“Apple and Meta Gave User Data to Hackers Who Used Forged Legal Requests: Hackers Compromised the Emails of Law Enforcement Agencies; Data Was Used to Enable Harassment, May Aid Financial Fraud”, 2022-03-30:
Apple and Meta Platforms, the parent company of Facebook, provided customer data to hackers who masqueraded as law enforcement officials, according to 3 people with knowledge of the matter.
Apple and Meta provided basic subscriber details, such as a customer’s address, phone number and IP address, in mid-2021 in response to the forged “emergency data requests”. Normally, such requests are only provided with a search warrant or subpoena signed by a judge, according to the people. However, such emergency requests don’t require a court order. Snap received a forged legal request from the same hackers, but it isn’t known if it provided data in response. It’s also not clear how many times the companies provided data in response to forged legal requests.
[Trusted third parties are security holes; under the third-party doctrine, Americans have no legal protection for their data, so there are essentially no barriers to the subpoena any of hundreds of thousands of law enforcement officers can write.]
…Law enforcement around the world routinely asks social media platforms for information about users as part of criminal investigations. In the U.S., such requests usually include a signed order from a judge. The emergency requests are intended to be used in cases of imminent danger and don’t require a judge to sign off on them.
Hackers affiliated with a cybercrime group known as “Recursion Team” are believed to be behind some of the forged legal requests, which were sent to companies throughout 2021, according to the 3 people who are involved in the investigation…The information obtained by the hackers using the forged legal requests has been used to enable harassment campaigns, according to one of the people familiar with the inquiry. The 3 people said it may be primarily used to facilitate financial fraud schemes. By knowing the victim’s information, the hackers could use it to assist in attempting to bypass account security. The fraudulent legal requests are part of a months-long campaign that targeted many technology companies and began as early as January 2021, according to 2 of the people. The forged legal requests are believed to be sent via hacked email domains belonging to law enforcement agencies in multiple countries, according to the 3 people and an additional person investigating the matter. The forged requests were made to appear legitimate. In some instances, the documents included the forged signatures of real or fictional law enforcement officers, according to 2 of the people. By compromising law enforcement email systems, the hackers may have found legitimate legal requests and used them as a template to create forgeries, according to one of the people.
… Apple and Meta both publish data on their compliance with emergency data requests. From July to December 2020, Apple received 1,162 emergency requests from 29 countries. According to its report, Apple provided data in response to 93% of those requests. Meta said it received 21,700 emergency requests from January to June 2021 globally and provided some data in response to 77% of the requests.
…Compromising the email domains of law enforcement around the world is in some cases relatively simple, as the login information for these accounts is available for sale on online criminal marketplaces.
“Dark web underground shops contain compromised email accounts of law enforcement agencies, which could be sold with the attached cookies and metadata for anywhere from $10 to $50”, said Gene Yoo, chief executive officer of the cybersecurity firm Resecurity, Inc.
Yoo said multiple law enforcement agencies were targeted last year as a result of previously unknown vulnerabilities in Microsoft Exchange email servers, “leading to further intrusions.”