Date: 2022-04-29

"I know that emergency data requests get used in real life-threatening emergencies every day, and it is tragic that this mechanism is being abused to sexually exploit children. Police departments are going to have to focus on preventing account compromises with multifactor authentication and better analysis of user behavior, and tech companies should implement a confirmation callback policy as well as push law enforcement to use their dedicated portals where they can better detect account takeovers."

Major technology companies have been duped into providing sensitive personal information about their customers in response to fraudulent legal requests, and the data has been used to harass and even sexually extort minors, according to four federal law enforcement officials and two industry investigators.

The companies that have complied with the bogus requests include according to three of the people. All of the people requested anonymity to speak frankly about the

The fraudulently obtained data has been used to according to the six people.

The tactic is considered by law enforcement and other investigators to be the

It is particularly unsettling since the attackers are successfully

The tactic is impossible for victims to protect against, as the according to the people.

It's not clear how often the fraudulent data requests have been used to sexually extort minors. Law enforcement and the technology companies are still trying to assess the scope of the problem. Since the requests appear to come from legitimate police agencies, it's difficult for companies to know when they have been tricked into giving out user data, the people said.

Nonetheless, the law enforcement officials and investigators said it appears the method has become more prevalent in recent months. Alex Stamos, a former chief security officer at Facebook who now works as a consultant, said:

A Google spokesperson said:

workers review every data request for "legal sufficiency and use advanced systems and processes to validate law enforcement requests and detect abuse," a spokesperson said. Similarly, Rachel Racusen, a spokesperson, said the company carefully reviews each request it gets from law enforcement "to ensure its validity and have multiple safeguards in place to detect fraudulent requests."

spokesperson said they validate all emergency requests.

Emergency requests typically don't include a court order signed by a judge, so companies are usually under no legal obligation to provide data.
But it is

Last month, Bloomberg News reported that the parent company of Facebook,

At that time, three people familiar with the matter said the fake requests appeared to be

The exact method of the attacks varies, but they tend to follow a general pattern, according to the law enforcement officers.

Then, the attacker will forge an "emergency data request" to a technology company, seeking information about a user's account, the officers said.

The attackers have used the information to according to the people. Many of the perpetrators are believed to be teenagers themselves based in the U.S. and abroad, according to four of the people.

If the victims don't comply with the demands, the attackers have used several harassment techniques to retaliate, according to the people.

One technique that has been deployed is called

In multiple instances, underage women have been swatted at their homes and schools, the federal law enforcement officials said.

Another approach, called including phone numbers and physical addresses of victims and their family members, online. The information, which is sometimes obtained in part by fraudulent legal requests, is usually posted on sites dedicated to doxxing, which essentially serve as an open invite for other people on the site to harass the victim.

In addition, perpetrators have threatened to according to the people.
In a few instances, the victims have been pressured to carve the perpetrator's name into their skin and share photographs of it, according to the law enforcement officials and online chat transcripts reviewed by Bloomberg.

The problem of forged legal requests is prompting companies to think of new ways to verify legitimate legal requests, according to a dozen people who are familiar with the matter.

Matt Donahue, founder of Kodex, which creates software for companies to manage legal requests.

In a statement last month, a Democrat from Oregon, said he was requesting information from technology companies about the practice of forged legal requests.

Allison Nixon, chief research officer at the cybersecurity firm Unit 221b, said adding that juvenile hackers are causing serious harm.