You’d think the titans of Big Tech would run backup checks on anyone demanding private user data. But last year, we learned just how easy it is to pull the wool over a company’s eyes. A gang of mysterious hackers forged legal requests to trick Google and Meta into sharing user addresses, phone numbers and more.
Even worse, it may have been child’s play: Some experts suspect a gang of teens is behind the enormous data breach. The teens allegedly pretended to be law enforcement officials and submitted forged legal requests. Tap or click here for a surprising trick to recognize forgery.
It’s pretty standard for law enforcement officers to ask tech companies for user details. But it’s rare for companies to fall for forged requests hook, line and sinker. Here’s how the hackers pulled off the con and what to do if you’re collateral damage.
All data breaches are big deals, but this one’s especially gnarly
So far, the hackers have used the information they stole to spearhead harassment campaigns, Bloomberg reports. They can use the information to take over accounts or trigger financial fraud.
Don’t think for a moment that this is an isolated incident. The attacks on Meta and Apple are part of a campaign targeting Big Tech companies.
Bloomberg speculates that the hackers roamed through email inboxes after breaking into law enforcement email systems. That’s when the hackers may have discovered official emergency data requests.
They may have used these requests as templates for their forged legal requests. (Remember that we don’t know for sure how it happened; this is all speculation.) Tap or click here to avoid a phishing attack that lets hackers read and send emails from your account.
Ever heard of an emergency data request? Here’s a quick overview
When police are investigating crimes, they often turn to technology for answers. They’ll ask social media platforms to help out by sending an official court-ordered warrant or subpoena. In other words, a judge has to sign off on the request.
The rules are slightly different when we’re talking about emergency data requests. In these cases, time is of the essence, so the rules are a bit looser. Officials don’t have to wait for a judge’s approval before sending the request. Usually, officers send them out in high-stakes situations, like when someone is in danger.
Thus, when the hackers sent out these requests, Facebook and Meta officials thought they were doing the right thing. They shared user data to help officers but ended up contributing to harassment campaigns.
The aftermath of the teens’ forged legal requests scheme
English police have made multiple arrests in recent weeks. Authorities say the Lapsus$ hacking group may be behind the attack. This group has attacked many tech giants, from Samsung and Nvidia to Okta and Microsoft.
In late March, British authorities arrested seven people over suspected connections to the group. They’re now investigating a 16-year-old from Oxford, U.K., according to WePC.com. They suspect one teen could be the mastermind behind the operation.
How this impacts you
It’s easy to be desensitized when it comes to data breaches. But you need to be alert because complacency can put you at a considerable disadvantage.
Think of it this way: Every data breach you’re a part of leaks a little information. These data points are like puzzle pieces. As more and more companies are breached, more puzzle pieces are exposed to the public.
Hackers can put all those pieces together if you don’t protect yourself. Then they can turn around and use that informational jigsaw puzzle to impersonate you. Since data breaches can lead to identity theft, you must be on guard.
A thief who steals your private information can take over your bank accounts and even commit crimes in your name. Tap or click here for free identity theft protection. Check out the guides below for a few more ways to protect yourself.