Apple and Meta Caught in Data Leak Mistake

messi62

Apple and Meta are two companies you'd least expect to be scammed. But this isn't the first time Big Tech has made headlines for the wrong reasons. This time, hackers posing as law enforcement officers obtained customer data from the two companies. The same group also targeted Snap Inc and popular messaging app Discord.

Bloomberg
reports
that the attackers tricked Apple and Meta into handing over information like customer addresses, phone numbers, and IP addresses by faking requests for urgent data. Typically, you would need a search warrant or a subpoena signed by a judge to obtain such sensitive data. However, emergency requests do not require a court order.

How Apple and Meta Let This Happen
The attackers used the oldest trick in the scammers’ repertoire – the classic phishing parody – to first hack into the email accounts of law enforcement agencies in several countries, then use professionally designed legal templates with forged signatures of real and fictitious law enforcement officials to pull off the scam, Bloomberg’s sources say.

If you're wondering whether this was a complex scheme that went far beyond what companies would expect, it wasn't. Rather, the hackers bought passwords on the dark web and spoofed the common practice of requesting information from social media platforms as part of a criminal investigation.

As expected, Apple and Meta representatives were quick to dismiss the incident.

“We review every data request to mobile app development service ensure it is legally valid and use industry-leading systems and processes to verify law enforcement requests and identify abuse. We block known compromised accounts from requests and work with law enforcement to respond to incidents involving suspected fraudulent requests, as we did in this case,” Meta spokesman Andy Stone said in a statement.

Who was behind the attack?
All clues point to hackers known as the Recursion Group. Although the group is no longer active, some of its members, including minors in the UK and US, are believed to be carrying out cyber attacks on behalf of the infamous Lapsus$ group, which has targeted many well-known tech giants such as Samsung, Nvidia and Microsoft. UK police are hot on their heels and
have already arrested
seven people suspected of having links to the Laspus$ group.



How to prevent such fraud?
If you trace the chain of events that led to the attack, it all started with law enforcement and their questionable security hygiene. To prevent account takeover attacks, agencies should increase their employees’ cybersecurity awareness and establish strict password protocols across all departments.

A strong password is at least 12 characters long and combines uppercase and lowercase letters, numbers, and symbols. The most effective way to manage passwords for multiple accounts is to use a password generator service.

As for the victims themselves, it’s a little more difficult for companies like Apple and Meta to flag these schemes instantly without a centralized system for submitting such requests. With so many jurisdictions and law enforcement agencies around the world, keeping track of all the data collection laws related to criminal investigations is a challenge that has yet to be solved.