Apple and Meta handed over sensitive data straight to hackers

The Meta logo on a smartphone in front of the Facebook logo a little bit blurred in the background
(Image credit: Shutterstock / rafapress)

Some of the victims of a new scam where threat actors impersonated police to steal sensitive data from tech companies' endpoints have been revealed, and they're big news.

A Bloomberg report claims that both Meta (Facebook’s parent company) and Apple fell for the trick, with the two companies reportedly sharing user IP addresses, phone numbers, and home addresses with the fraudsters.

Besides Meta and Apple, a number of other major tech companies have reportedly been targeted, including Snap and Discord, although it’s unclear whether or not these companies fell for the scam. 

TechRadar needs you!

We're looking at how our readers use VPNs with different devices so we can improve our content and offer better advice. This survey shouldn't take more than 60 seconds of your time. Thank you for taking part.

>> Click here to start the survey in a new window <<

Snap and Discord targeted

Commenting on the news, Meta’s policy and communications director, Andy Stone, told The Verge that the company reviews every data request for legal sufficiency and uses “advanced systems and processes” to validate law enforcement requests and detect abuse.

“We block known compromised accounts from making requests and work with law enforcement to respond to incidents involving suspected fraudulent requests, as we have done in this case,” he said in a statement.

“This tactic poses a significant threat across the tech industry,” Peter Day, Discord’s group manager for corporate communications said. “We are continuously investing in our Trust & Safety capabilities to address emerging issues like this one.”

In the original report from KrebsOnSecurity, it was said that a group of threat actors, possibly the same people that later formed Lapsus$, managed to compromise email accounts from law enforcement agencies, most likely via phishing or viruses.

They then used those emails to reach out to large companies with an EDR - Emergency Data Request. Law enforcement agencies reach out to companies all the time, with the request to provide data on users and customers. These requests, however, need to be in compliance with certain regulations and usually take a little time to be processed.

EDRs, however, bypass all of that, as they’re used in a matter of life and death (or serious injury). By playing the EDR card, threat actors force businesses to either risk someone’s life by taking their time to confirm the sender’s identity, or risk leaking data, by hurrying to share it without double-checking who the sender is. 

Via: The Verge

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
Composite image of digital eye and British flag
Apple could soon be forced to give away all your encrypted data to the UK government
A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
Microsoft 365 accounts are under attack from new malware spoofing popular work apps
Illustration of a thief escaping with a white fingerprint
5 massive privacy scandals that rocked the world – and made millions of victims
Smartphone with new logo X twitter app background. Application twitter old blue bird change X black and white new.
Phishing campaign targets prominent X users, accounts at risk
Hook on Keyboard
Fake DocuSign and HubSpot phishing emails target 20,000 Microsoft Azure accounts
Phishing
Hackers are abusing Zendesk to run brand impersonation scams
Latest in Security
A graphic showing someone on a tablet working through a supply chain.
Security issue in open source software leaves businesses concerned for systems
ransomware avast
One of the most powerful ransomware hacks around has been cracked using some serious GPU power
person at a computer
Infamous ransomware hackers reveal new tool to brute-force VPNs
person at a computer
Many workers are overconfident at spotting phishing attacks
A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
Microsoft 365 accounts are under attack from new malware spoofing popular work apps
Data Breach
Thousands of healthcare records exposed online, including private patient information
Latest in News
Panos Panay and Alexa Plus
Amazon's Panos Panay teases future Alexa+ devices from speakers to possible wearables
Metroid Prime 4
I reckon the Nintendo Switch 2 could launch with Metroid Prime 4 – here’s why
Samsung Galaxy Z Fold 6
New rumors predict a foldable iPhone will launch next year – and cost almost twice as much as the iPhone 16 Pro Max
Pebble smartwatch countdown
Pebble confirms its smartwatch announcement is just hours away
Logo of YouTube Shorts
Is YouTube auto-playing Shorts when you open the app? Well, you’re not alone - here’s how to fix it
Google DeepMind panel discussion
“More sovereignty and protection” - Google goes all-in on UK AI with data residency, upskilling projects, and startup investments