as "Everlynn."
White was 14 years old when he and his co-hackers founded Recursion Team. He was also found to be selling access to a government email he said could be used to send subpoenas to companies like Apple, Uber, Instagram, and others.
White, along with six other teenagers with connections to Lapsus$, were arrested by British law enforcement officials last week.
Apple's and Meta's Response
Andy Stone, Meta's policy and communications director, responded to The Verge's inquiries, saying that Meta "reviews every data request" for legal sufficiency and uses advanced systems and processes to validate law enforcement requests and detect abuse.
"We block known compromised accounts from making requests and work with law enforcement to respond to incidents involving suspected fraudulent requests, as we have done in this case," Stone added.
The Verge also asked Apple for a comment regarding the scam, to which the Cupertino-based company responded with a redirect to its law enforcement guidelines, which state: "If a government or law enforcement agency seeks customer data in response to an Emergency Government & Law Enforcement Information Request, a supervisor for the government or law enforcement agent who submitted the Emergency Government & Law Enforcement Information request may be contacted and asked to confirm to Apple that the emergency request was legitimate."