Believing they were talking to law enforcement officials, Facebook and Apple shared information about their users with juvenile criminals.
Apple and Meta have provided hackers with various data about their users. The two companies thought they were providing the information to law enforcement agencies.
Tech companies typically provide information about their users only after a signed request from a judge. Sometimes law enforcement agencies can bypass this requirement with what is called an "emergency data request".
Hackers have used this very tool to ask for and obtain information about some users. The shared information package includes, among other things, the user's telephone number, address and IP address. In some cases, companies may also attach a copy of the user's correspondence, if the messaging service isn't encrypted, as well as the identity of anyone the user has spoken to in recent months.
The hackers managed to deceive the two companies by perfectly falsifying the documents normally used by police forces to ask companies to share data. The emails themselves came from legitimate addresses of some public security agencies, evidently compromised by the hackers themselves.
According to the authorities, the hackers were able to figure out how to deceive the companies precisely by obtaining and studying emails sent in the past by the police to companies such as Facebook, Twitter and Apple. All they had to do was mimic the content of the legitimate emergency data requests in their possession. In some cases, the requests also featured the forged signature of a real-life law enforcement officer, making it even more difficult to uncover the deception.
For a change, the police suspect that criminals who are minors, or little more than teenagers, are behind the operation.
In addition to Meta and Apple, Discord also fell victim to the deception. According to the authorities, the information obtained in this way was used for various purposes, from financial fraud to harassment of individuals. The criminals allegedly tried to trick Snapchat as well, but to no avail.
The attack demonstrated the limits of this system. Law enforcement agencies can obtain user information very easily and without a warrant. “There is no central, international system to handle this kind of reminders,” an insider explained to Bloomberg. “Every single law enforcement agency handles these kinds of requests differently.” Hence the confusion of large companies, which, having to deal with dozens of requests from law enforcement agencies all over the world, do not have the tools to effectively identify fraud attempts.