Apple and Meta handed over data to hackers pretending to be police
Hackers got into law enforcement email accounts and requested user data using Emergency Data Requests (EDRs).
Apple and Meta handed over confidential information on customers to hackers. Yes, handed over, as the hackers were masquerading as law enforcement officers at the time, Bloomberg reports.
This report comes less than 24 hours after KrebsOnSecurity reported that hackers, including the LAPSUS$ group that recently hacked Nvidia, Microsoft, and others, are impersonating law enforcement to gather data.
The pattern is simple. First, they compromise an email account belonging to a law enforcement agency. Then they use that account to request specific user data through the legal channels providers already honor.
The normal process is for law enforcement to obtain a warrant or subpoena for specific data, which requires a judge to sign off.
The hackers bypass this by filing Emergency Data Requests (EDRs), which don’t need a warrant. The fraudulent requests usually claim that the targeted user has made threats of violence, exactly the kind of urgency EDRs exist for, which pressures the provider to respond before anything is verified.
The companies handed over user data to the hackers in 2021
It appears both Apple and Meta complied with fraudulent EDRs in mid-2021, handing over home addresses, phone numbers, and IP addresses. That data was likely then used for financial fraud.
Snap Inc., Snapchat’s parent company, also received falsified EDRs, but it’s not clear whether it complied and sent user data to the hackers.
Cybersecurity researchers are reasonably sure that the hackers are the same underage hackers behind the LAPSUS$ group, which recently breached Nvidia, Microsoft, Samsung, and more.
The real issue here is that law enforcement still uses email to request customer data, so whoever controls an agency inbox can speak for the agency. Those requests need to be digitally signed with keys the providers have enrolled in advance, so that someone who has merely hijacked an email account can’t get at users’ data.
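As an added illustration (this is example code, not anything from the article, from Apple, Meta, or any agency), here is what provider-side verification of a signed EDR could look like in Go. It assumes the provider holds a registry of agency public keys obtained out of band, a hypothetical request format with the fields shown, and an Ed25519 signature over the request; the agency name, officer address and account IDs are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// EDR is the payload of an Emergency Data Request as a provider might receive it.
// The field set is an assumption for this example; no real agency format is implied.
type EDR struct {
	Agency        string `json:"agency"`
	Requester     string `json:"requester"`
	TargetAccount string `json:"target_account"`
	Justification string `json:"justification"`
	IssuedAt      int64  `json:"issued_at"` // Unix seconds
}

// Registry maps an agency identifier to the public key the provider enrolled for it.
// The key comes from an out-of-band enrollment, never from the request or the email.
type Registry map[string]ed25519.PublicKey

// canonical returns the bytes the signature covers. encoding/json emits struct
// fields in declaration order, so the encoding is deterministic.
func canonical(r EDR) ([]byte, error) {
	return json.Marshal(r)
}

// Sign produces the signature an agency attaches to a request.
func Sign(r EDR, priv ed25519.PrivateKey) ([]byte, error) {
	msg, err := canonical(r)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, msg), nil
}

var (
	ErrUnknownAgency = errors.New("agency not in registry")
	ErrBadSignature  = errors.New("signature does not verify under the enrolled key")
	ErrStale         = errors.New("request too old or issued in the future")
)

// Verify accepts a request only if it is signed by the enrolled key of the agency
// it claims to come from and was issued within maxAge of now. A request arriving
// from a hijacked mailbox, or re-signed with the attacker's own key, fails here
// no matter which email account delivered it.
func Verify(r EDR, sig []byte, reg Registry, now time.Time, maxAge time.Duration) error {
	pub, ok := reg[r.Agency]
	if !ok {
		return ErrUnknownAgency
	}
	msg, err := canonical(r)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, msg, sig) {
		return ErrBadSignature
	}
	issued := time.Unix(r.IssuedAt, 0)
	if issued.After(now.Add(time.Minute)) || now.Sub(issued) > maxAge {
		return ErrStale
	}
	return nil
}

// Demo plays out the scenario from the article with constructed data: a genuine
// signed request, the same request altered by an attacker who kept the original
// signature, and a request the attacker signs with a key of their own.
func Demo() (genuine, tampered, attackerKey error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	reg := Registry{"example-agency": pub}
	now := time.Now()

	req := EDR{Agency: "example-agency", Requester: "officer@example.gov",
		TargetAccount: "user123", Justification: "imminent threat of violence",
		IssuedAt: now.Unix()}
	sig, _ := Sign(req, priv)
	genuine = Verify(req, sig, reg, now, 24*time.Hour)

	forged := req
	forged.TargetAccount = "victim456" // attacker edits the target, reuses the old signature
	tampered = Verify(forged, sig, reg, now, 24*time.Hour)

	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	attackerSig, _ := Sign(forged, attackerPriv) // attacker never had the agency key
	attackerKey = Verify(forged, attackerSig, reg, now, 24*time.Hour)
	return
}

func main() {
	g, t, a := Demo()
	fmt.Println("genuine:", g, "| tampered:", t, "| attacker key:", a)
}
```

The check only helps if the signing key is somewhere the mailbox thief cannot reach, such as a hardware token or a separate signing service; a private key sitting in the same compromised account is no better than the email itself. The issued-at window also matters, since an attacker who captures one genuine signed request would otherwise be able to replay it indefinitely.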
The Digital Authenticity for Court Orders Act would require such digital signatures, but it has yet to pass.