Apple, Facebook May Have Given Private User Info to Hackers, Report Says

The data was reportedly handed over in response to forged legal requests.

Corinne Reichert Senior Editor
Corinne Reichert (she/her) grew up in Sydney, Australia and moved to California in 2019. She holds degrees in law and communications, and currently writes news, analysis and features for CNET across the topics of electric vehicles, broadband networks, mobile devices, big tech, artificial intelligence, home technology and entertainment. In her spare time, she watches soccer games and F1 races, and goes to Disneyland as often as possible.
Expertise News, mobile, broadband, 5G, home tech, streaming services, entertainment, AI, policy, business, politics Credentials
  • I've been covering technology and mobile for 12 years, first as a telecommunications reporter and assistant editor at ZDNet in Australia, then as CNET's West Coast head of breaking news, and now in the Thought Leadership team.
Corinne Reichert
2 min read
Meta and Facebook

The info reportedly given to hackers included user addresses and phone numbers.

James Martin/CNET

Apple and Facebook parent company Meta may have handed over private customer information including addresses, phone numbers and IP addresses last year in response to hackers who presented forged legal documents, a report says.

The data was given to hackers pretending to be law enforcement, who used faked emergency data requests in mid-2021, Bloomberg reported Wednesday citing three unnamed sources.

While not specifically stating whether they handed over user data, Apple and Meta both pointed to their processes for dealing with emergency government requests.

"We review every data request for legal sufficiency and use advanced systems and processes to validate law enforcement requests and detect abuse," Meta spokesperson Andy Stone said in an emailed statement. "We block known compromised accounts from making requests and work with law enforcement to respond to incidents involving suspected fraudulent requests, as we have done in this case."

Apple pointed to its Law Enforcement Guidelines, Section II E, paragraph 3 of which says: 

"If a government or law enforcement agency seeks customer data in response to an Emergency Government & Law Enforcement Information Request, a supervisor for the government or law enforcement agent who submitted the Emergency Government & Law Enforcement Information Request may be contacted and asked to confirm to Apple that the emergency request was legitimate."

Snapchat owner Snap also reportedly received one request for data, but it's unclear whether the company complied. A Snap spokesperson told CNET via email that Snap has safeguards built into its processes to spot any fraudulent law enforcement requests, including when made by hackers.

According to Bloomberg, some of the hackers could be minors located in the US and the UK, with one possibly behind the recent Lapsus$ cyberattacks on Microsoft, Samsung and Nvidia.