In response to fraudulent legal requests, companies like Apple, Google, Meta and Twitter have been tricked into sharing sensitive personal information about some of their customers. Reportedly, hackers are using fake emergency data to extort women and minors.
Exploiting Fake Emergency Data
Recently, Bloomberg published a report on hackers using fake emergency data requests to carry out financial fraud. But according to a newly published report from the outlet, some malicious individuals are also using the same tactics to target women and minors with the intent of extorting them into sharing sexually explicit images and videos of themselves.
It’s unclear how many fake emergency data requests the tech giants have fielded since they appear to come from legitimate law enforcement agencies. But what makes the requests particularly effective as an extortion tactic is that the victims have no way of protecting themselves other than by not using the services offered by those companies. Law enforcement officials and investigators Bloomberg spoke to told the publication they believe the use of the tactic has become “more prevalent” in recent months. All the companies that commented on Bloomberg’s reporting, including Google and Snap, said they have policies and teams in place to verify the legitimacy of user data requests.
Validating Data Requests
A Discord spokesperson said the company validates all data requests to ensure they come from a “genuine” source. Part of what has allowed the fake requests to slip through is that they abuse how the industry typically handles emergency appeals. Among most tech companies, it’s standard practice to share a limited amount of information with law enforcement in response to “good faith” requests related to situations involving imminent danger.
Typically, the information shared in those instances includes the name of the individual, their IP, email and physical address. That might not seem like much, but it’s usually enough for bad actors to harass, dox or SWAT their target. According to Bloomberg, there have been “multiple instances” of police showing up at the homes and schools of underage women.
The issue of fake emergency data requests is reportedly prompting companies to think of new ways to verify legitimate ones. It has also pushed US lawmakers to weigh in on the issue. “No one wants tech companies to refuse legitimate emergency requests when someone’s safety is at stake,” said Senator Ron Wyden of Oregon last month. “But the current system has clear weaknesses that need to be addressed.”