A hacker using the name "Internet Yiff Machine" claims to have breached P3 Global Intel (a law enforcement tip intelligence platform operated by Navigate360, a US safety and school security company) and stolen 93 gigabytes of data containing more than 8 million confidential tips submitted by members of the public to police departments, federal agencies, and school safety hotlines. Navigate360 confirmed it is investigating a potential network incident but declined to confirm the breach's scope. Straight Arrow News, which first reported the incident, independently corroborated the data's authenticity by contacting tipsters whose information appeared in the leaked material. Distributed Denial of Secrets received a copy of the data and stated it would make it available to established journalists and researchers. The FBI declined to comment.

What Happened

On March 18, 2026, "Internet Yiff Machine" published a statement claiming they had compromised P3 Global Intel (described on Navigate360's website as the "leading provider of innovative tips and leads solutions" for law enforcement, federal agencies, the military, and school safety initiatives) and exfiltrated 93GB of data containing over 8 million confidential tips.

The hacker accessed the system by taking over a P3 customer account through social engineering, then exploited a platform vulnerability to access and extract the broader tip database. The hacker's public statement included an explicit anti-law enforcement message warning the public not to submit tips to police; suggesting ideological motivation alongside or instead of financial motivation. No ransom demand has been reported.

Navigate360 issued a cautious statement acknowledging it was attempting to determine "whether we have experienced an incident involving our computer network and, if so, the extensiveness of the incident and the information involved"; the kind of hedged non-confirmation that typically precedes a full acknowledgment. The company hired a third-party investigator and declined further comment.

Straight Arrow News verified the data's authenticity by independently contacting individuals whose tip details appeared in the dataset; confirming this is not fabricated or synthetic data. Distributed Denial of Secrets, which archives material from hacks and leaks for journalist access, confirmed it received the dataset and would provide access to vetted media and researchers.

The FBI declined to comment. The scale of law enforcement agencies and school districts affected by the breach has not been publicly enumerated.

What Was Taken

93 gigabytes of data, claimed 8+ million confidential tips

P3 Global Intel aggregates tips submitted through law enforcement hotlines, anonymous tip systems, school safety reporting platforms, and public-facing law enforcement contact portals. The data held by P3 is not generic contact form submissions; it is specifically curated threat intelligence submitted by citizens with the explicit expectation of confidentiality and law enforcement use.

Likely data categories within the tip dataset: - Tipster identity information: names, phone numbers, email addresses, and potentially physical addresses of individuals who submitted tips - Tip content: the actual information submitted: alleged criminal activity, named suspects, described incidents, locations - School safety reports: tips submitted through school safety platforms including reports of bullying, threats, mental health concerns, and weapons - Law enforcement agency metadata: which agencies received which tips, timestamp data, case reference numbers - Federal agency submissions: tips directed to federal law enforcement and military safety channels

The most sensitive element is the combination of tipster identity plus tip content. Anonymous tiplines exist precisely because individuals who report criminal activity, gang violence, domestic abuse, or school threats face potential retaliation if identified. The confidentiality of the tipline is the precondition for participation. That confidentiality is now destroyed for 8 million submissions.

The school safety component is independently alarming; students, parents, and teachers who reported credible threats to school safety reporting systems had their identities and reports exposed.

Why It Matters

This is a direct threat to human safety, not just data privacy. The difference between this breach and a standard PII data breach is that the compromised data identifies people who provided information about criminal activity to law enforcement. Tipsters who reported gang members, domestic abusers, drug operations, or violent individuals are now potentially identifiable to the very people they reported. Retaliation against witnesses and informants is documented and lethal. This breach has real-world physical safety consequences for real people; not in the abstract, but in specific cases where named suspects can now identify who reported them.

The anti-cooperation chilling effect may outlast the breach. The hacker's explicit message, "Don't do the dirty work for the pigs", telegraphs the intended secondary effect: eroding public trust in anonymous tip systems. If the public believes that tip submissions are not actually confidential, future cooperation with law enforcement hotlines will decline. School safety platforms in particular depend on students' willingness to report threats; a trust that is difficult to rebuild once broken.

School safety data is in the dataset. Navigate360 operates school safety platforms including "P3" school tip systems used by school districts across the US. Educators, school counselors, parents, and students who submitted reports about school threats, bullying, or mental health crises through these platforms are in the dataset. The exposure of student-related safety reporting carries additional legal implications under FERPA and other student data protection statutes.

