Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Privacy Security Social Networks Apple Slashdot.org

Apple and Meta Gave User Data to Hackers Who Used Forged Legal Requests 32

According to Bloomberg, Apple and Meta "provided customer data to hackers who masqueraded as law enforcement officials." Bloomberg's William Turton reports: Apple and Meta provided basic subscriber details, such as a customer's address, phone number and IP address, in mid-2021 in response to the forged "emergency data requests." Normally, such requests are only provided with a search warrant or subpoena signed by a judge, according to the people. However, the emergency requests don't require a court order. Snap Inc. received a forged legal request from the same hackers, but it isn't known whether the company provided data in response. It's also not clear how many times the companies provided data prompted by forged legal requests.

Cybersecurity researchers suspect that some of the hackers sending the forged requests are minors located in the U.K. and the U.S. [...] The fraudulent legal requests are part of a months-long campaign that targeted many technology companies and began as early as January 2021. The forged legal requests are believed to be sent via hacked email domains belonging to law enforcement agencies in multiple countries. The forged requests were made to appear legitimate. In some instances, the documents included the forged signatures of real or fictional law enforcement officers. By compromising law enforcement email systems, the hackers may have found legitimate legal requests and used them as a template to create forgeries.
Further reading: Hackers Gaining Power of Subpoena Via Fake 'Emergency Data Requests'
This discussion has been archived. No new comments can be posted.

Apple and Meta Gave User Data to Hackers Who Used Forged Legal Requests

Comments Filter:
  • Are you a hacker if you ask nicely for access and they give it to you?
    This must like one of those life hacks.
    • Comment removed based on user account deletion
      • by dgatwood ( 11270 )

        Yes, it's called "human factors" hacking, and its probably the most effective method ever for getting access where you shouldn't have it. Ask Cap'n Crunch or Dave Mitnik about it. Most of their best stuff consisted of telling someone (like the night switch technician at an ATT NOC) why they need in/need to know now or they're going to get fired in the morning. Funny how folks will forget everything they were taught about rules and security just to help a stranger in need.

        That's a terrible term. It's social engineering, not any sort of hacking. Hacking means being an advanced computer enthusiast. I grudgingly allow its misuse to refer to a cracker, which means someone who breaks into computer systems. But this is stretching the term way too far. This is just conning someone over the Internet and tricking them into giving you somebody else's data. That's pure social engineering, with no actual access to accounts or computer systems. Calling that "hacking" is grossly mi

    • by gweihir ( 88907 )

      Called "social engineering" and just as bad. Harder to prosecute though. For example in Germany, they needed a new law to make hacking ATMs illegal. After all, it asked nicely for you to take the money it just provided, so no coercion or pressure was in place and hence it could not be theft or robbery.

  • Pretty sure I was called paranoid and delusional too.

    • Comment removed based on user account deletion
      • by gweihir ( 88907 )

        And that is the problem. The _average_ person is already quite stupid and basically does understand nothing. Then you have that around 50% are below average...

    • by gweihir ( 88907 )

      You and me both. Basically anybody with common sense saw that one coming. Unfortunately, common sense is anything but common. I recently read that only around 20% of all people are even reachable by rational arguments, which means the ones that can actively use common sense and reach rational conclusions by themselves are even fewer.

  • This story is essentially a straight-up dupe of the one from the other day [slashdot.org], and the editor even linked to it. I kinda feel like they're just screwing with the /. readership at this point. Moderation is inexplicably broken, and they're like "let them eat dupes."

    • Comment removed based on user account deletion
    • by gweihir ( 88907 )

      This is called a "follow up" and it is commonly done when more relevant information comes to light that is deemed important enough. The link to the older story is a dead giveaway that it is _not_ a dupe.

  • You deserve what you get
    • I'd apply that equally to the police.

      • Comment removed based on user account deletion
        • Starting salaries just shy of six figures before overtime and over half a million plus benefits if they work overtime game the system with their sick days isn't enough? Just WTF do YOU think they should be paid? In my book, they're seriously OVERpaid considering the paltry qualifications, insufficient training, and routine dereliction of duty and not-uncommon active malfeasance.

      • Your username is so apropos. You are indeed a TOOL.
    • by gweihir ( 88907 )

      You deserve what you get

      This is more a problem with the police and the laws that are in place. But if you trust them, you are even more stupid than if you trust Apple or Alphabet. Apple and Alphabet at least see you as a customer and so attribute some minimal value to your person, after all...

  • If you mandate a cryptographic backdoor, you can bet hackers will get hold of the key.

    Turns out it works for legal backdoors too.

    • by gweihir ( 88907 )

      If you mandate a cryptographic backdoor, you can bet hackers will get hold of the key.

      Turns out it works for legal backdoors too.

      Indeed, it does. This can serve as an excellent reminder how "secure" your data or backdoor-keys would be with the "authorities"...

  • > The forged legal requests are believed to be sent via hacked email domains belonging to law enforcement agencies in multiple countries.

    So they are in some ways genuine requests, at least they are genuinely from the police IT system. The real breach seems to be the police, and maybe we need to put a bit more security in place.

  • Why would you need to hack email "domains"? (I assume that means "email servers" or "email accounts"...) You can just forge the sender in email, simple to do.

    Or is this because the answer also goes via email? In that case you _could_ try to register a domain that sounds like it is the one of a police department, but hacking the email server or some accounts of a real one is probably cheaper, faster and safer.

If it wasn't for Newton, we wouldn't have to eat bruised apples.

Working...