The event has triggered the alarms of the cybersecurity community.
In mid-2021, hackers managed to steal user data from Apple and Meta with a simple social engineering trick. Instead of trying to break into the heavily guarded servers of both companies, they posed as security forces and abused the emergency data request system that is used during real investigations.
According to Bloomberg sources, the trick worked. Apple and Meta voluntarily provided the attackers with names, addresses, and IP addresses of various users after receiving these requests. Snap, the company behind Snapchat, also received one of these false requests, but it has not been confirmed whether it fell for it.
The event has triggered alarms in the cybersecurity community. Apple, Meta, Google and the rest of the technology companies provide information to the security forces and governments of different countries when they receive an official order. In most countries these orders have to be signed by a judge.
But companies also have mechanisms for handing over information in emergencies, when a victim is in imminent danger. The types of data that can be requested in these cases are limited, but the attack demonstrates that Apple and Meta do not apply all the precautions that they should in these cases.
Apple, for example, explains in its guide for law enforcement agencies that the company "can contact and ask the agent to confirm that the emergency request is legitimate," but does not indicate that this is an established process for all requests. Meta states that requests are verified to prevent cases of abuse, but, as with Apple, this case proves that the filters it applies are not entirely effective.
The group behind the attack could be the one known as "Recursion Team", a team of hackers with members who are also linked to Lapsus$, a group that in recent months has attacked high-profile technology companies such as Microsoft and Nvidia. The personal information obtained could have been used for harassment, for attempts to recover passwords, or for identity theft.