The hackers used “compromised” email accounts and, posing as law enforcement officials, got hold of people’s personal data (the exact number is unknown). As Bloomberg reported, both Facebook and Apple shared “basic subscriber data such as customer address, phone number, and IP address.” Discord provided “a history of the internet addresses of the Discord accounts associated with a particular phone number.” The hackers tried the same with Snap, but it’s not clear whether they got their hands on users’ personal data.
It is not uncommon for companies such as Apple and Facebook to share data with law enforcement, and these companies have dedicated teams to respond to such requests. Usually such requests are accompanied by a court order, but there are also “emergency” data requests (EDRs), where law enforcement asks for data without one, for example when someone’s life is in danger.
In this case, the hackers used this tactic to gain access to personal information about specific targets in order to “facilitate financial fraud schemes,” and they successfully tricked the companies into handing over the data.
Meta (Facebook’s parent company) spokesman Andy Stone told Bloomberg that the company has safeguards in place to screen legal requests and detect abuse.
“We are blocking known compromised accounts from sending requests and are working with law enforcement to respond to incidents of alleged fraudulent requests, as we did in this case,” he said.
Apple and Snap also pointed to their own guidelines, saying they have policies in place to verify the legitimacy of requests for user data.
“We can confirm that Discord has received requests from a legitimate law enforcement domain and has complied with the requests in accordance with our policies. We validate these requests to see if they come from a genuine source, which we did in this case. While our verification process confirmed that the law enforcement account itself was legitimate, we later learned that it had been compromised by an attacker. We have since investigated this illegal activity and notified law enforcement of the compromised email account,” the company said.
Security researchers have linked some of the people involved in this scheme to the notorious LAPSUS$ hacker group, whose members allegedly hacked into Microsoft, Okta, NVIDIA, and Vodafone.