Apple, others, inadvertently released customer data used to exploit minors and women


Apple, along with Meta's Facebook, Alphabet's Google, Snap, Twitter, and Discord, reportedly were tricked into releasing sensitive customer data. The perpetrators posed as law enforcement to fraudulently obtain the data. We now know that the lack of controls resulted in the targeting of underage customers and women.

Bloomberg:

The fraudulently obtained data has been used to target specific women and minors, and in some cases to pressure them into creating and sharing sexually explicit material and to retaliate against them if they refuse, according to the six people.

The tactic is considered by law enforcement and other investigators to be the newest criminal tool to obtain personally identifiable information that can be used not only for financial gain but to extort and harass innocent victims.

It is particularly unsettling since the attackers are successfully impersonating law enforcement officers. The tactic is impossible for victims to protect against, as the best way to avoid it would be to not have an account on the targeted service, according to the people.

The data released reportedly consisted of name, IP address, email address, and physical address, although more data may have been released in some situations. This information was reportedly used to threaten and harass individuals, in some cases into providing sexually explicit photos. Bloomberg reports that the scope of the disclosures is unknown, since the companies seem unable to distinguish past fraudulent requests from legitimate ones.

This episode demonstrates the risk of sharing personally identifiable information. Even if companies have the best intentions in using the data, your data can still be released due to a lack of internal controls. Such requests should be verified with the requesting agency and should also go through a review process designed to catch abuse of the kind reported here.