Hacktivist breaches private security app Citizen

Hacker leaks data from app detailing 1.7 million public safety incidents

A hacker has posted 1.7 million records owned by private security app Citizen on the dark web.

The hacktivist, who identified themselves as a member of the loosely coupled Anonymous collective, scraped data en masse from Citizen-owned systems. Citizen collects and publishes information about crimes happening in real time. 

The data set included logs of police activity in different cities and the metadata from videos uploaded to the app. It also included links to 1.5 million videos stored on the company's servers, representing 70TB of footage, reported Motherboard.

Launched in 2016, Citizen began as Vigilante, an app that harvested emergency radio calls and documented where crime was happening in real time. Apple initially pulled it from the app store for allegedly encouraging vigilante activity, but it relaunched the following year. It now includes the ability for users to live stream incidents and report emerging crime events themselves.

The hacker, who posted the data on a dark website titled The Concerned Citizen's Citizen Hack, scraped it by analyzing how the website stores videos and finding the original files in an AWS S3 bucket. They used the same API as Citizen's app to retrieve the ID of the crime incident linked to the video file and downloaded the incident data in bulk. The videos in the S3 bucket reportedly included some that moderators had tagged for removal but that were still accessible via a direct link.

Citizen responded that all the scraped information was already publicly available on the company's website.

The hacker's dark website also includes contact tracking data from Citizen, which operates its own COVID-19 contact tracking app called SafePass. In a major privacy stumble, the company reportedly exposed tracking data to the public by mistake, including self-reported symptoms and test results linked to users' Citizen usernames.

This month, Citizen was in the news after a live stream from the app with over a million views sparked a manhunt in California. The app showed the name and photo of a man believed to have started a wildfire, but he turned out to be innocent. In May, Motherboard discovered the company had been testing the idea of a private security force after vehicles branded with the Citizen logo were photographed in Los Angeles.
