Phone numbers, home addresses, and (yikes!) internet browsing histories have been handed right over to hackers who approached tech companies while posing as police, and what’s more, most of the hackers were teenagers.
Information security is admittedly a hard game, and tech companies do have a legitimate conflict between protecting users’ privacy and protecting the public at large from violent nutjobs. Plenty have criticized Facebook for allowing militias to organize on the platform, but at the same time, we criticize them when they hand data over to law enforcement. It’s a fine line to walk, and hackers have a new way of making those distinctions even more difficult.
The Verge reports that hackers are posing as law enforcement and requesting data, and apparently both Apple and Facebook did fall for it and comply. In these cases, the hackers were able to breach law enforcement databases and email systems, so the email requests did appear to be perfectly legitimate requests.
According to the Hill, “The companies provided user details such as addresses, phone numbers and IP addresses in mid-2021,” and that “It’s unclear how much data was turned over.”
Law enforcement generally needs a legitimate court order or subpoena to get such data. But there’s also an exception called an Emergency Data Request (EDR) wherein law enforcement — or someone posing as law enforcement — can claim that harm or danger is somehow imminent, and totally bypass subpoena requirements. And if a hacker group has pilfered law enforcement email credentials, apparently then it is off to the races collecting individual user data.
Neither Facebook/Meta nor Apple directly acknowledged being duped, but Facebook said they’d put safeguards in place in light of the findings. “We block known compromised accounts from making requests and work with law enforcement to respond to incidents involving suspected fraudulent requests, as we have done in this case,” Meta’s policy and communications director Andy Stone told The Verge.
Apple, for their part, merely pointed to their Legal Process Guidelines which say that the law enforcement agency affiliated with the request “may be contacted and asked to confirm to Apple that the emergency request was legitimate.”
“May be.”
What is simultaneously hilarious and terrifying about this scheme is that the hackers are apparently teenagers. Krebs on Security laments "The reality that teenagers are now impersonating law enforcement agencies to subpoena privileged data on their targets at whim," and connects such low-tech means of data extortion to the recent major hackings of tech companies by the hacker collective called LAPSUS$.
Krebs interviewed an 18-year-old hacker who goes by KT, who'd managed to pull another person’s internet browsing history from the messaging and chat platform Discord. “One of the phony EDRs shared by KT targeted an 18-year-old from Indiana, and was sent to the social media platform Discord earlier this year,” Krebs reports. “The document requested the Internet address history of Discord accounts tied to a specific phone number used by the target. Discord complied with the request.”
For their part, Discord was apparently far more reactive than Apple or Facebook. “While our verification process confirmed that the law enforcement account itself was legitimate, we later learned that it had been compromised by a malicious actor,” the company said in a statement to Krebs. “We have since conducted an investigation into this illegal activity and notified law enforcement about the compromised email account.”
So, yeah, when you hear about hacks, breaches, and ransomware attacks, do not automatically assume it was the Russians. It may have just been deplorable teenagers.
Related: Hackers Seize Jack Dorsey's Twitter, Make Bomb Threats, Praise Hitler [SFist]
Image: United Artists