Stay up to date with notifications from The Independent

Notifications can be managed in browser preferences.

Apple and Meta unknowingly gave hackers customer data, sources say

The tech giants reportedly provided basic subscriber details, including customers’ addresses, phone numbers and IP addresses

Graig Graziosi
Wednesday 30 March 2022 16:58 EDT
Comments
Related video: Hackers gain access to sensitive US military data

Your support helps us to tell the story

From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.

At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.

The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.

Your support makes all the difference.

Apple and Meta, the parent company of Facebook, gave customer data to hackers who posed as law enforcement officials, according to sources close to the issue.

The claims were first reported by Bloomberg.

The tech giants reportedly provided basic subscriber details, including customers' addresses, phone numbers and IP addresses in mid-2021. They provided the details in response to an "emergency data request" that had been forged.

Those requests are normally only provided when a search warrant or subpoena are signed by a judge, according to the sources. The emergency requests reportedly do not require a court order.

According to cybersecurity researchers, some of the hackers who obtained the information may be minors in the UK and the US. One of those hackers is believed to be the head of a cybercrime group called Lapsus$, which previously hacked Microsoft, Samsung and Nvidia, among others.

Seven hackers connected with an investigation into the group have been arrested by the London police, and the investigation is still underway.

Bloomberg reached out to Apple for comment, and the company directed the reporters to its corporate law enforcement guidelines.

According to the company's guidelines, Apple may contact the supervisor of any law enforcement agency that files an emergency request to determine if the request is legitimate.

Meta provided the following statement to Bloomberg reporters.

“We review every data request for legal sufficiency and use advanced systems and processes to validate law enforcement requests and detect abuse,” Meta spokesman Andy Stone told the outlet. “We block known compromised accounts from making requests and work with law enforcement to respond to incidents involving suspected fraudulent requests, as we have done in this case.”

Meta's guidelines state that when requested it may provide user data to law enforcement agencies if they have a "good faith reason" to think the request involves a matter of "imminent risk."

“In emergencies, law enforcement may submit requests without legal process,” Meta's guidelines state. “Based on the circumstances, we may voluntarily disclose information to law enforcement where we have a good faith reason to believe that the matter involves imminent risk of serious physical injury or death.”

According to Krebs on Security, the hackers had forged an emergency data request from Discord, a social media platform used primarily by gamers and other niche communities.

Discord provided a statement to the outlet.

“We verify these requests by checking that they come from a genuine source, and did so in this instance,” Discord said in the statement. “While our verification process confirmed that the law enforcement account itself was legitimate, we later learned that it had been compromised by a malicious actor. We have since conducted an investigation into this illegal activity and notified law enforcement about the compromised email account.”

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

Comments

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in