TIMES.KY

Cayman Islands, Caribbeanand International News
Tuesday, Apr 23, 2024

Apple and Meta Gave User Data to Hackers Who Used Forged Legal Requests

Apple and Meta Gave User Data to Hackers Who Used Forged Legal Requests

Hackers compromised the emails of law enforcement agencies Data was used to enable harassment, may aid financial fraud
Apple. and Meta, the parent company of Facebook, provided customer data to hackers who masqueraded as law enforcement officials, according to three people with knowledge of the matter.

Apple and Meta provided subscriber details, such as a customer’s address, phone number and IP address, in mid-2021 in response to the forged “emergency data requests.” Normally, such requests are only provided with a search warrant or subpoena signed by a judge, according to the people. However, the emergency requests don’t require a court order.

Snap Inc. received a forged legal request from the same hackers, but it isn’t known whether the company provided data in response. It’s also not clear how many times the companies provided data prompted by forged legal requests.

Cybersecurity researchers suspect that some of the hackers sending the forged requests are minors located in the U.K. and the U.S. One of the minors is also believed to be the mastermind behind the cybercrime group Lapsus$, which hacked Microsoft Corp., Samsung Electronics Co. and Nvidia Corp., among others, the people said. City of London Police recently arrested seven people in connection with an investigation into the Lapsus$ hacking group; the probe is ongoing.

An Apple representative referred Bloomberg News to a section of its law enforcement guidelines.

The guidelines referenced by Apple say that a supervisor for the government or law enforcement agent who submitted the request “may be contacted and asked to confirm to Apple that the emergency request was legitimate,” the Apple guideline states.

“We review every data request for legal sufficiency and use advanced systems and processes to validate law enforcement requests and detect abuse,” Meta spokesman Andy Stone said in a statement. “We block known compromised accounts from making requests and work with law enforcement to respond to incidents involving suspected fraudulent requests, as we have done in this case.”

Snap had no immediate comment on the case, but a spokesperson said the company has safeguards in place to detect fraudulent requests from law enforcement.

Law enforcement around the world routinely asks social media platforms for information about users as part of criminal investigations. In the U.S., such requests usually include a signed order from a judge. The emergency requests are intended to be used in cases of imminent danger and don’t require a judge to sign off on it.

Hackers affiliated with a cybercrime group known as “Recursion Team” are believed to be behind some of the forged legal requests, which were sent to companies throughout 2021, according to the three people who are involved in the investigation.

Recursion Team is no longer active, but many of its members continue to carry out hacks under different names, including as part of Lapsus$, the people said.

The information obtained by the hackers using the forged legal requests has been used to enable harassment campaigns, according to one of the people familiar with the inquiry. The three people said it may be primarily used to facilitate financial fraud schemes. By knowing the victim’s information, the hackers could use it to assist in attempting to bypass account security.

Bloomberg is omitting some specific details of the events in order to protect the identities of those targeted.

The fraudulent legal requests are part of a months-long campaign that targeted many technology companies and began as early as January 2021, according to two of the people. The forged legal requests are believed to be sent via hacked email domains belonging to law enforcement agencies in multiple countries, according to the three people and an additional person investigating the matter.

The forged requests were made to appear legitimate. In some instances, the documents included the forged signatures of real or fictional law enforcement officers, according to two of the people. By compromising law enforcement email systems, the hackers may have found legitimate legal requests and used them as a template to create forgeries, according to one of the people.

“In every instance where these companies messed up, at the core of it there was a person trying to do the right thing,” said Allison Nixon, chief research officer at the cyber firm Unit 221B. “I can’t tell you how many times trust and safety teams have quietly saved lives because employees had the legal flexibility to rapidly respond to a tragic situation unfolding for a user.”

On Tuesday, Krebs on Security reported that hackers had forged an emergency data request to obtain information from the social media platform Discord. In a statement to Bloomberg, Discord confirmed that it had also fulfilled a forged legal request.

“We verify these requests by checking that they come from a genuine source, and did so in this instance,” Discord said in a statement. “While our verification process confirmed that the law enforcement account itself was legitimate, we later learned that it had been compromised by a malicious actor. We have since conducted an investigation into this illegal activity and notified law enforcement about the compromised email account.”

Apple and Meta both publish data on their compliance with emergency data requests. From July to December 2020, Apple received 1,162 emergency requests from 29 countries. According to its report, Apple provided data in response to 93% of those requests.

Meta said it received 21,700 emergency requests from January to June 2021 globally and provided some data in response to 77% of the requests.

“In emergencies, law enforcement may submit requests without legal process,” Meta states on its website. “Based on the circumstances, we may voluntarily disclose information to law enforcement where we have a good faith reason to believe that the matter involves imminent risk of serious physical injury or death.”

The systems for requesting data from companies is a patchwork of different email addresses and company portals. Fulfilling the legal requests can be complicated because there are tens of thousands of different law enforcement agencies, from small police departments to federal agencies, around the world. Different jurisdictions have varying laws concerning the request and release of user data.

“There’s no one system or centralized system for submitting these things,” said Jared Der-Yeghiayan, a director at cybersecurity firm Recorded Future Inc. and former cyber program lead at the Department of Homeland Security. “Every single agency handles them differently.”

Companies such as Meta and Snap operate their own portals for law enforcement to send legal requests, but still accept requests by email and monitor requests 24 hours a day, Der-Yeghiayan said.

Apple accepts legal requests for user data at an apple.com email address, “provided it is transmitted from the official email address of the requesting agency,” according to Apple’s legal guidelines.

