Apple, Facebook and Discord turned over user data to hackers posing as law enforcement officials, according to a new report in Bloomberg. The demands, which were forged to look like authentic legal requests, reportedly came from legitimate email accounts that had been “compromised.”
According to Bloomberg, both Facebook and Apple turned over “basic subscriber details, such as a customer’s address, phone number and IP address.” Discord provided “the Internet address history of Discord accounts tied to a specific phone number,” according to Krebs on Security. The hackers also targeted Snap, though it’s not clear if the company actually turned over the requested data.
As Bloomberg points out, it’s not uncommon for companies like Apple and Facebook to turn over data to law enforcement, and these companies have dedicated teams to respond to such requests. Typically, these requests are accompanied by a court order, but there are “emergency” cases when law enforcement asks for data without one, like when someone’s life is believed to be in danger.
In this case, the hackers exploited this emergency process to access personal information about specific targets in order to “facilitate financial fraud schemes.” Using hacked email accounts tied to legitimate law enforcement personnel, they were able to fool the companies into handing over the data.
In a statement to Bloomberg, Meta spokesperson Andy Stone said that the company has safeguards in place to verify legal requests and detect abuse. “We block known compromised accounts from making requests and work with law enforcement to respond to incidents involving suspected fraudulent requests, as we have done in this case,” Stone said.
Apple and Snap also pointed to company guidelines, saying they have policies to verify the legitimacy of requests for user data. But these safeguards can fall short when the requests appear to come from email accounts associated with legitimate law enforcement agencies. As Discord told Krebs on Security:
“We can confirm that Discord received requests from a legitimate law enforcement domain and complied with the requests in accordance with our policies. We verify these requests by checking that they come from a genuine source, and did so in this instance. While our verification process confirmed that the law enforcement account itself was legitimate, we later learned that it had been compromised by a malicious actor. We have since conducted an investigation into this illegal activity and notified law enforcement about the compromised email account.”
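The Discord statement above illustrates the gap: confirming that a request comes from a genuine agency domain says nothing about whether that particular account has been compromised. The following is an added, illustrative Python example (not the process of Discord, Meta, Apple or any other company named in the article) contrasting a domain-only check with one that also consults a list of known compromised accounts, as Meta's spokesperson describes, and that requires out-of-band confirmation for “emergency” requests arriving without a court order. The domain names, addresses and phone numbers are constructed placeholders.

```python
"""Illustrative triage of an incoming law-enforcement data request.

Added example, not any provider's real process. It contrasts a domain-only
check (which a compromised but genuine agency account passes) with a check
that also blocks known compromised senders and demands out-of-band
confirmation for emergency requests that carry no court order.
All data below is constructed for the example.
"""
from dataclasses import dataclass

# Constructed: agency domains the provider accepts requests from.
TRUSTED_AGENCY_DOMAINS = {"police.example.gov", "sheriff.example.gov"}

# Constructed: sender addresses reported as compromised (cf. Meta's statement).
KNOWN_COMPROMISED_ACCOUNTS = {"j.doe@police.example.gov"}

# Constructed: callback numbers obtained independently of any email, so an
# attacker controlling the mailbox cannot supply their own contact details.
AGENCY_CALLBACK_DIRECTORY = {"police.example.gov": "+1-555-0100"}


@dataclass
class DataRequest:
    sender: str                 # From: address of the request email
    has_court_order: bool       # a court order accompanies the request
    is_emergency: bool          # request invokes the emergency (no-order) path
    callback_confirmed: bool = False  # set only after calling the directory number


def sender_domain(address: str) -> str:
    """Domain part of an email address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def weak_verify(req: DataRequest) -> str:
    """Domain-only check: exactly the check a hijacked agency account defeats."""
    return "approve" if sender_domain(req.sender) in TRUSTED_AGENCY_DOMAINS else "reject"


def hardened_verify(req: DataRequest) -> str:
    """Layered check: trusted domain, not a known compromised account, and
    emergency requests must be confirmed out of band before any data moves."""
    domain = sender_domain(req.sender)
    if domain not in TRUSTED_AGENCY_DOMAINS:
        return "reject"
    if req.sender.lower() in KNOWN_COMPROMISED_ACCOUNTS:
        return "reject"
    if req.has_court_order:
        return "approve"
    if req.is_emergency:
        # No court order: approve only once someone has phoned the number from
        # the independent directory (never a number taken from the email itself).
        if domain in AGENCY_CALLBACK_DIRECTORY and req.callback_confirmed:
            return "approve"
        return "manual_review"
    return "reject"


if __name__ == "__main__":
    forged = DataRequest("j.doe@police.example.gov", has_court_order=False, is_emergency=True)
    print("weak:", weak_verify(forged), "hardened:", hardened_verify(forged))
```

The difference matters for requests sent from an account that has not yet been reported as compromised: the weak check approves them outright, while the hardened check holds them for manual review until the agency confirms the request through a channel the attacker does not control.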
Interestingly, security researchers have reportedly tied some of the people involved in this scheme to another high-profile hacking group: Lapsus$, whose members allegedly hacked Microsoft and Okta. According to Bloomberg, one person involved with forging the requests is also “believed to be the mastermind behind the cybercrime group Lapsus$.”