Hacktivists have leaked millions of anonymous tips submitted by Crime Stoppers informants. A massive 91.53GB dataset, dubbed BlueLeaks 2.0, has been made available to journalists and researchers by transparency collective DDoSecrets, which says tipsters were never anonymous.
The public uses the P3 platform to share information with Crime Stoppers programs. It is a subsidiary of Navigate360, a private company that runs tip-reporting infrastructure for law enforcement fusion centers and tens of thousands of schools across the US and internationally.
The crime reporting services are marketed under several names, including Crimeline in Florida and P3 Tips.
Hacktivists claim that the company suffered a massive breach.
On Wednesday, Distributed Denial of Secrets (DDoSecrets), a nonprofit whistleblower site, released 91.53GB of data for researchers and journalists. The data allegedly contains “millions of submissions and tips about alleged crimes and terrorist acts made over several decades.”
“The data comes from the apps and infrastructure of P3, which is used by intelligence and law enforcement agencies across the United States and in several other countries, as well as tens of thousands of schools,” DDoSecrets claims on its website.
The leak was named “BlueLeaks 2.0,” after the landmark BlueLeaks hack from 2020, which exposed 269GB of internal US law enforcement data from over 200 agencies.
“We are currently working to determine whether we have experienced an incident involving our computer network and, if so, the extensiveness of the incident and the information involved. We have hired an independent third party to conduct a full forensic investigation to determine what has happened,” JP Guilbault, CEO of Navigate 360, told Cybernews.
“To this point, we have not confirmed that any sensitive information has been accessed or misused. The system in question continues to be fully operational.”
The company assures its highest priority is the privacy and security of the individuals and organizations it serves.
“We are determined to learn what happened here and depending on what we find, we will take appropriate action,” Guilbault added.
Is anonymity a lie?
The P3 platform is advertised as an anonymous way to share information with Crime Stoppers programs, law enforcement entities, schools, and large corporations worldwide.
“Your anonymity is protected at all times. In many cases, your information may be eligible for a reward offered by a local program,” the website reads.
If the claims about the leak are true, they shatter the illusion of anonymity.
“The dataset challenges some of the statements made by P3. While P3 says that the communications on the system are encrypted, the data was allegedly retrieved in plaintext,” DDoSecrets said.
“P3 also claims that the tip collection and messaging process is anonymous, but the data indicates that administrators are secretly given the ability to de-anonymize users.”
Emma Best, an American investigative journalist and whistleblower, a cofounder of DDoSecrets, released a statement claiming that BlueLeaks 2.0 provides “excruciating detail on the Orwellian Suspicious Activity Reports (SARs) and tip collection systems that seek to make everyone an informant.”
“For years, we’ve warned against fusion centers and privatizing these systems: the endless retention and largely unregulated information sharing by corporations, as well as the failures to actually protect the identities of both alleged victims and perpetrators,” Best said.
She warns that students at thousands of schools have a legitimate need to report safety concerns, but these “turnkey solutions,” feeding directly into Fusion Centers, instead put people at risk.
Fusion centers are intelligence-sharing collaborations between federal agencies and state and local police departments.
“We’re left with the task of safely handling the information while making it available to other journalists for study, and to worry about the likelihood of similar breaches committed by financially-motivated or state-backed hackers,” Best noted.
Who hacked P3?
DDoSecrets says they were provided with the data and attributes the breach to a group calling itself “INTERNET YIFF MACHINE.” This threat actor has no prior public record. Mikael Thalen, a tech reporter at Straight Arrow News, has also reportedly obtained the data.
According to a note left in the data by the threat actors, P3Tips is used by the US Air Force, ICE (Immigration and Customs Enforcement), Secret Service, Department of Justice, Army Counterintelligence, IRS Criminal Investigations, Homeland Security Investigations, State and county governments, and police.
DDoSecrets (Distributed Denial of Secrets) is a major and reputable source for leaks, sometimes called a successor to WikiLeaks. The nonprofit has published over 100 million leaked files from over 59 countries, including the original BlueLeaks.
Recently, it helped investigations on the white supremacist dating website WhiteDate, “Tinder for Nazis,” expose leaked data on backers of the UK Free Speech Union. The platform recently accidentally lost its original domain when it expired.
Extremely sensitive data
The Cybernews research team warns that a leak like this can be extremely sensitive.
“If anonymous tips can be traced back to individuals, via e.g., device metadata or other data available, this increases safety risks for informants,” it said.
“This leak could expose accusations that are not yet fully proven, which could cause harassment of potentially innocent people, and reputational harm in general.”
Our researchers worry that some tips likely involve students and minors, since these systems are widely used in schools.
“The data may reveal the workflows of tip systems, which can be exploited by malicious actors to potentially undermine investigations,” Cybernews researchers warned.
Updated on March 19th [09:34 a.m. GMT] with a statement from Navigate 360.
Unlock more exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked