Some hackers have found an efficient way to retrieve someone’s personal data: they pose as an agent who urgently needs the information ‘for a matter of life or death’.
The method is as simple as it is ingenious. A formal request for information from a social network or other technology company must normally go through a court petition. But in life-or-death cases that procedure takes too long, and the company is asked to pass on the information in advance.
Security researcher Brian Krebs discovered that this is where things go wrong. With the help of hacked e-mail accounts of police officers, criminals can credibly and successfully send such data requests.
No concrete cases are mentioned, but the providers of such accounts promote the option to request data from Snapchat, Apple, Uber, Instagram, and others. Krebs notes that such accounts can be bought for a few hundred dollars on hacker forums. The risk the buyer takes is enormous, but the method requires little technical knowledge.
In practice, they can request virtually anything, such as chat logs, sent or received photos, or locations. Tech companies are usually quick to respond to such an Emergency Data Request (EDR): they do not want a delay on their part to lead to someone’s death, so they skip internal processes.
The problem appears to be primarily, but not exclusively, in the US. Krebs notes that there are some 18,000 different police forces in the country alone, so tech companies receive such requests from all quarters, with only the e-mail address to legitimize a request as coming from a police force.