Hacktivist breaches private security app Citizen

Hacker leaks data from app detailing 1.7 million public safety incidents

A hacker has posted 1.7 million records owned by private security app Citizen on the dark web.

The hacktivist, who identified themselves as a member of the loosely coupled Anonymous collective, scraped data en masse from Citizen-owned systems. Citizen collects and publishes information about crimes happening in real time. 

The data set included logs of police activity in different cities and the metadata from videos uploaded to the app. It also included links to 1.5 million videos stored on the company's servers, representing 70TB of footage, reported Motherboard.

Launched in 2016, Citizen began as Vigilante, an app that harvested emergency radio calls and documented where crime was happening in real time. Apple initially pulled it from the app store for allegedly encouraging vigilante activity, but it relaunched the following year. It now includes the ability for users to live stream incidents and report emerging crime events themselves.

The hacker, who posted the data on a dark website titled The Concerned Citizen's Citizen Hack, scraped it by analyzing how the website stores videos and finding the original files on an AWS S3 bucket. They used the same API as Citizen's app to retrieve the ID of the crime incident linked to the video file and downloaded the incident data in bulk. The videos in the S3 bucket reportedly included some tagged for removal by moderators but were still accessible via a direct link.

Citizen responded that all the scraped information was already publicly available on the company's website.

Related Resource

Protecting your dispersed workforce

Cyber security in the new normal

how to protect remote workersDownload now

The hacker's dark website also includes contact tracking data from Citizen, which operates its own COVID-19 contact tracking app called SafePass. In a major privacy stumble, the company reportedly exposed tracking data to the public by mistake, including self-reported symptoms and test results, linked to their Citizen usernames.

This month, Citizen was in the news after a live stream from the app with over a million views sparked a manhunt in California. The app showed the name and photo of a man believed to have started a wildfire, but he turned out to be innocent. In May, Motherboard discovered the company had been testing the idea of a private security force after vehicles branded with the Citizen logo were photographed in Los Angeles.

Featured Resources

2021 Thales access management index: Global edition

The challenges of trusted access in a cloud-first world

Free download

Transforming higher education for the digital era

The future is yours

Free download

Building a cloud-native, hybrid-multi cloud infrastructure

Get ready for hybrid-multi cloud databases, AI, and machine learning workloads

Free download

The next biggest shopping destination is the cloud

Know why retail businesses must move to the cloud

Free Download

Recommended

Marsh McLennan reveals its cyber risk analytics center
risk management

Marsh McLennan reveals its cyber risk analytics center

15 Oct 2021
MirrorBlast phishing campaign targets financial companies
phishing

MirrorBlast phishing campaign targets financial companies

15 Oct 2021
£100 contactless payment limit could place shoppers at risk, warn industry experts
Policy & legislation

£100 contactless payment limit could place shoppers at risk, warn industry experts

15 Oct 2021
Hackers used MSHTML exploit a week before patches were ready
zero-day exploit

Hackers used MSHTML exploit a week before patches were ready

14 Oct 2021

Most Popular

Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans
Laptops

Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans

11 Oct 2021
Cleaning up legacy IT to drag big tobacco into the future
digital transformation

Cleaning up legacy IT to drag big tobacco into the future

12 Oct 2021