Skip to main content

Apple tricked into releasing personal data used to sexually extort minors

We learned last month that Apple was tricked into releasing personal data to hackers, after they posed as law enforcement officials with emergency data requests. A follow-up report reveals that some of this data was used to sexually extort minors.

The latest report also sheds light on how the hackers were able to fool Apple and other tech giants, including Facebook, Google, Snap, Twitter, and Discord …

Background

Usually, a company will only release customer data to law enforcement officials on receipt of a court order, and even then will scrutinize the request carefully, sometimes offering to supply only part of the data requested.

As this process takes time, there is an emergency data request procedure for use when there is an immediate risk of harm to one or more individuals. In these cases, companies do check that the request comes from a legitimate law enforcement contact, but supply the information first, and ask questions later.

Hackers used fake emergency data requests to persuade Apple and other companies to release user data. A new report explains how the data was misused, and provides some information on how the companies were fooled.

How Apple was tricked

Bloomberg reports that the attack generally relies on being able to use hacking or phishing to gain access to law enforcement email systems, so that the source of the requests appears genuine.

The exact method of the attacks varies, but they tend to follow a general pattern, according to the law enforcement officers. It starts with the perpetrator compromising the email system of a foreign law enforcement agency.

Then, the attacker will forge an “emergency data request” to a technology company, seeking information about a user’s account, the officers said. Such requests are used by law enforcement to obtain information amount online accounts in cases involving imminent danger such as suicide, murder or abductions […]

The data provided varies by companies, but generally includes the name, IP address, email address and physical address. Some companies provide more data.

Cascade attacks used to extort victims

Although the data doesn’t sound like it amounts to much, it does provide enough information to allow further hacks and phishing attacks to be carried out against individual victims. Both perpetrators and victims are reported to include children.

The attackers have used the information to hack into victim’s online accounts or to befriend the women and minors before encouraging them to provide sexually explicit photos, according to the people. Many of the perpetrators are believed to be teenagers themselves based in the US and abroad, according to four of the people.

Bloomberg reports that some of the cases were horrifically extreme.

Perpetrators have threatened to send sexually explicit material provided by the victim to their friends, family members and school administrators if they don’t comply with the demands, according to the people. In a few instances, the victims have been pressured to carve the perpetrator’s name into their skin and share photographs of it

9to5Mac’s Take

The use of fake emergency data requests from legitimate law enforcement email addresses is a huge issue because it risks harm however companies respond. If they do release data with minimal checks, they run the risk of handing over personal information to hackers. If they delay long enough for more involved checks, it may be too late to help victims in genuine cases.

The obvious risk is that this becomes an increasingly common tactic. Significant resources need to be put into preventing and detecting this crime, and the punishment needs to reflect the severity of the potential consequences.

Photo: Alexander Krivitskiy/Unsplash

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

Author

Avatar for Ben Lovejoy Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!


Ben Lovejoy's favorite gear