Apple and Meta unknowingly gave hackers customer data, sources say

The latest headlines from our reporters across the US sent straight to your inbox each weekday

Your briefing on the latest headlines from across the US

Please enter a valid email address

Please enter a valid email address

SIGN UP

I would like to be emailed about offers, events and updates from The Independent. Read our privacy policy

Apple and Meta, the parent company of Facebook, gave customer data to hackers who posed as law enforcement officials, according to sources close to the issue.

The claims were first reported by Bloomberg.

The tech giants reportedly provided basic subscriber details, including customers' addresses, phone numbers and IP addresses in mid-2021. They provided the details in response to an "emergency data request" that had been forged.

Those requests are normally only provided when a search warrant or subpoena are signed by a judge, according to the sources. The emergency requests reportedly do not require a court order.

According to cybersecurity researchers, some of the hackers who obtained the information may be minors in the UK and the US. One of those hackers is believed to be the head of a cybercrime group called Lapsus$, which previously hacked Microsoft, Samsung and Nvidia, among others.

Seven hackers connected with an investigation into the group have been arrested by the London police, and the investigation is still underway.

Bloomberg reached out to Apple for comment, and the company directed the reporters to its corporate law enforcement guidelines.

According to the company's guidelines, Apple may contact the supervisor of any law enforcement agency that files an emergency request to determine if the request is legitimate.

Meta provided the following statement to Bloomberg reporters.

“We review every data request for legal sufficiency and use advanced systems and processes to validate law enforcement requests and detect abuse,” Meta spokesman Andy Stone told the outlet. “We block known compromised accounts from making requests and work with law enforcement to respond to incidents involving suspected fraudulent requests, as we have done in this case.”

Meta's guidelines state that when requested it may provide user data to law enforcement agencies if they have a "good faith reason" to think the request involves a matter of "imminent risk."

“In emergencies, law enforcement may submit requests without legal process,” Meta's guidelines state. “Based on the circumstances, we may voluntarily disclose information to law enforcement where we have a good faith reason to believe that the matter involves imminent risk of serious physical injury or death.”

According to Krebs on Security, the hackers had forged an emergency data request from Discord, a social media platform used primarily by gamers and other niche communities.

Discord provided a statement to the outlet.

“We verify these requests by checking that they come from a genuine source, and did so in this instance,” Discord said in the statement. “While our verification process confirmed that the law enforcement account itself was legitimate, we later learned that it had been compromised by a malicious actor. We have since conducted an investigation into this illegal activity and notified law enforcement about the compromised email account.”