Apple and Meta tricked by hackers: they shared users’ personal data

Apple and Meta voluntarily (and unwittingly) handed users' personal data to hackers who had forged emergency data requests, which are usually sent by law enforcement. This was revealed in a recent Bloomberg report. The events date back to mid-2021: the two technology giants reportedly fell into the trap after treating the requests they received as authentic. The user data shared with the attackers includes IP addresses, phone numbers and residential addresses.

It should be noted that law enforcement agencies can send these specific data requests to obtain the data of certain accounts when there is an imminent danger of serious harm to people. In these cases the normal information request procedure, which requires a legal order or search warrant signed by a judge, is waived because the data must be provided immediately. Hackers exploited this circumstance to obtain the data without much effort.


The researchers at Krebs on Security have shed light on a computer crime that is currently taking place: the attack scheme involves hackers first gaining access to the e-mail systems of a police department, then sending the false request for information while pretending to be law enforcement officers. The job is made easier by a documented trade in government e-mail accounts, which hackers can buy on the dark web; this way almost anyone can send the false request for information, not just those who hack the IT systems of these entities themselves.

According to Bloomberg's reconstruction of events, last year's attacks were reportedly orchestrated by a hacker group called Recursion Team; the group then broke up and some members joined the Lapsus$ collective, which has been much discussed recently because of its numerous cyber attacks against major companies (see the latest attack against Microsoft). The group's actions targeted law enforcement accounts in numerous countries (a detailed list is not provided) in order to send false data requests to many companies. In addition to Apple and Meta, Discord and Snap were reportedly also contacted (in the latter case it is not clear whether the company handed over the requested data or not).

Apple, contacted about the story by colleagues at The Verge, limited itself to specifying that when it receives an emergency information request it can contact the agent or government official who sent it, in order to carry out appropriate checks on the legitimacy of the request; evidently, in this specific case the checks failed to unmask the hackers. Meta instead states: "We review each data request for legality and use advanced systems and processes to validate law enforcement requests and detect abuse." In this case, the measures to avoid abuse were not adequate.
