April 29, 2022 – Leading tech companies, including Facebook’s parent organisation Meta and Apple, have been tricked by bogus legal requests into providing sensitive personal information of their users, reveals a report published by Bloomberg. The data has reportedly been used to harass and sexually extort minors.
Other companies that were fooled into giving up data to forged requests are Google, Twitter, Snap, and Discord. The four federal law enforcement officials and two industry investigators requested anonymity as they lifted the lid on the shocking online crime involving underage victims.
According to the report, specific women and minors have been targeted with the illegally obtained data. In some cases, the victims were forced to create and share sexual material and were threatened with retaliation if they refused. It is, however, not clear how the data was used to extort minors.
The investigators consider the tactic to be the newest tool to not only benefit financially from the fraudulently acquired data but also to harass and extort users. What has sent shock waves across the tech world is the attackers’ ability to successfully dupe the world’s leading companies by impersonating law enforcement officers.
“I know that emergency data requests get used in real-threatening emergencies every day, and it is tragic that this mechanism is being abused to sexually exploit children,” says Alex Stamos, a former chief security officer at Facebook.
“In 2021, we uncovered a fraudulent data request coming from malicious actors posing as legitimate government officials,” a Google spokesperson says. “We quickly identified an individual who appeared to be responsible and notified law enforcement. We are actively working with law enforcement and others in the industry to detect and prevent illegitimate data requests.”
Twitter and Apple did not return Bloomberg’s request for comment. However, a Discord spokesperson said that the platform validates all emergency requests.
The data provided in response to emergency requests varies by companies but usually includes the name, email and residential addresses, and IP address. However, companies are not bound to respond to emergency requests as they do not carry a court order signed by a judge.
Some companies may provide more data and, though innocuous this data may seem, it can be weaponised by attackers using several harassment techniques.
