The FBI has issued a warning that hackers are exploiting emergency data requests—designed to assist law enforcement in life-or-death situations—to extract private user data, such as emails and phone numbers, from major U.S.-based tech companies. The alert reveals that hackers are infiltrating police and government email accounts to submit these requests fraudulently.
In a rare public statement, the FBI acknowledged an increase in fraudulent emergency data requests (EDRs), noting a rise in criminal discussions online about abusing this process. According to the agency, hackers have been increasingly active since August, accessing compromised U.S. and foreign government email accounts to pose as law enforcement and submit fake emergency requests to tech firms, which then unknowingly release private data.
Typically, when law enforcement needs private user information—such as emails, messages, or other personal data—there are legal steps to follow. Most data requests require court approval, with police needing to demonstrate probable cause of criminal activity to obtain a search warrant. However, emergency data requests bypass this requirement, intended only for urgent situations where waiting for a court order could endanger someone’s life or property. Cybercriminals are exploiting these emergency procedures by submitting fraudulent requests, taking advantage of tech companies’ efforts to cooperate in time-sensitive scenarios.
The FBI’s advisory also notes that some hackers have openly posted about gaining access to law enforcement email accounts from 2023 through 2024, using them to create authentic-looking subpoenas and other legal demands for user data. By doing so, hackers successfully requested usernames, emails, phone numbers, and other sensitive details. While not every fraudulent request was granted, several high-profile companies, including Apple, Google, Meta, and Snap, were affected by similar schemes, according to reports from Bloomberg in 2022.
In some instances, the fraudulent requests included urgent, fabricated scenarios, such as allegations of human trafficking or claims that an individual’s life was at imminent risk. These scare tactics often resulted in the companies releasing private user data to hackers posing as police.
Hackers frequently misuse this information for harassment, doxing, and financial fraud. A 2022 Bloomberg report highlighted that groups such as Recursion Team and Lapsus$ have employed these techniques since 2021, often targeting tech giants like Uber and Meta. Given the vast amount of sensitive data stored by companies like Apple and Meta, tens of thousands of EDRs are processed annually.
The FBI has urged law enforcement to strengthen cybersecurity practices, recommending strong passwords and multi-factor authentication to prevent unauthorized access to email accounts. Additionally, the FBI advises companies to carefully scrutinize emergency data requests, given that hackers increasingly leverage urgency to bypass verification.
