Pierluigi Paganini October 21, 2023

A threat actor is selling access to Facebook and Instagram’s Police Portal used by law enforcement agencies to request data relating to users under investigation.

Cyber security researcher Alon Gal, co-founder & CTO of Hudson Rock, first reported that a threat actor is selling access to Facebook and Instagram’s Police Portal.

The portal allows law enforcement agencies to request data relating to users (IP, phones, DMs, device info) or request the removal of posts and the ban of accounts.

The threat actor is offering access for $700, and it appears it can have more than one existing account for the portal.

Gal speculates that either Meta was the victim of a social engineered attack that tricked an employee into giving attackers access to the portal or the threat actor had credentials for a legitimate law enforcement account.

“I believe it is likely that Meta was social engineered into providing access to the threat actor using their official form.” Gal told Security Affairs. “Alternatively, credentials of a law enforcement official may have been obtained by threat actors, which provided them access to the portal”

The threat actor can abuse access to the portal for multiple purposes, including unauthorized data requests, enabling harassment and doxxing, fake law enforcement actions, and the risk of identity theft, all of which pose serious privacy and security concerns for users.

The access to the official META Law Enforcement Portal.
Grants access to the Subpoena submission portal that may be used to extrapolate personal information about any Facebook or Instagram user.

Below the announcement published by the threat actor on Breach Forums

“The following requests can be made through the portal:
 – Subpoena: Comprehensive information gathering that will give you access to all the data Meta has gathered on the target, including IP addresses, phone numbers, emails, direct messages, deleted posts*, device information, and more. Additional submission of fake papers will be required during the subpoena process. Court orders/search warrants, M.L.A.T.s, and seizure warrants (which may permit account takeover but have not yet been tested) are a few possible papers.

 – Emergency Data Request: Issued in situations where there is a significant risk to human life, this request type doesn’t require falsified paperwork but comes with a significantly lower success rate and less comprehensive information.

 – Post Removal/Account suspension: Applicable when a user’s post is in violation of any law, to any degree, where you may request that the user’s account be suspended or that their post be taken down.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Facebook)