The FBI is warning that hackers are obtaining private user information — including emails and phone numbers — from U.S.-based tech companies by compromising government and police email addresses to submit “emergency” data requests.
The FBI’s public notice filed this week is a rare admission from the federal government about the threat from fraudulent emergency data requests, a legal process designed to help police and federal authorities obtain information from companies to respond to immediate threats affecting someone’s life or property. The abuse of emergency data requests is not new, and has been widely reported in recent years. Now, the FBI warns that it saw an “uptick” around August in criminal posts online advertising access to or conducting fraudulent emergency data requests, and that it was going public for awareness.
“Cyber-criminals are likely gaining access to compromised U.S. and foreign government email addresses and using them to conduct fraudulent emergency data requests to U.S. based companies, exposing the personal information of customers to further use for criminal purposes,” reads the FBI’s advisory.
Police and law enforcement in the U.S. generally need some kind of legal justification to seek and obtain access to private data that companies store on their servers. Typically for a person’s private content, like their files, emails or messages, police need to provide enough evidence of a possible crime before a U.S. court will issue a search warrant allowing the police to request that information from a private company. Police can issue subpoenas — which don’t require going to a court — requesting companies to access limited amounts of information about a user, such as their basic account information, like their username, account logins, email addresses and phone numbers, and sometimes their approximate location.
There are also emergency requests, a procedure in which law enforcement can urgently seek a person’s information from a company in the event of an immediate risk, where there is no time to seek a court order.
It’s these emergency requests that federal authorities say some cybercriminals are abusing.
The FBI said in its advisory that it had seen several public posts made by known cybercriminals over 2023 and 2024, claiming access to email addresses used by U.S. law enforcement and some foreign governments. The FBI says this access was ultimately used to send fraudulent subpoenas and other legal demands to U.S. companies seeking private user data stored on their systems.
The advisory said that the cybercriminals were successful in masquerading as law enforcement by using compromised police accounts to send emails to companies requesting user data. In some cases, the requests cited false threats, like claims of human trafficking and, in one case, that an individual would “suffer greatly or die” unless the company in question returns the requested information.
The FBI said the compromised access to law enforcement accounts allowed the hackers to generate legitimate-looking subpoenas that resulted in companies turning over usernames, emails, phone numbers, and other private information about their users. But not all fraudulent attempts to file emergency data requests were successful, the FBI said.
Cybercriminals often use the requested data for harassment, doxing, and targeting individuals with financial fraud schemes, according to a Bloomberg report from 2022, which found at the time that hackers had obtained user information from customers of Apple, and Facebook and Instagram-owner Meta, by filing fraudulent emergency data requests. Snap, the maker of Snapchat, and Discord were also reportedly targeted.
Apple, Google, Meta, and Snap, which store huge amounts of customers’ personal and private data, collectively receive tens of thousands of emergency data requests every year.
Bloomberg reported in 2022 that some of the fraudulent emergency data requests date as far back as early 2021, and were carried out by groups of mostly teenagers and young adults, such as Recursion Team, and later, Lapsus$, which went on to hack into some of the world’s largest companies, including Uber.
The FBI said in its advisory that law enforcement organizations should take steps to improve their cybersecurity posture to prevent intrusions, including stronger passwords and multi-factor authentication. The FBI said that private companies “should apply critical thinking to any emergency data requests received,” given that cybercriminals “understand the need for exigency.”