
Apple and Meta gave user data to hackers who posed as fake police

Apple and Meta handed over usernames, phone numbers, and IP addresses to teen hackers in an embarrassing hack that has left big tech and police scratching their heads.


Apple and Meta did what?

So exactly what happened?

  • Apple and Meta employees handed over an undisclosed amount of user data to hackers posing as police.
  • The hackers broke into police email accounts and used them to send Apple and Meta fraudulent emergency data requests (EDRs).
  • The companies handed over names, phone numbers, and IP addresses, data that could be used in follow-on attacks to steal a user’s card details and compromise their Apple Pay.
  • Apple and Meta both have systems in place to validate requests from police, but verifying an EDR is hard for tech companies when the request demands an immediate response.

What is an EDR?

The police can ask certain companies for an emergency data request, or EDR, when someone is potentially in immediate danger. EDRs don’t require a judge’s signature and are meant for severe cases.

EDRs have long been criticized as a data-privacy loophole ripe for abuse by law enforcement. But this is the first time we’ve heard of hackers using the EDR loophole to steal people’s data.

Alleged Lapsus$ teens arrested

On Friday, April 1, 2022, UK police announced that two teens were charged with hacking crimes that might be linked to the Apple and Meta hack. Seven others aged between seventeen and twenty-one are under investigation for similar crimes that might be linked to the notorious hacker gang, Lapsus$.

The two teenagers, a 16-year-old and a 17-year-old, each face three counts of unauthorized access to a computer with intent to impair the reliability of data, one count of fraud by false representation, and one count of unauthorized access to a computer with intent to hinder access to data. The 16-year-old also faces one count of “causing a computer to perform a function to secure unauthorized access to a program.”

What is the Lapsus$ hacker group?

Lapsus$ is a cybercriminal gang that, in a matter of months, has terrorized some of the biggest tech companies and held them for ransom. Okta, Microsoft, Nvidia, Ubisoft, Samsung, and Vodafone have all had hundreds of internal files, source code, and consumer data dumped online by Lapsus$.

Lapsus$ hacks are notorious for their severe, far-reaching impact: the damage is felt through hundreds of other partnering companies. For instance, when Lapsus$ hacked Okta, as many as 366 companies may have been impacted by the attack. Other victim companies had projects with Apple, Google Cloud, Slack, London’s Metropolitan Police, and City of London Police (the police department that just arrested an alleged member of Lapsus$).

What can we learn?

If Apple and Meta employees could be fooled so easily by a message from a police email address, then we have to start looking at ourselves. Yes, verification procedures are vital in cybersecurity, but employees are more often the weakest link.

Assuming Lapsus$ was responsible for the attack on Apple and Meta, all it had to do was send an urgent-looking email from a legitimate police email account to obtain users’ most personal details. Trickery, or social engineering attacks like these, are (at the risk of sounding facetious) one of the most cost-effective ways to hack.

One of our own security researchers was quick to comment on the failures of Apple and Meta’s security, reminding us that, “The fact that minors were able to exploit a loophole is why the process of how companies cooperate with law enforcement should be strict and clearly defined.”