Hacktivist breaches private security app Citizen

A hacker in a darkened room with digital maps and computer equipment
(Image credit: Shutterstock)

A hacker has posted 1.7 million records owned by private security app Citizen on the dark web.

The hacktivist, who identified themselves as a member of the loosely coupled Anonymous collective, scraped data en masse from Citizen-owned systems. Citizen collects and publishes information about crimes happening in real time.

The data set included logs of police activity in different cities and the metadata from videos uploaded to the app. It also included links to 1.5 million videos stored on the company's servers, representing 70TB of footage, reported Motherboard.

Launched in 2016, Citizen began as Vigilante, an app that harvested emergency radio calls and documented where crime was happening in real time. Apple initially pulled it from the app store for allegedly encouraging vigilante activity, but it relaunched the following year. It now includes the ability for users to live stream incidents and report emerging crime events themselves.

The hacker, who posted the data on a dark website titled The Concerned Citizen's Citizen Hack, scraped it by analyzing how the website stores videos and finding the original files on an AWS S3 bucket. They used the same API as Citizen's app to retrieve the ID of the crime incident linked to the video file and downloaded the incident data in bulk. The videos in the S3 bucket reportedly included some tagged for removal by moderators but were still accessible via a direct link.

Citizen responded that all the scraped information was already publicly available on the company's website.

RELATED RESOURCE

Protecting your dispersed workforce

Cyber security in the new normal

FREE DOWNLOAD

The hacker's dark website also includes contact tracking data from Citizen, which operates its own COVID-19 contact tracking app called SafePass. In a major privacy stumble, the company reportedly exposed tracking data to the public by mistake, including self-reported symptoms and test results, linked to their Citizen usernames.

This month, Citizen was in the news after a live stream from the app with over a million views sparked a manhunt in California. The app showed the name and photo of a man believed to have started a wildfire, but he turned out to be innocent. In May, Motherboard discovered the company had been testing the idea of a private security force after vehicles branded with the Citizen logo were photographed in Los Angeles.

Danny Bradbury

Danny Bradbury has been a print journalist specialising in technology since 1989 and a freelance writer since 1994. He has written for national publications on both sides of the Atlantic and has won awards for his investigative cybersecurity journalism work and his arts and culture writing. 

Danny writes about many different technology issues for audiences ranging from consumers through to software developers and CIOs. He also ghostwrites articles for many C-suite business executives in the technology sector and has worked as a presenter for multiple webinars and podcasts.