Apple and Meta handed customer data over to hackers who claimed to be law enforcement officials, Bloomberg reported on Wednesday.
The companies provided customer details including addresses, phone numbers and IP addresses last year when responding to fake emergency data requests, three sources with knowledge of the matter told Bloomberg. Snap also reportedly received a forged information request, but it is unclear if the company responded. It’s not known how many times companies gave data in response to the requests.
In an email, Apple sent Protocol the same passage from its Law Enforcement Guidelines that it sent to Bloomberg, stating that if a law enforcement or government agent submits an emergency data request, the company may contact their supervisor to “confirm to Apple that the emergency request was legitimate.”
A Snap spokesperson said in an email that the company has safeguards built into its processes to spot fraudulent law enforcement requests, including from hacked accounts.
“We review every data request for legal sufficiency and use advanced systems and processes to validate law enforcement requests and detect abuse,” Andy Stone, a spokesperson for Meta, said in a statement. “We block known compromised accounts from making requests and work with law enforcement to respond to incidents involving suspected fraudulent requests, as we have done in this case.”
Members of a hacker group known as “Recursion Team” are behind the fake requests, according to Bloomberg. Though the group is reportedly no longer active, some members are still working under different names, including Lapsus$, which is responsible for the recent hacks of Nvidia, Okta and Samsung. Researchers also suspect that the fake requests came from minors located in the U.K. and the U.S., according to Bloomberg.
The information obtained was reportedly used for harassment campaigns, including financial fraud schemes. The forged requests reportedly began in early 2021, sent via hacked email addresses of several law enforcement agencies and made to look real.
It’s not uncommon for law enforcement to request information from social media companies for investigations. Those requests are typically signed by a judge in the U.S., but emergency data requests do not need judge sign-off as they’re used in cases of imminent danger.