Hackers tricked multiple large companies, including Apple, Meta and Discord, into turning over user data by complying with fake emergency data requests (EDR) seeming to come from official sources.
Companies that deal with private user information usually comply with law enforcement requests. There's often a warrant behind such requests, but there are exceptions, and criminals take advantage by tricking companies into thinking they are dealing with the police. It turns out that it's a much bigger problem than it appears.
Security journalist Brian Krebs was the first to report on this significant issue. He talked with various hackers who explained just how common these tactics are. One of them even explained how an EDR was sent to Discord to unveil details on an 18-year old person from Indiana.
Companies usually verify requests from law enforcement, but they don't have specific tools for it. Most of the time, employees see that the request comes from a valid domain and respond with the data within 30 minutes.
Unfortunately, hackers compromise legitimate law enforcement email accounts, which are then used to send these requests, making them look legit.
"While our verification process confirmed that the law enforcement account itself was legitimate, we later learned that it had been compromised by a malicious actor," Discord told Krebs. "We have since conducted an investigation into this illegal activity and notified law enforcement about the compromised email account."
But Discord was not the only target. According to a Bloomberg investigation, both Apple and Meta and other companies have been targeted with such requests since early 2021. The EDRs arrive from compromised law enforcement accounts and are accompanied by forged signatures and real names. The investigation revealed that both Apple and Meta have complied with fake requests, although the companies aren’t commenting on it.
Incidents such as companies revealing personal information after complying with fake emergency requests are one of the reasons why people should be aware when their information leaks or lands on the darknet. A privacy-focused service that helps you take control and manage your digital self can help speed the recovery process and prevent any further financial damages. Bitdefender's Digital Identity Protection tool can help you manage your digital footprint and practice good cyber hygiene.
Subscribers receive real-time data breach notifications with easy-to-use one-click resolve items to shut down privacy threats alongside a complete mapping of their digital persona and even a way to sniff out any potential social media impersonators.