Numerous Big Tech companies have been duped into providing customers' sensitive personal information that was used to harass and even sexually extort minors, according to federal law enforcement officials and industry investigators.
The companies deceived by fraudulent legal requests included Meta Platforms Inc., Apple Inc., Alphabet Inc.’s Google, Snap Inc., Twitter Inc. and Discord Inc., according to three sources, Bloomberg reported Tuesday.
Bloomberg cited four federal law enforcement officials and two industry investigators as sources.
The obtained data was used to target specific women and minors, Bloomberg reported. In some cases, victims were pressured into creating and sharing sexually explicit material and were threatened with retaliation if they refused, the sources said.
"I know that emergency data requests get used for in real life-threatening emergencies every day, and it is tragic that this mechanism is being abused to sexually exploit children," Alex Stamos, a consultant and former chief security officer at Facebook, told Bloomberg.
Bloomberg said the attackers successfully had impersonated law enforcement officers. It was not clear how often the fraudulent data requests were used to sexually extort minors.
Law enforcement and the technology companies were trying to assess the scope of the problem, which has become more prevalent in recent months.
Sources told Bloomberg that it was difficult for companies to know when they had been tricked into giving out user data because the requests appeared to come from legitimate law enforcement agencies.
"Police departments are going to have to focus on preventing account compromises with multifactor authentication and better analysis of user behavior," Stamos told Bloomberg, "and tech companies should implement a confirmation callback policy as well as push law enforcement to use their dedicated portals where they can better detect account takeovers."
A Google spokesperson said the company "uncovered a fraudulent data request coming from malicious actors posing as legitimate government officials" in 2021.
"We quickly identified an individual who appeared to be responsible and notified law enforcement," the spokesperson said. "We are actively working with law enforcement and others in the industry to detect and prevent illegitimate data requests."
Sources told Bloomberg that the method of the attacks varied, but they tended to start with the perpetrator compromising the email system of a foreign law enforcement agency.
The attacker then issued an "emergency data request" to a technology company, seeking information about a user’s account, the officers told Bloomberg.
Such requests are used by law enforcement to obtain information about online accounts in cases involving imminent danger such as suicide, murder, or abductions.
Four people told Bloomberg that many of the perpetrators were believed to be teenagers based in the U.S. and abroad.