Hackers got user data from Meta with forged request
FACEBOOK owner Meta gave user information to hackers who pretended to be law enforcement officials last year, a company source said Wednesday, highlighting the risks of a measure used in urgent cases.
Imposters were able to get details like physical addresses or phone numbers in response to falsified “emergency data requests,” which can slip past privacy barriers, said the source who requested anonymity due to the sensitivity of the matter.
Criminal hackers have been compromising email accounts or websites tied to police or government and claiming they can’t wait for a judge’s order for information because it’s an “urgent matter of life and death,” cyber expert Brian Krebs wrote Tuesday.
Bloomberg news agency, which originally reported Meta being targeted, also reported that Apple had provided customer data in response to forged data requests.
Apple and Meta did not officially confirm the incidents, but provided statements citing their policies in handling information demands.
When US law enforcement officials want data on a social media account’s owner or an associated cell phone number, they must submit an official court-ordered warrant or subpoena, Krebs wrote.
But in urgent cases authorities can make an “emergency data request,” which “largely bypasses any official review and does not require the requestor to supply any court-approved documents,” he added.
Meta, in a statement, said the firm reviews every data request for “legal sufficiency” and uses “advanced systems and processes” to validate law enforcement requests and detect abuse.
“We block known compromised accounts from making requests and work with law enforcement to respond to incidents involving suspected fraudulent requests, as we have done in this case,” the statement added.
Apple noted its guidelines, which say that in the case of an emergency application “a supervisor for the government or law enforcement agent who submitted the... request may be contacted and asked to confirm to Apple that the emergency request was legitimate.”
Krebs noted that the lack of a unitary, national system for these type of requests is one of the key problems associated with them, as companies end up deciding how to deal with them.
“To make matters more complicated, there are tens of thousands of police jurisdictions around the world – including roughly 18,000 in the US alone – and all it takes for hackers to succeed is illicit access to a single police email account,” he wrote.
This comes as a Washington Post report Wednesday partially confirmed by AFP emerged, accusing Meta of hiring a consulting firm to carry out a US campaign denigrating its fierce rival TikTok.
The campaign reportedly includes placing letters in major US news outlets and promoting negative stories about TikTok, allegedly using the type of tough tactics familiar to Washington politics.
Meta, which shed hundreds of billions in value earlier this year due to doubts about its future, is in a pitched fight against the video sharing platform popular with young social media fans.
“We believe all platforms, including TikTok, should face a level of scrutiny consistent with their growing success,” Meta told AFP in a one-line statement in response to the article.
The consulting firm, Targeted Victory, confirmed having worked for Meta and did not deny having put forward negative information about TikTok.
“We’re proud of the work we’ve done to highlight the dangers of TikTok,” the firm’s CEO Zac Moffatt tweeted.
Employees at Targeted Victory worked to undermine TikTok, which is owned by Chinese company ByteDance, by promoting an effort to have it portrayed as a danger to American children, the Post reported, citing the firm’s internal emails.
The Post quoted one message saying Targeted Victory needed to “get the message out that while Meta is the current punching bag, TikTok is the real threat especially as a foreign owned app that is #1 in sharing data that young teens are using.”
One effort reportedly included getting parents to sign on to letters raising concerns that were submitted to US newspapers, some of which published them.
Targeted Victory also alerted elected officials and journalists to alleged trends on TikTok that encouraged students to vandalize their school premises, known as “devious licks” or the “slap a teacher” challenge.
The “challenge” urging young users to attack teachers did not start on TikTok, but on Facebook, according to an investigation by the “Reply All” podcast, with the investigator unable to find any videos on this topic on TikTok.
“We are deeply concerned that the stoking of local media reports on alleged trends that have not been found on the platform could cause real world harm,” TikTok told AFP in a statement.
Moffatt, the Targeted Victory CEO, also argued the Post article “mischaracterizes the work we do,” citing examples including the characterization of people who signed the letters sent to newspapers.
“The story infers that the words of the letters to the editor were not the authors’ own, nor did they know of Meta’s involvement. That is false,” he tweeted.
When contacted by AFP, the people cited as signing the letters did not respond to requests for comment.