Some major tech companies have unwittingly opened harassment and exploitation opportunities to the women and children who they have pledged to protect. This happened because they provided information in response to emergency data requests from legitimate law enforcement accounts that hackers had compromised. This finding came from four federal law enforcement agencies and a couple of industry investigators.

Although the data provided was limited, it was enough for the hackers to work on and use to target and harass specific women or sexually extort minors. In some instances, the data was used to pressure victims to create and share more sexually explicit material or—in one sinister case—carve the perpetrator’s name into their skin and share photos of it.

Typically, no company is under any legal obligation to respond to emergency data requests as these don’t include court orders. However, it is accepted practice that tech companies comply with such requests as a sign of “good faith.”

Former Facebook Chief Security Officer (CSO) turned consultant Alex Stamos said in an interview with Bloomberg:

“I know that emergency data requests get used in real life-threatening emergencies every day. It is tragic that this mechanism is being abused to sexually exploit children.”

When victims refuse, they are subjected to swatting, doxxing, and other harassment techniques.

People close to the issue revealed that Apple, Alphabet (Google’s parent company), Discord, Meta (Facebook’s parent company), and Twitter were the companies who complied with the bogus requests. The data that was handed over varies per company but generally includes the name, IP address, email address, and physical address.

Law enforcement and investigators consider the tactic of exploiting legitimate channels as “the newest criminal tool” to acquire data from tech companies. This is unsettling in several ways. First, attackers can successfully impersonate police officers by compromising their agency’s email systems. Second, there is no way for tech companies to identify if such requests are fraudulent or not. Third, victims can’t protect themselves from such attacks unless they completely delete their accounts.

This tactic has become prevalent in recent months.

According to Stamos:

“Police departments are going to have to focus on preventing account compromises with multi-factor authentication and better analysis of user behavior, and tech companies should implement a confirmation callback policy as well as push law enforcement to use their dedicated portals where they can better detect account takeovers.”

Many believe that the perpetrators of these attacks are teenagers based in the US and also abroad. This is potentially based on their methods of retaliation against victims who resist them.

Unit 221b’s Chief Research Officer Allison Nixon told Bloomberg that law enforcement and the cybersecurity industry must prioritize threats led by underage perpetrators.

“We are now witnessing their transition to organized crime, and all the real world violence and sexual abuse that comes with it,” Nixon said. They are causing serious harm, so “we need to start treating them like adults,” she said—a sentiment echoed by many in the cybersecurity industry.