The companies reportedly responded to emergency data requests and provided customers' personal information such as addresses, phone numbers and even IP addresses.
In the U.S., companies are required to disclose personal information only if a search warrant or subpoena has been signed by a judge.
In this case, Apple and Meta were duped by forged documents containing legal applications that were considered legitimate because they had been signed by fictitious law enforcement agencies.
The hackers behind the emergency data requests are believed to be minors from the U.S. and U.K. The group is believed to be linked to one of two hacking groups known as the Recursion Team or Lapsus$.
It remains to be seen whether Lapsus$ or Recursion Team were behind the impersonation of law enforcement.