Apple and Meta were allegedly tricked by hackers in 2021 into sharing user data such as phone numbers, IP addresses, and home addresses, Bloomberg reported. The hackers approached the two tech companies using forged emergency data requests, a type of request that typically comes from law enforcement agencies. Snap, the parent company of Snapchat, was also approached by hackers with a similar request; however, it’s not known whether the company complied with it.
Social media regulations in various countries, including India, allow law enforcement agencies to seek information from social media companies for criminal investigations. For instance, the IT (Guidelines for Intermediaries and Digital Media Ethics Code) Rules 2021 require intermediaries to assist authorised agencies for investigative purposes within 72 hours of receiving the order.
In the US, the Electronic Communications Privacy Act (ECPA) allows law enforcement agencies to seek information without a search warrant in case of an emergency involving imminent danger of death or serious physical injury to any person.
Though brand impersonation is a common tactic employed by hackers to target users, using names of law enforcement agencies to harvest user data is a new trick in the book of cybercriminals that is turning out to be quite effective. All a hacker needs is illicit access to an email account related to a law enforcement agency to make their emergency requests look authentic.
Cybersecurity experts believe that members of the Lapsus$ hacker group, which was behind the recent spree of cyber-attacks on Nvidia, Samsung, and Okta, were also involved in the impersonation of law enforcement agencies. According to an investigation by Palo Alto Networks, before starting the Lapsus$ group, the hackers specialised in SIM swapping and swatting attacks in which they targeted law enforcement agencies with a fake bomb threat or hostage situation and tricked them into visiting malicious websites.
The founder of Lapsus$, who is believed to be a teenager from the UK, had allegedly tried to sell email credentials of government agencies for $100-250 on a cybercrime forum called Cracked.to in 2021. The sale post said that the credentials could be used to subpoena user data from companies such as Apple and Snapchat.
Apple and Meta have not released any public statement on how much data was shared with the hackers and how many users’ privacy was compromised because of their mistake.