According to the sources, the data involved included addresses, telephone numbers and IP addresses. This reportedly happened by means of a forged emergency data request.
Unlike a normal request for information, an emergency warrant does not require a court-signed document, such as a subpoena. Snap, the company behind Snapchat, also received a forged legal request from the same hackers. It is unknown if the company provided any information in response. It’s also not clear how many times the companies provided data in response to falsified requests.
Cybersecurity researchers suspect that some of the hackers are underage and located in the United Kingdom and the United States. One of the minors is also said to be the brain behind the hacker group Lapsus$, which hacked Microsoft, Samsung and Nvidia, among others, the sources said.
London police recently arrested seven people in connection with an investigation into Lapsus$. That investigation is still ongoing.
An Apple representative referred to the company’s law enforcement guidelines in a response to Bloomberg. The company did not comment further.
Meta says in a response that it checks every data request for legal adequacy. The company also claims to use sophisticated systems and processes to validate law enforcement requests and detect abuse. Affected accounts will be blocked where they are known. The company is working with law enforcement in response to incidents involving suspected fraudulent requests “as we did in this case.”
Law enforcement agencies around the world routinely ask social media platforms for information about users as part of criminal investigations. In the United States, such requests usually require a signed court order. Emergency requests, however, which are intended for use in the event of imminent danger, do not have to be signed by a judge.