Apple could have unknowingly provided user data to a group of hackers masquerading as government officials last year. Apple didn’t explicitly confirm what happened, but reports suggest the iPhone maker wasn’t the hackers’ only target firm.
In a social engineering scam from 2021, hackers posed as law enforcement officials and sought user data from Apple using “emergency data requests.” Based on information from three sources familiar with what happened, Bloomberg reports that the bad actors convinced Apple to share data, including customer addresses, phone numbers, and IP addresses.
Emergency data requests, which the hackers forged, require companies to respond and give law enforcement agencies the data immediately. Such a request is unlike a subpoena or search warrant, which is generated after due legal process, because emergency requests are used to handle imminent threats. When Bloomberg asked Apple to comment on the matter, a company representative suggested the publication refer to Apple’s law enforcement guidelines. The guidelines say a government supervisor or law enforcement officer who submitted the request should be asked to confirm if the emergency request was legitimate.
The hackers successfully forged the emergency data requests by taking over law enforcement email domains in various countries. Forged signatures of real or made-up officials were also used to make the requests appear legitimate and convincing. The report adds that some of the hackers could be minors from the US or UK, and at least one such hacker was also a Lapsus$ group member. For the uninitiated, Lapsus$ is a hacker outfit that targeted technology majors such as Microsoft, Samsung, and NVIDIA in potentially disastrous ransomware attacks.
Meta-owned social media giant Facebook also unwittingly handed confidential user data to the same group of hackers known as the “Recursion Team.” Facebook reportedly confirmed that it is working with the authorities on the fraudulent requests.
According to the report, the data hackers obtained from Apple and Facebook has been used for targeted harassment campaigns and financial fraud. If you want to dig deeper and understand this type of social engineering attack, KrebsOnSecurity has explained it in depth in a post.
[Via Bloomberg]