Apple and Meta reportedly fooled into giving user data to hackers — here's how

Apple Event Mar 8, 2022
Apple (Image credit: Apple)

Hackers masquerading as law enforcement officials allegedly hoodwinked Apple and Meta, goading the two tech giants to surrender user data. Citing "three people close to the matter," a Wednesday Bloomberg News report revealed the malicious actors used forged legal documents to bamboozle Apple and Meta.

According to Bloomberg, Apple and Meta surrendered "basic subscriber details," including customers' phone numbers and IP addresses. 

How the hackers allegedly fooled Apple and Meta

In mid-2021, hackers reportedly used forged Emergency Data Requests (EDRs) to obtain Apple and Meta's user data. Typically, requests for user data require a search warrant or a judge-signed subpoena, however, EDRs don't require court-ordered documents. As such, malicious hackers can bypass hawk-eyed vetting and gain access to ill-gotten data.

Cybersecurity journalist Brian Krebs called this hacking method "terrifying," but "highly effective."

"It involves compromising email accounts and websites tied to police departments and government agencies, and then sending unauthorized demands for subscriber data while claiming the information being requested can't wait for a court order because it relates to an urgent matter of life and death," Krebs said in a recent blog post.


Hacker (Image credit: Getty)

Just as Krebs described it, Bloomberg revealed the hackers likely breached law enforcement email systems, stole templates for legitimate legal requests, forged signatures, and used them to deceive Apple and Meta. 

According to the three people cited in the Bloomberg report, a cybercriminal group called "Recursion Team" is allegedly behind the mid-2021 hack. Some cybersecurity experts believe that some of the malicious actors are also a part of Lapsus$, the cybercrime group that breached Samsung, Nvidia, Microsoft and other companies.

"Recursion Team is no longer active, but many of its members continue to carry out hacks under different names, including as part of Lapsus$," Bloomberg said.

You may be wondering, "What is 'Recursion Team' doing with the data they obtained with Apple and Meta?" Well, the hackers allegedly used the ill-gotten information to carry out harassment campaigns and financial fraud.

The question is, how do we mitigate this issue? Security specialist Nicholas Weaver told Krebs that the only way to combat counterfeit EDRs is to have the FBI serve as the sole identity provider for all state and local enforcement, but even that has drawbacks.

"How does the FBI vet in real-time that some request is really from some podunk police department?" Weave pondered.

If the FBI isn't up for the task, we hope Apple and Meta come up with stricter security protocols to handle incoming law enforcement requests. It won't be easy, but the consumers' trust depends on it.

Kimberly Gedeon

Kimberly Gedeon, holding a Master's degree in International Journalism, launched her career as a journalist for MadameNoire's business beat in 2013. She loved translating stuffy stories about the economy, personal finance and investing into digestible, easy-to-understand, entertaining stories for young women of color. During her time on the business beat, she discovered her passion for tech as she dove into articles about tech entrepreneurship, the Consumer Electronics Show (CES) and the latest tablets. After eight years of freelancing, dabbling in a myriad of beats, she's finally found a home at Laptop Mag that accepts her as the crypto-addicted, virtual reality-loving, investing-focused, tech-fascinated nerd she is. Woot!