Hackers have gotten one over on Big Tech. Bloomberg, citing people close to the situation, reported that scammers allegedly tricked Apple and Meta into revealing user information through fake legal requests. The tech giants shared personal details with the hackers, including their users’ addresses, phone numbers, and IP addresses.
The data breach happened last year in response to what turned out to be falsified “emergency data requests.” A search warrant or a subpoena typically accompanies urgent requests, but those requirements are lifted in the face of what appear to be emergencies.
In addition to the iPhone maker and Facebook parent company, scammers targeted Snap Inc. with an emergency data request, though it is unclear whether they duped the messaging app.
The suspected hackers, who are said to be located in the United States and the UK, are thought to be teens, but they are not novices.
At least one of these bad actors could have ties to the infamous hacking groups Lapsus$ or Recursion Team, which have similar methods of operation. South America-based Lapsus$ has previously targeted tech giants including Microsoft, Samsung, and Nvidia.
The question on everyone’s minds is how hackers could infiltrate the systems of major technology companies like Apple, with a market cap of $2.8 trillion, and Meta, whose market value is over $612 billion.
Wendi Whitmore, SVP of Palo Alto Networks division Unit 42, explained to Bloomberg the concerns that have resulted from the incident.
She said the division worries about the hackers’ familiarity with these companies’ weak spots and their knowledge of U.S. law enforcement procedures for requesting data on demand from tech and social media platforms.
The hackers seem unconcerned about repercussions, which speaks to their confidence in exploiting vulnerabilities, even though the minors seemingly have no organization backing them.
Now that they have the sensitive user information, Whitmore said it could end up in the hands of stalkers, both cyber and physical. Still, law enforcement will work with Meta and Apple to prevent that.
The Unit 42 team has spotted more than 2,500 instances of security breaches in the last year.
The criminals purchase data on the cheap and then harness that information to test out which organizations they can infiltrate, such as law enforcement. They then place “time demands” on the victims to pressure them into submitting to the requests.
In the case of Meta and Apple, the hackers began their work in early 2021. They forged legal requests for data, signing them with the names of the relevant individuals from law enforcement in various countries and sending them to the companies via fake email addresses. The urgent nature of the requests forced Meta and Apple to respond.
According to Bloomberg, hackers are exploiting a weak spot in the economy, as over half a million jobs in the cybersecurity industry are currently unfilled. The Russia-Ukraine war has exacerbated the situation as companies devote resources toward complying with recommendations and attempting to thwart cyberattacks.
Cyber experts warn that if major tech companies can fall for the fake demands, no business is immune, regardless of its size.