Last year, cybercriminals used phony law enforcement subpoenas to steal an unknown amount of user data from Apple and Meta. The data requests were submitted to the tech companies using hacked police email accounts, and thus appeared to be legitimate government requests.
Bloomberg reports that, in mid-2021, the two tech giants were fooled into handing over an unknown amount of “basic subscriber details” — including users’ home addresses, IP addresses, and telephone numbers. Snap Inc., the company that owns Snapchat, also received at least one similar request, but hasn’t said whether data was turned over as a result or not.
Exactly how many phony requests were directed to Apple and Meta and how much data was turned over is unclear at this point. We reached out to both companies for comment and will update this story if they respond.
In a statement provided to Bloomberg, Meta spokesman Andy Stone apparently told the outlet: “We review every data request for legal sufficiency and use advanced systems and processes to validate law enforcement requests and detect abuse.” He added: “We block known compromised accounts from making requests and work with law enforcement to respond to incidents involving suspected fraudulent requests, as we have done in this case.”
A Snap representative, meanwhile, couldn’t confirm or deny whether data had been turned over, but told Gizmodo that Snap had “safeguards” designed to “spot fraudulent law enforcement requests, including from hacked accounts.”
On Tuesday, cybersecurity blogger Brian Krebs broke the news about this weird new cybercrime trend — which sees hackers using compromised police email systems to submit fraudulent “emergency” data requests to tech companies. Such requests, known as EDRs, are used by police in time-sensitive, life or death situations, and do not require a court order. Thus, unlike other subpoenas, EDRs don’t involve extensive internal reviews and companies are more willing to turn over data quickly if the request comes from a reputable law enforcement agency. Unfortunately, police email login credentials can be purchased with relative ease on the dark web — making this practice not a huge stretch for the trained cybercriminal.
In his blog, Krebs provides at least one specific instance of this happening, during which hackers successfully convinced chat platform Discord to turn over subscriber data on an 18-year-old user from Indiana. Discord confirmed to Gizmodo that it had mistakenly provided data to a “malicious actor” using a cop’s compromised email account.
A hacker source also told Krebs that cybercriminals will often use the stolen data to commit “stalking, hacking, harassing and publicly humiliating” campaigns against their victims.