Hackers are creative if nothing else.
Normally when police want data, they need to provide a subpoena or warrant, but that is not required in all cases.
If there is a risk of imminent harm – life or death – the police can simply ask a company for a customer's data, and the company is expected to comply. It could say no, but if it later turns out that the request really was a matter of life or death, it might be liable. And, from a PR standpoint, that would be really bad, too.
But there is really no way for the company to verify that the request is genuine or that the claims in it are real.
Big ISPs get bombarded by these requests.
So what do the hackers do?
They compromise a mailbox at some (usually smaller) law enforcement agency. Done right, there are no visible signs that this one mailbox has been hacked. Then, from that mailbox, they send an emergency data request (EDR) to the phone company or ISP.
Given that there are tens of thousands of police agencies around the country, and that the phone and Internet providers really don't want to spend money on a department whose only job is to verify these requests, the companies just hand over the data. Besides, they don't really care about protecting your information; the warrant requirement is just there to cover their posteriors.
Lapsus$, the group that hacked Okta and many others, offered a fake warrant and subpoena service for between $100 and $250 per request. The head of Lapsus$ is a 14-year-old kid. That probably gives you some idea that this is not that hard.
And there really is no easy fix. Credit: Brian Krebs