Apple and Meta turned user data over to hackers who forged emergency data requests, which are usually sent by law enforcement agencies, according to a report by Bloomberg. The mistake happened in mid-2021, and both companies leaked information including IP addresses, phone numbers and phone addresses.
Such data requests would generally require a search warrant signed by a judge or a subpoena, but emergency data requests, which are intended for cases involving life-threatening situations, are exempt from these requirements. According to a report from Krebs on Security, these fake emergency data requests are becoming increasingly popular.
The attackers first gain access to a police department’s email system and then forge an emergency data request describing the potential danger of not sending the data right away, pressuring companies to give out data that would otherwise be safe.
Hackers after subpoenas
The attacks seem to have been carried out by a group called the Infinity Recursion hacking team. Though the group isn’t active anymore, several members have joined Lapsus$ under different names.
Bloomberg reports that officials involved in the investigation reported such attacks on law enforcement agencies in multiple countries, with a number of companies targeted for several months starting January 2021.
Apple and Meta aren’t the only companies to be impacted by such attacks either. Discord also complied with one such fake request and Snap was also sent one, though it’s unclear whether or not the company followed through on the request.
According to Brian Krebs, some hackers are selling compromised government emails online specifically for this very purpose. A majority of attackers launching these types of attacks are allegedly teenagers, with the Bloomberg report stating that cybersecurity researchers believe that Lapsus$’s teen mastermind might be involved in these types of scams as well.