In response to fraudulent legal requests, companies like Apple, Google, Meta and Twitter have been tricked into sharing sensitive personal information about some of their customers. We knew that was happening as recently as last month when Bloomberg reported on hackers using fake emergency data requests to carry out financial fraud. But according to a report from the outlet, some malicious individuals are also using the same tactics to target women and minors with the intent of extorting them into sharing sexually explicit images and videos of themselves.
It’s unclear how many fake data requests the tech giants have fielded since they appear to come from legitimate law enforcement agencies. But what makes the requests particularly effective as an extortion tactic is that the victims have no way of protecting themselves other than by not using the services offered by those companies. Law enforcement officials and investigators Bloomberg spoke to told the publication they believe the use of the tactic has become “more prevalent” in recent months.
All the companies that commented on Bloomberg’s reporting, including Google and Snap, said they have policies and teams in place to verify the legitimacy of user data requests.
“We review every data request for legal sufficiency and use advanced systems and processes to validate law enforcement requests and detect abuse,” Meta spokesperson Andy Stone told Engadget. “We block known compromised accounts from making requests and work with law enforcement to respond to incidents involving suspected fraudulent requests, as we have done in this case.”
A Discord spokesperson said the company validates all data requests to ensure they come from a “genuine” source. “We are continuously investing in our Safety capabilities to address emerging issues like this one,” the spokesperson added.
Part of what has allowed the fake requests to slip through is that they abuse how the industry typically handles emergency appeals. Among most tech companies, it’s standard practice to share a limited amount of information with law enforcement in response to “good faith” requests related to situations involving imminent danger.
Typically, the information shared in those instances includes the name of the individual, their IP, email and physical address. That might not seem like much, but it’s usually enough for bad actors to harass, dox or SWAT their target. According to Bloomberg, there have been “multiple instances” of police showing up at the homes and schools of underage women.
The issue of fake data requests is reportedly prompting companies to think of new ways to verify legitimate ones. It has also pushed US lawmakers to weigh in on the issue. “No one wants tech companies to refuse legitimate emergency requests when someone’s safety is at stake,” said Senator Ron Wyden of Oregon last month. “But the current system has clear weaknesses that need to be addressed.”