Apple Inc. and Facebook’s parent company fell for an email scam and turned over some user data to phony law enforcement officials, a bombshell new report said.
Cybercriminals who used hacked domains belonging to multiple law enforcement agencies made bogus “emergency requests” for certain users’ information, Bloomberg News reported on Wednesday.
The companies handed over basic data like phone numbers, home addresses and IP addresses, according to Bloomberg, which cited sources.
That data could then be used by hackers to unleash harassment campaigns or to try to launch financial fraud schemes, Bloomberg said.
Emergency requests can be made without a court order or subpoena in cases of “imminent” threats where someone’s life or safety may be in jeopardy.
The forged requests allegedly came in 2021 from real domains of law enforcement agencies in multiple countries, with an untold number of users affected. Snap Inc. and Discord were also targeted, though Snap didn’t confirm whether it turned over information in any forged request, Bloomberg said.
Minors in the US and UK are believed to be behind at least some of the requests, which were made up to look like they were from legitimate sources, at times even using signatures of real law enforcement officials, sources told Bloomberg.
Researchers think others involved include members of the hacker group Recursion Team and the person behind the group Lapsus$, which allegedly hacked Microsoft Corp. and others, according to the report.
Spokespeople from Apple and Meta didn’t immediately respond to emails from The Post on Thursday.
But Meta spokesman Andy Stone told Bloomberg that the company reviews every data request “for legal sufficiency” and validates the request to detect abuse.
“We block known compromised accounts from making requests and work with law enforcement to respond to incidents involving suspected fraudulent requests, as we have done in this case,” Stone said in a statement.
Apple didn’t address the compromised data but referred Bloomberg to its policy that states the company may reach out to a government or law enforcement supervisor to confirm any request is legitimate.
Both companies outline the number of emergency requests they receive and fulfill.
Apple’s website said the tech giant received 283 requests in the US and 1,162 worldwide between July and December 2020. Apple complied with 93 percent of the requests, its website says.
Meta’s website said the company received 211,000 requests from January to June 2021, and gave at least some information in almost 71 percent of requests.