Compromising the email domains of law enforcement around the world is in some cases relatively simple, as the login information for these accounts is available for sale on online criminal marketplaces.

“Dark web underground shops contain compromised email accounts of law enforcement agencies, which could be sold with the attached cookies and metadata for anywhere from $10 to $50,” said Gene Yoo, chief executive officer of the cybersecurity firm Resecurity, Inc.

Yoo said multiple law enforcement agencies were targeted last year as a result of previously unknown vulnerabilities in Microsoft Exchange email servers, “leading to further intrusions.”

A potential solution to the use of forged legal requests sent from hacked law enforcement email systems will be difficult to find, said Nixon, of Unit 221B.

“The situation is very complex,” she said. “Fixing it is not as simple as closing off the flow of data. There are many factors we have to consider beyond solely maximizing privacy.”
Newsletter

Related Articles

TIMES.KY
0:00
0:00
Close
Paper straws found to contain long-lasting and potentially toxic chemicals - study
FTX's Bankman-Fried headed for jail after judge revokes bail
Blackrock gets half a trillion dollar deal to rebuild Ukraine
Israel: Unprecedented Civil Disobedience Looms as IDF Reservists Protest Judiciary Reform
America's First New Nuclear Reactor in Nearly Seven Years Begins Operations
Southeast Asia moves closer to economic unity with new regional payments system
Today Hunter Biden’s best friend and business associate, Devon Archer, testified that Joe Biden met in Georgetown with Russian Moscow Mayor's Wife Yelena Baturina who later paid Hunter Biden $3.5 million in so called “consulting fees”
Singapore Carries Out First Execution of a Woman in Two Decades Amid Capital Punishment Debate
Google testing journalism AI. We are doing it already 2 years, and without Google biased propoganda and manipulated censorship
Unlike illegal imigrants coming by boats - US Citizens Will Need Visa To Travel To Europe in 2024
Musk announces Twitter name and logo change to X.com
The politician and the journalist lost control and started fighting on live broadcast.
The future of sports
Unveiling the Black Hole: The Mysterious Fate of EU's Aid to Ukraine
Farewell to a Music Titan: Tony Bennett, Renowned Jazz and Pop Vocalist, Passes Away at 96
Alarming Behavior Among Florida's Sharks Raises Concerns Over Possible Cocaine Exposure
Transgender Exclusion in Miss Italy Stirs Controversy Amidst Changing Global Beauty Pageant Landscape
Joe Biden admitted, in his own words, that he delivered what he promised in exchange for the $10 million bribe he received from the Ukraine Oil Company.
TikTok Takes On Spotify And Apple, Launches Own Music Service
Global Trend: Using Anti-Fake News Laws as Censorship Tools - A Deep Dive into Tunisia's Scenario
Arresting Putin During South African Visit Would Equate to War Declaration, Asserts President Ramaphosa
Hacktivist Collective Anonymous Launches 'Project Disclosure' to Unearth Information on UFOs and ETIs
Typo sends millions of US military emails to Russian ally Mali
Server Arrested For Theft After Refusing To Pay A Table's $100 Restaurant Bill When They Dined & Dashed
The Changing Face of Europe: How Mass Migration is Reshaping the Political Landscape
China Urges EU to Clarify Strategic Partnership Amid Trade Tensions
Europe is boiling: Extreme Weather Conditions Prevail Across the Continent
The Last Pour: Anchor Brewing, America's Pioneer Craft Brewer, Closes After 127 Years
Democracy not: EU's Digital Commissioner Considers Shutting Down Social Media Platforms Amid Social Unrest
Sarah Silverman and Renowned Authors Lodge Copyright Infringement Case Against OpenAI and Meta
Italian Court's Controversial Ruling on Sexual Harassment Ignites Uproar
Why Do Tech Executives Support Kennedy Jr.?
The New York Times Announces Closure of its Sports Section in Favor of The Athletic
BBC Anchor Huw Edwards Hospitalized Amid Child Sex Abuse Allegations, Family Confirms
Florida Attorney General requests Meta CEO's testimony on company's platforms' alleged facilitation of illicit activities
The Distorted Mirror of actual approval ratings: Examining the True Threat to Democracy Beyond the Persona of Putin
40,000 child slaves in Congo are forced to work in cobalt mines so we can drive electric cars.
BBC Personalities Rebuke Accusations Amidst Scandal Involving Teen Exploitation
A Swift Disappointment: Why Is Taylor Swift Bypassing Canada on Her Global Tour?
Historic Moment: Edgars Rinkevics, EU's First Openly Gay Head of State, Takes Office as Latvia's President
Bye bye democracy, human rights, freedom: French Cops Can Now Secretly Activate Phone Cameras, Microphones And GPS To Spy On Citizens
The Poor Man With Money, Mark Zuckerberg, Unveils Twitter Replica with Heavy-Handed Censorship: A New Low in Innovation?
Unilever Plummets in a $2.5 Billion Free Fall, to begin with: A Reckoning for Misuse of Corporate Power Against National Interest
Beyond the Blame Game: The Need for Nuanced Perspectives on America's Complex Reality
Twitter Targets Meta: A Tangle of Trade Secrets and Copycat Culture
The Double-Edged Sword of AI: AI is linked to layoffs in industry that created it
US Sanctions on China's Chip Industry Backfire, Prompting Self-Inflicted Blowback
Meta Copy Twitter with New App, Threads
The New French Revolution
BlackRock Bitcoin ETF Application Refiled, Naming Coinbase as ‘Surveillance-Sharing’ Partner
×