Navigate360's customer base is the law enforcement and school safety sector. This is not a consumer breach; the customers whose accounts were exploited are law enforcement agencies and school districts. The compromised data represents the aggregated tip flow of every P3 customer, potentially spanning hundreds of agencies and districts nationwide. The blast radius is proportional to P3's market penetration, not just the initial access point.

Distributed Denial of Secrets distribution amplifies reach. DDoSecrets making the dataset available to "established journalists and researchers" means the data will be analyzed, reported on, and potentially published in ways that Navigate360 and law enforcement cannot control. Tipsters will be identified; some by name in news stories, some by context that narrows identity even without direct naming.

The Attack Technique

The hacker's own account is the most detailed attribution available: account takeover via social engineering, followed by vulnerability exploitation to access the broader database.

Step 1: Social engineering to take over a P3 customer account. The initial access was not a technical exploit against Navigate360's perimeter; it was a social engineering attack targeting a P3 customer (a law enforcement agency or school district). The hacker convinced someone at that customer organization to provide access, reset credentials, or otherwise facilitate account takeover. This is the same initial access pattern documented in ShinyHunters' recent campaigns (vishing, credential phishing) and Scattered Spider's 2023-2024 telecom/hospitality campaigns.

Step 2: Vulnerability exploitation to pivot from the customer account to the broader database. Once inside the P3 platform as a legitimate customer, the hacker identified and exploited a platform-level vulnerability (likely a privilege escalation, insecure direct object reference (IDOR), or broken access control) that allowed access to other customers' data or the global tip database beyond what that customer account should have been able to see. This is an authorization failure at the application level: a customer account should only see their own tips, not 8 million tips from other customers.

The combination is a two-stage attack: social engineering for initial access, application vulnerability for privilege escalation. Neither stage required penetrating Navigate360's network perimeter in the traditional sense; the attacker entered through a legitimate customer account and exploited the platform's own logic flaws to expand access.

What Organizations Should Do

  1. Navigate360 customers (law enforcement agencies, school districts): notify tipsters immediately. Every agency or school district using P3 Global Intel should assume all tips submitted through the platform are compromised. Issue immediate notifications to any tipster you can identify through your own records. For anonymous tips where you do not have direct contact information, issue a public advisory through your communications channels warning that P3 platform tips may have been exposed and that individuals who submitted tips about serious criminal activity should contact the agency directly to assess their personal safety situation.

  2. Law enforcement agencies: assess and activate witness protection protocols for at-risk tipsters. For tips in your dataset that identified informants or witnesses reporting on violent criminal organizations, gang activity, or domestic violence; take proactive steps to contact those individuals and assess whether they face retaliation risk. Do not wait for a retaliation incident to occur. Work with your threat assessment and witness protection resources immediately.

  3. Platform providers holding sensitive third-party data: implement rigorous authorization controls between customer accounts. The fundamental vulnerability here, a customer account that can access other customers' data, is a broken access control failure. Every SaaS platform that aggregates sensitive data from multiple customers must enforce strict tenant isolation. Conduct an immediate audit: can a customer account in your system access data belonging to other customers through any API endpoint, IDOR, or parameter manipulation? This is a OWASP Top 10 issue that should be tested in every security assessment.

  4. Require MFA for all platform accounts holding law enforcement or government data. Social engineering account takeover is the documented initial access method here. A customer account that can be taken over through social engineering, presumably because MFA was not required or could be bypassed, should not have existed. All accounts with access to any platform holding law enforcement, government, or school safety data must require phishing-resistant MFA. No exceptions.

  5. Schools and school districts: review your school safety reporting platform contracts for breach notification obligations and data retention terms. Many school districts using third-party school safety platforms have not reviewed the vendor's breach notification procedures or data retention policies. After this incident, every district using a third-party safety reporting platform should: request a copy of the vendor's security assessment, confirm breach notification timeline commitments, and understand exactly what data the vendor retains and for how long. Under FERPA, schools have independent obligations regarding student data breaches.

  6. Individuals who submitted tips through any Navigate360 / P3 platform: assume your identity and submission are exposed. If you submitted a tip through a P3-powered tipline (including school safety apps, crime tip apps, or law enforcement anonymous tip portals) your submission and potentially your identity are in the compromised dataset. Be alert to unexpected contact from individuals who should not know you submitted a tip. Report any threatening or suspicious contact to law enforcement immediately. If you submitted a tip about serious organized crime or gang activity, consider contacting the relevant agency directly to discuss your safety.

Sources