Thu | Mar 31, 2022 | 3:17 PM PDT

It's relatively easy for your average Joe to unknowingly hand over some personal information to hackers. Maybe they fell for a social engineering scheme or just accidentally clicked on a malicious link while scrolling through emails.

But for two of the largest tech companies in the world to just give user data to hackers? You would think it would be a little more difficult.

This week, Apple and Meta are circling in the news cycle for providing customer data to hackers who impersonated law enforcement officials, according to a report from Bloomberg.

Bloomberg says the two tech giants gave hackers basic subscriber information, such as addresses, phone numbers, and IP addresses, in response to a fake "emergency data request."

Information requests like these typically come with search warrants or subpoenas signed by a judge, but emergency requests are intended to be used in cases of imminent danger and don't require a judge to sign off. 

Fraudulent data requests linked to Lapsus$

Security researchers believe that some of the threat actors sending out the fake data requests are teenagers located in the United Kingdom and the United States, with at least one of them being connected to the new Lapsus$ cybercrime gang.

Lapsus$ has been in headlines since the beginning of 2022, pulling off some high-profile hacks of big companies, including NVIDIA and Microsoft, gaining notoriety along the way.

Bloomberg reports that the individual connected in this data request scheme could be the mastermind behind Lapsus$.

But what have the hackers done with the user information after successfully fooling Apple and Meta?

According to people familiar with the case, the information has been used for harassment campaigns and to facilitate financial fraud schemes. The fraudulent requests began circulating in early 2021, and are thought to be sent via hacked email domains belonging to law enforcement agencies in multiple countries.

While it seems like Apple and Meta should have flagged these fraudulent requests, the two companies do frequently comply with emergency data requests from law enforcement.

From July through December of 2020, Apple received 1,162 emergency requests from 29 countries, providing data in 93% of those requests. From January through June of 2021, Meta received 21,700 emergency requests, providing data 77% of the time.

Meta says on its website:

"In emergencies, law enforcement may submit requests without legal process. Based on the circumstances, we may voluntarily disclose information to law enforcement where we have a good faith reason to believe that the matter involves imminent risk of serious physical injury or death."

It is certainly a difficult position to be in for the tech companies, as business leaders would surely provide information in an emergency situation, but when hackers take advantage of that knowledge, it's the users that suffer.

Apple and Meta were not the only companies tricked into supplying user information to hackers, though. Discord confirmed it had also responded to a fake request. The company said in a statement:

"We verify these requests by checking that they come from a genuine source, and did so in this instance. While our verification process confirmed that the law enforcement account itself was legitimate, we later learned that it had been compromised by a malicious actor. We have since conducted an investigation into this illegal activity and notified law enforcement about the compromised email account."