Hackers are using police email addresses to trick tech companies into handing over private user data.

Hackers Are Using Police Emails to Send Tech Companies Fraudulent Data Requests

The way that law enforcement is given authority to peer into our lives is already concerning enough, but that same ability is apparently being exploited by people who haven’t even been granted the authority. The FBI has issued a public notice warning that hackers are fraudulently obtaining people’s private information from tech companies by compromising police email accounts to send “emergency” data requests.

Typically, law enforcement needs a court-ordered search warrant in order to obtain data from an online account. Alternatively, a subpoena, which doesn’t require going to court, can be used to get some basic information. But “emergency” requests are another procedure through which law enforcement can urgently seek a user’s personal information in the event of an immediate risk, under the belief that there’s not even enough time to go to court. Think of the instances when mass shooters have streamed their massacres live.

The problem, as TechCrunch first reported, is that these requests are often sent to the tech giants through specific email addresses. And of course, persistent hackers are pretty good at breaking into email accounts, especially ones that often aren’t two-factor secured—but even those are penetrable through hacks like SIM swapping.

Think of it as akin to the way Apple doesn’t build backdoors into iOS out of fear that authoritarian states would be able to crack open those doors and use them for ill. Law enforcement has a backdoor way of getting information on people quickly, and hackers are exploiting it.

TechCrunch continues:

The advisory said that the cybercriminals were successful in masquerading as law enforcement by using compromised police accounts to send emails to companies requesting user data. In some cases, the requests cited false threats, like claims of human trafficking and, in one case, that an individual would “suffer greatly or die” unless the company in question returns the requested information.

Stolen information can be used by hackers to harass, doxx, or steal the identities of their targets, among other potential uses. Doxxing is a big thing in the hacker community in particular. A serial teenage hacker, Arion Kurtaj, was taken down last year after some of his competitors in the community decided to retaliate against him and publish all his personal information online. And in online gaming, teenagers sometimes retaliate against other players by finding their home addresses and swatting them, which has in the past turned deadly. The FBI says hacker groups have advertised their ability to send emergency requests.

The FBI is calling on law enforcement to ensure accounts are better protected through stronger passwords and multi-factor authentication. It also says that tech companies should use their gut more when evaluating emergency requests and not simply roll over for any government demand.

This should all serve as another reminder that legislators and the public should be very careful whenever law enforcement is granted any further surveillance capabilities. Police will expand their surveillance capabilities as much as they’re allowed. There are all kinds of potential consequences, expected and unexpected.
