Hacktivist breaches private security app Citizen
Hacker leaks data from app detailing 1.7 million public safety incidents
A hacker has posted 1.7 million records owned by private security app Citizen on the dark web.
The hacktivist, who identified themselves as a member of the loosely coupled Anonymous collective, scraped data en masse from Citizen-owned systems. Citizen collects and publishes information about crimes happening in real time.
The data set included logs of police activity in different cities and the metadata from videos uploaded to the app. It also included links to 1.5 million videos stored on the company's servers, representing 70TB of footage, reported Motherboard.
Launched in 2016, Citizen began as Vigilante, an app that harvested emergency radio calls and documented where crime was happening in real time. Apple initially pulled it from the app store for allegedly encouraging vigilante activity, but it relaunched the following year. It now includes the ability for users to live stream incidents and report emerging crime events themselves.
The hacker, who posted the data on a dark website titled The Concerned Citizen's Citizen Hack, scraped it by analyzing how the website stores videos and finding the original files on an AWS S3 bucket. They used the same API as Citizen's app to retrieve the ID of the crime incident linked to the video file and downloaded the incident data in bulk. The videos in the S3 bucket reportedly included some tagged for removal by moderators but were still accessible via a direct link.
Citizen responded that all the scraped information was already publicly available on the company's website.
Protecting your dispersed workforce
Cyber security in the new normalDownload now
The hacker's dark website also includes contact tracking data from Citizen, which operates its own COVID-19 contact tracking app called SafePass. In a major privacy stumble, the company reportedly exposed tracking data to the public by mistake, including self-reported symptoms and test results, linked to their Citizen usernames.
This month, Citizen was in the news after a live stream from the app with over a million views sparked a manhunt in California. The app showed the name and photo of a man believed to have started a wildfire, but he turned out to be innocent. In May, Motherboard discovered the company had been testing the idea of a private security force after vehicles branded with the Citizen logo were photographed in Los Angeles.
Consumer choice and the payment experience
A software provider's guide to getting, growing, and keeping customersDownload now
Prevent fraud and phishing attacks with DMARC
How to use domain-based message authentication, reporting, and conformance for email securityDownload now
Business in the new economy landscape
How we coped with 2020 and looking ahead to a brighter 2021Download now
How to increase cyber resilience within your organisation
Cyber resilience for dummiesDownload now