In mid-2021, Apple and Meta, Facebook’s parent company, gave customer data to hackers pretending to be law enforcement officials. Snap Inc. also received a fraudulent request for information, but it isn’t known whether they provided the requested data. Messaging app Discord is also believed to have been targeted by the same hacking group.
According to a report from Bloomberg, the hackers gained access to information such as customer IP addresses, phone numbers, and home addresses by forging emergency data requests. Typically, law enforcement needs a search warrant or subpoena signed by a judge to gain access to get such information, however, these rules can be overlooked in an emergency situation.
How it happened
According to Bloomberg’s source, the hackers behind the incident made the fraudulent legal requests by using compromised email accounts of law enforcement agencies in multiple countries. Oftentimes, compromising these email accounts is as simple as purchasing password information from the dark web. Apparently, it’s quite common for law enforcement officials to request information about users from social media platforms in conjunction with criminal investigations. In the US, these requests are often signed by a judge, but when there’s imminent danger, this isn’t always necessary. The hackers took advantage of this fact.
The hackers forged the legal requests to look as legitimate as possible, including fake signatures of real and made-up law enforcement officials. Some sources suspect that the hackers used legitimate legal requests and used them as templates for creating genuine-looking forgeries. A Meta spokesperson said that they block compromised email accounts from making these requests, and have since blocked these particular accounts.
Who’s behind the breach?
Cybersecurity researchers suspect that some of the hackers involved in this fraud belong to a hacking group known as Recursion Team. Many members are thought to be minors living in the US and UK. Recursion Team is no longer active, but some members are thought to carry out cyberattacks on behalf of the group Lapsus$, which has targeted a slew of high-profile tech firms like Microsoft and Samsung. Seven people believed to be associated with Lapsus$ were recently arrested by City of London police.
How can this kind of fraud be prevented in future?
Because there is no centralized system for submitting these legal requests to social media companies and the fact that there are so many law enforcement agencies in jurisdictions around the world, all with place-specific laws on data collection, there is no one clear fix to the situation. Even the systems in place vary between companies, with some having special portals that law enforcement must log in to, while others accept email requests only, or in conjunction with a portal system. Requests like this are also incredibly frequent; Meta received 21,700 global emergency requests between January to June 2021, responding to 77% of them, while Apple got 1,162 emergency requests from 29 countries and responded to 93% of them. To protect user data, a centralized system and process would likely improve things.
On the law enforcement agency side of things, it seems like more care could be taken when it comes to password hygiene. To prevent accounts from being compromised because of password information that’s available on the dark web, make sure to change your passwords regularly. Make them impossible to guess by creating strong passwords with at least 12 characters and a mix of letters, numbers, and symbols. The easiest way to do this is by using a password generator and a password manager to keep track of various account passwords. And, of course, regularly hardening the backend to make sure everything is encrypted and secure as can be is vital.
Cora is a digital copywriter for SSLs.com. Having eight years of experience in online content creation, she is a versatile writer with an interest in a wide variety of topics, ranging from technology to marketing.