Apple, Meta gave info to hackers who forged legal request
At some point last year, both Apple and Meta handed over customer information to hackers who impersonated law enforcement to make emergency requests, Bloomberg reported Thursday.
Why it matters: The incidents display yet another way that hackers have managed to get their hands on customer information, in addition to breaking into systems or luring workers to reveal their credentials.
Details: According to Bloomberg, both companies provided certain customer information, including address, phone number and IP addresses, some time in mid-2021 in response to the spoofed requests.
- Snap was also presented with a similar spoofed request but it is unclear if that company handed over information, Bloomberg also reported.
Between the lines: Most large tech companies, including Meta and Apple, generally require some type of legal order before handing over customer information.
- However, the companies also have a means by which they will provide some information in emergency situations, typically where lives are at stake.
What they're saying: In statements to Axios, both Apple and Meta pointed to their respective policies for handling emergency requests, but declined further comment.
Be smart: In both cases, though, company policies outline the steps that the companies take to verify the authenticity of such emergency requests, including contacting the law enforcement agency in question.
- Apple's policy states that a supervisor may be contacted, but also notes that the agent submitting the request should provide their supervisor's contact information.
- Presumably, that information could also be convincingly spoofed as well. In any case, something clearly went awry in these incidents.
What's next: Expect both companies to institute new procedures to ensure that emergency requests can't easily be spoofed in the future.