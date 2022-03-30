Apple and Meta, the parent company of Facebook, provided customer data to hackers who pretended to be law-enforcement officials, sources said.

Apple and Meta provided basic subscriber details, such as a customer’s address, phone number and IP address, in mid-2021 in response to the forged “emergency data requests".

Normally, such requests are only provided with a search warrant or subpoena signed by a judge, the sources said. But emergency requests do not require a court order.

Snap received a forged legal request from the same hackers, but it is not known whether the company provided data in response.

It is also not clear how many times the companies provided data after receiving forged legal requests.

Read More Teenager who hacked Elon Musk's Tesla says companies should be very afraid

Cyber-security researchers suspect that some of the hackers sending the forgeries are minors in the UK and the US.

One minor is also believed to be the leader of the cyber-crime group Lapsus$, which hacked Microsoft, Samsung and Nvidia, among others, the sources said.

City of London Police recently arrested seven people in connection with an investigation into the Lapsus$ hacking group. The inquiry is continuing.

An Apple representative referred Bloomberg News to a section of its law-enforcement guidelines.

The guidelines say a supervisor for the government or law-enforcement agent who submitted the request “may be contacted and asked to confirm to Apple that the emergency request was legitimate".

“We review every data request for legal sufficiency and use advanced systems and processes to validate law-enforcement requests and detect abuse,” Meta spokesman Andy Stone said.

“We block known compromised accounts from making requests and work with law enforcement to respond to incidents involving suspected fraudulent requests, as we have done in this case.”

Snap had no immediate comment on the case, but a representative said the company had protection in place to detect fraudulent requests.

Law enforcement around the world routinely asks social media platforms for information about users as part of criminal investigations. In the US, such requests usually include a signed order from a judge.

The emergency requests are intended to be used in cases of imminent danger.

Hackers affiliated with a cyber-crime group known as “Recursion Team” are believed to be behind some of the forged legal requests.

The requests were sent to companies throughout 2021, the sources said.

Recursion Team is no longer active, but many of its members continue to carry out hacks under different names, including as part of Lapsus$, they said.

The information obtained by the hackers using the forged legal requests has been used to enable harassment campaigns, one source said.

The sources said it might be primarily used in financial fraud schemes. The hackers could use the victim’s information to try to bypass account security.

Expand Autoplay Facebook CEO Mark Zuckerberg takes his seat to testify before the Senate Commerce, Science and Transportation Committee and the Senate Judiciary Committee joint hearing on 'Facebook, Social Media Privacy, and the Use and Abuse of Data' on Capitol Hill in Washington, DC, USA. Michael Reynolds / EPA

The fraudulent legal requests are part of a months-long campaign against many technology companies and began as early as January 2021, the sources said.

The requests are believed to be sent through hacked email domains belonging to law-enforcement agencies in several countries.

The forged requests were made to appear legitimate. In some instances, the documents included the forged signatures of real or fictional law enforcement officers.

By compromising law-enforcement email systems, the hackers may have found legitimate legal requests and used them as a template.

“In every instance where these companies messed up, at the core of it there was a person trying to do the right thing,” said Allison Nixon, chief research officer at the cyber firm Unit 221B.

“I can’t tell you how many times trust and safety teams have quietly saved lives because employees had the legal flexibility to rapidly respond to a tragic situation unfolding for a user.”