The FBI has issued an urgent warning about an increasing trend of cybercriminals exploiting compromised law enforcement and government email accounts to obtain private user data from U.S.-based technology companies. These fraudulent “emergency” data requests allow hackers to access sensitive information, including email addresses and phone numbers, under the guise of an urgent situation, such as a threat to someone’s life.
Surge in Fraudulent Requests Raises Alarm
The FBI’s recent notice highlights a disturbing rise in the misuse of emergency data requests, a process intended to allow law enforcement to quickly access private data during critical moments when there’s no time to obtain a court order. Though this type of data request has been misused before, the FBI noted a sharp uptick in criminal activity related to these requests, particularly since August of this year.
Hackers are now using compromised U.S. and foreign government email accounts to submit fake emergency requests to tech companies. These requests allow criminals to collect personal user data, which is then exploited for malicious purposes such as identity theft, harassment, and financial scams.
How Emergency Data Requests Are Meant to Work
In the U.S., law enforcement agencies usually need legal approval to access a person’s private data, typically requiring a court-issued search warrant for sensitive information, such as emails or stored files. For less sensitive data, like account names and phone numbers, companies may respond to subpoenas, which don’t require court approval.
However, emergency data requests are intended for situations where immediate action is needed to protect someone’s life or property. In such cases, law enforcement can bypass the usual legal processes. Unfortunately, criminals have begun to exploit this expedited procedure, using stolen law enforcement credentials to submit fraudulent requests, deceiving tech companies into disclosing personal data.
Cybercriminals Targeting Tech Giants
The FBI’s advisory reveals that cybercriminals have been advertising their access to compromised law enforcement email accounts since 2023. These groups impersonate officials, sending fake legal demands to tech companies and tricking them into sharing user information.
In some cases, these fraudulent requests included fabricated threats, such as false claims of human trafficking or dire warnings that someone could “suffer greatly or die” if their data wasn’t quickly handed over. By posing as legitimate law enforcement, hackers have been able to bypass verification systems and gain access to private data, including phone numbers, email addresses, and usernames.
While some fraudulent attempts have been flagged and blocked by tech companies, the threat remains significant.
Impact on Tech Companies and Their Users
Companies like Apple, Google, Meta (which owns Facebook and Instagram), and Snap (the maker of Snapchat) process thousands of emergency data requests each year, making them prime targets for this type of attack. According to a 2022 Bloomberg report, hacker groups such as Recursion Team and Lapsus$ have exploited this vulnerability to access user data from major companies since at least 2021.
When hackers successfully obtained personal data, it was typically used for malicious purposes like harassment, doxing (publishing private information), or targeting individuals with financial fraud schemes. These attacks underscore the severe consequences of compromised data and the growing danger to users’ privacy.
Strengthening Cybersecurity to Combat Abuse
In response to this growing threat, the FBI has urged law enforcement agencies to bolster their cybersecurity defenses. Recommended steps include using stronger passwords and multi-factor authentication to safeguard sensitive accounts. These practices are crucial to preventing unauthorized access and reducing the risk of email accounts being hijacked by criminals.
For private companies, the FBI advised heightened caution when processing emergency data requests. Given that cybercriminals are well aware of the urgency surrounding these requests, the FBI emphasized the need for companies to critically assess the legitimacy of each request, even if it seems time-sensitive.