Apple and Meta handed over confidential information on customers to hackers. Yes, handed over, as the hackers were masquerading as law enforcement officers at the time, Bloomberg reports.
This new report comes not 24 hours after KrebsOnSecurity reported that hackers, like LAPSUS$ who recently hacked Nvidia, Microsoft, and others, are pretending to be law enforcement for the purposes of data gathering.
First, they hack into an email account owned by law enforcement. Then they start using that account to ask for specific data, in accordance with existing legal pathways.
The normal process for law enforcement officers is to get a warrant or subpoena for specific data. This requires a judge to sign off.
The hackers circumvent this by using Emergency Data Requests (EDRs), which don’t need warrants. The requests are often accompanied by warnings of implied threats of violence by the users in question.
The companies handed over user data to the hackers in 2021
It looks like both Apple and Meta complied with fraudulent EDRs in mid-2021. The user data handed over had home addresses, phone numbers, and IP addresses. The data was probably then used for financial fraud.
Snap Inc, Snapchat’s parent company, was also given falsified EDRs. But it’s not clear if they complied and sent user data to the hackers.
Cybersecurity researchers are reasonably sure that the hackers are the same underage hackers behind the LAPSUS$ group, which recently breached Nvidia, Microsoft, Samsung, and more.
The real issue here is that law enforcement is still using email to request customer data. There needs to be a way of digitally signing those requests so that impersonators can’t get access: a compromised mailbox gives an attacker the ability to send a convincing email, but not the agency’s signing key.
The Digital Authenticity for Court Orders Act would require digital signing. But it still needs to be passed.
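As an added illustration of the mitigation described above (this is example code written for this article, not anything specified by the Act, Apple, Meta, or any agency), the Go program below models a provider-side check on a signed emergency request. The request format, field names and the `Registry` of agency public keys are assumptions; the point is that the provider verifies an Ed25519 signature against a key it obtained out of band, so a request sent from a hijacked mailbox without the agency's private key, or a signed request whose contents were altered, is rejected before any data is released.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// EmergencyDataRequest is a hypothetical wire format for a signed EDR.
// Every field the provider acts on is covered by the signature.
type EmergencyDataRequest struct {
	Agency        string `json:"agency"`
	Officer       string `json:"officer"`
	Subject       string `json:"subject"` // account the request concerns
	Justification string `json:"justification"`
	Signature     []byte `json:"signature,omitempty"` // over canonicalBody
}

// canonicalBody returns the bytes that are signed: the request with the
// signature cleared, JSON-encoded. encoding/json writes struct fields in
// declaration order, so signer and verifier produce identical bytes.
func canonicalBody(r EmergencyDataRequest) ([]byte, error) {
	r.Signature = nil
	return json.Marshal(r)
}

// SignRequest is what the issuing agency does with its private key.
func SignRequest(r EmergencyDataRequest, priv ed25519.PrivateKey) (EmergencyDataRequest, error) {
	body, err := canonicalBody(r)
	if err != nil {
		return r, err
	}
	r.Signature = ed25519.Sign(priv, body)
	return r, nil
}

// Registry maps agency names to public keys the provider obtained out of
// band (assumed here), never from the email that carries the request.
type Registry map[string]ed25519.PublicKey

var (
	ErrUnknownAgency = errors.New("agency not in key registry")
	ErrBadSignature  = errors.New("signature missing or invalid")
)

// VerifyRequest is the provider-side gate: no valid signature from a
// registered key, no data.
func VerifyRequest(reg Registry, r EmergencyDataRequest) error {
	pub, ok := reg[r.Agency]
	if !ok {
		return ErrUnknownAgency
	}
	if len(r.Signature) != ed25519.SignatureSize {
		return ErrBadSignature
	}
	body, err := canonicalBody(r)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, body, r.Signature) {
		return ErrBadSignature
	}
	return nil
}

// Scenario holds the outcome of three constructed requests.
type Scenario struct {
	Valid, Unsigned, Tampered, Unregistered error
}

// RunScenario builds a constructed agency key pair and registry, then
// checks a genuine request, one sent from a hijacked mailbox with no
// signature, one altered after signing, and one from an unknown agency.
func RunScenario() (Scenario, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Scenario{}, err
	}
	reg := Registry{"Example County Sheriff": pub} // constructed name

	genuine := EmergencyDataRequest{
		Agency: "Example County Sheriff", Officer: "Det. Example",
		Subject: "user-12345", Justification: "constructed sample text",
	}
	signed, err := SignRequest(genuine, priv)
	if err != nil {
		return Scenario{}, err
	}

	unsigned := genuine // same text, but the sender has no signing key
	tampered := signed
	tampered.Subject = "user-99999" // contents changed after signing
	unregistered := signed
	unregistered.Agency = "Unknown Agency"

	return Scenario{
		Valid:        VerifyRequest(reg, signed),
		Unsigned:     VerifyRequest(reg, unsigned),
		Tampered:     VerifyRequest(reg, tampered),
		Unregistered: VerifyRequest(reg, unregistered),
	}, nil
}

func main() {
	s, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine:     ", s.Valid)
	fmt.Println("unsigned:    ", s.Unsigned)
	fmt.Println("tampered:    ", s.Tampered)
	fmt.Println("unregistered:", s.Unregistered)
}
```

The signature binds the agency, officer, subject and justification together, so an attacker cannot reuse a genuine signed request against a different account. What the signature cannot do is tell a provider whether the key registry itself is correct, which is why key distribution has to happen outside email.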