P3 Global Intel claims that it has “quickly become the new standard in tip management for Crime Stoppers programs, [Law Enforcement Agencies], and government agencies helping to solve and prevent crimes around the world.”
Its software does what it says on the tin: It accepts tips from the general public and then manages conversations between law enforcement and the tipper. Many of these tips are, by their very nature, extremely sensitive, and disclosure of the tip could imperil people’s lives. P3 promises on its websites that “your anonymity is protected at all times.”
But earlier this month, hackers calling themselves the, err, “Internet Yiff Machine” released 93GB of data that they claim was pilfered from P3’s tip-taking system.
(“Yiff” is, in the words of a Wikipedia article on the subject that I would NOT CLICK ON AT WORK due to its drawing of a cheetah with human genitalia, “a slang term used in the furry fandom to refer to pornographic content of anthropomorphic animal characters.”)
The data was sent to Straight Arrow News and to the Distributed Denial of Secrets (DDoS) leak archive. Given its sensitivity, DDoS is not releasing the data to the public, but it will make it available to “established journalists and researchers.”
In its write-up on the leak, Straight Arrow News noted that the archive “contains extensive personal data on people accused by tipsters: names, email addresses, dates of birth, phone numbers, home addresses, license plate numbers, Social Security numbers and criminal histories.” It also includes replies from investigators.
The software certainly doesn’t look very sophisticated; the Web version (there’s also an app) is a basic form with a file upload box and lots and lots of text fields, including “Gang Activity,” “Anyone Else Abusing Victim,” “Scars, Marks, Tattoos, Piercings,” “Where exactly is the weapon located?” and “How are drugs sold?”
I used P3’s own site to find the tips page for my local Philly “fusion center,” clicked “continue,” and was immediately sent to the “Greater Kansas City Crime Stoppers TIPS Hotline” instead. Not confidence-inspiring.
In its release note, Internet Yiff Machine says the data contains 8.3 million tips and that P3 lacked numerous security features, not even rate-limiting requests as hackers allegedly exfiltrated the entire database. “No joke, I sent over 8 million requests pulling all their data and didn’t encounter any issues whatsoever,” says the note.
The group expressed an anti-police ideology, saying that “EVERY COP PLAYS A ROLE IN FOLLOWING THE ORDER OF BILLIONAIRES, POLITICIANS, AND CORPORATIONS” and that “we are made of copper wire, motherboards, fur, and homosexuality. Fight the Fascists. Hack the police, the government, corporations and billionaires.”
Who knows what any of that means these days; the whole thing could well be some nation-state hack just using Internet-speak as cover for the real goal of stirring up division. Data does not appear to have been released publicly, though, so this really might be an old-school hacktivist attack.
Is the data leak legitimate? Navigate360, which owns P3, would not confirm that a breach had actually taken place, telling Straight Arrow News only that a digital forensics company has been hired to investigate. The company did not respond to my requests for an update now that a week has passed since the initial report.
Some agencies are already treating this like a real hack, however. Police in the city of Portland, Oregon, announced on March 19 that, “out of an abundance of caution, [we are] encouraging community members to temporarily refrain from submitting tips through the Crime Stoppers platform.”
Education Week even covered the story, since more than 35,000 schools use P3’s service—and thus the leaked data could be stuffed with information on suicide threats, bullying, and drugs. (The three top kinds of school tips, according to P3.)
