Millions Trusted Crime Stoppers With Their Safety, and the Platform Was Quietly Logging Them

"Anonymity" is one of those words that can mean anything depending on who's using it. A platform can plaster it across its homepage, repeat it in sales materials, and write it into its terms of service without actually building a single technical commitment to back it up. While, in theory, the word should carry a lot of weight, it really is free, and the architecture is optional.

Hackers calling themselves "THE INTERNET YIFF MACHINE" have breached P3 Global Intel, the Texas-based company powering Crime Stoppers tip lines for thousands of law enforcement agencies, schools, and federal departments across the United States. The millions of people who trusted the platform with sensitive, sometimes life-threatening information are now finding out what "anonymous" actually meant in practice.

The stolen cache contains more than 8.3 million records spanning February 1987 to November 2025, including tips, user account details, and customer support requests. DDoSecrets co-founder Emma Best has named it BlueLeaks 2.0, placing it in the same lineage as the exposés that revealed COINTELPRO and the documented failures of Fusion Centers.

The Feature They Forgot to Mention

P3's sales material promises that "each tipster's identity will remain anonymous at all times." What the sales material does not mention is a feature called "Session Information Disclosure," an opt-in tool that allows P3's law enforcement clients to formally request the IP addresses and session data of anyone who submitted a tip. The data is stored for up to 90 days. It is available upon request.

The hackers exposed an internal page detailing this feature, marked confidential. There are no public guardrails on how clients can use it. A police officer reported for misconduct through an anonymous tip could, in principle, submit a formal request and obtain the identity of whoever reported them, and that tipster would have no idea it happened because they were told their anonymity was guaranteed.

A de-anonymization tool sold as an anonymity platform, with no public guardrails, is the entire story. And when it comes to such sensitive matters, it’s nothing short of a disaster.

What the Breach Actually Exposed

The 8.3 million stolen records contain names, dates of birth, home addresses, phone numbers, Social Security numbers, license plate numbers, and criminal histories, mostly belonging to people accused by tipsters rather than the tipsters themselves. But personal information from tipsters who shared it also appears throughout the data.

Four federal departments, Defense, Homeland Security, Justice, and the Interior, paid P3's parent company, Navigate360, nearly $1.3 million between 2020 and 2025. User accounts for ICE, the Secret Service, the IRS, and the Department of Agriculture appear in the breach. The military is described as the largest federal client.

The pattern repeats across all 8.3 million records. A California resident who tipped off police about a Sinaloa cartel family explicitly begged for secrecy, saying that if they had found out it was a tip, they would know where it came from. An Army enlistee who reported a sexual assault by her recruiter was told she'd have to identify herself to be taken seriously. A seventh-grade bullying victim had his full name preserved across his school safety file. And on it goes, for 8.3 million entries.

More than 30,000 schools fed data into this system, alongside thousands of law enforcement agencies. Every one of those institutions passed along the same promise P3 made to everyone, that their identity was protected.

DDoSecrets has long warned about fusion centers and privatizing these systems, specifically the endless retention of data, largely unregulated information sharing, and the failures to protect the identities of the people these platforms claim to serve. Well, now we have some firsthand proof that they were right.

The 20-Year Clean Record That Wasn't

Navigate360 had published a statement asserting its tools had "never been breached or compromised in any manner over the past 20 years." The hackers cited this line directly in the note accompanying the data dump. The company did not respond to multiple calls and emails from Straight Arrow News. Its public security page states it "always complies with various laws and frameworks."

The more urgent concern, as Best flags, is what happens when financially motivated or state-backed hackers get there next, because this breach shows exactly what is sitting in P3's servers and exactly how sensitive it is. The tipsters who made the reports did so believing the platform's guarantee. Except that guarantee was marketing copy sitting on top of an unencrypted database, and any actor with the right motivation now knows what's inside.

DDoSecrets has long warned about fusion centers and privatizing these systems, specifically the endless retention of data, largely unregulated information sharing, and the failures to protect the identities of the people these platforms claim to serve. Well, now we have some firsthand proof that they were right.