Apple Inc., Meta Platforms Inc. (the parent company of Facebook), and Discord have turned over user data to hackers posing as law enforcement officials, according to a new Bloomberg report.
The companies apparently fell for an email scam and turned over some user data to cybercriminals who used hacked domains belonging to multiple law enforcement agencies.
The cybercriminals made bogus “emergency requests” for certain users’ information, Bloomberg News said in its report on Wednesday, noting the requests allegedly came in 2021 from real domains of law enforcement agencies in multiple countries.
Bloomberg said that it was not uncommon for companies like Apple and Facebook to turn over data to law enforcement. Typically, these requests are accompanied by a court order, but there are “emergency” cases when law enforcement asks for data without one, such as when someone’s life or safety may be in jeopardy.
In this case, the hackers took advantage of this emergency request process and gained access to users’ personal information.
While Facebook and Apple turned over “basic subscriber details, such as a customer’s address, phone number and IP address,” Discord provided “the Internet address history of Discord accounts tied to a specific phone number.”
The hackers also targeted Snap, though it is unclear whether the company actually turned over the requested data.
The hackers could use the data to unleash harassment campaigns or to attempt to launch financial fraud schemes, according to Bloomberg.
In a statement to Bloomberg, Meta spokesperson Andy Stone said that the company reviews every data request “for legal sufficiency” and validates the request to detect abuse.
“We block known compromised accounts from making requests and work with law enforcement to respond to incidents involving suspected fraudulent requests, as we have done in this case,” Stone said.
Meanwhile, Discord, commenting on security, told Krebs, “We can confirm that Discord received requests from a legitimate law enforcement domain and complied with the requests in accordance with our policies. We verify these requests by checking that they come from a genuine source, and did so in this instance. While our verification process confirmed that the law enforcement account itself was legitimate, we later learned that it had been compromised by a malicious actor.”