StopICE App Breach and SMS Alert Abuse via Downstream Carrier API
StopICE, an app used to track U.S. Immigration and Customs Enforcement (ICE) activity, reported a security incident after users received SMS messages urging them to uninstall the app. StopICE administrators attributed the activity to a “personal server” allegedly associated with a U.S. Customs and Border Protection (CBP) agent and said the attacker abused a downstream carrier API to spam users rather than compromising StopICE’s core systems. Public claims on social media alleged that attackers accessed and shared user data with law enforcement, including names, credentials, phone numbers, and location data; StopICE disputed holding most of that data and said the only potentially impacted population was users who opted into a “location assist” feature that collected geolocation to provide neighborhood-level alerts.
Separate reporting amplified allegations that over 100,000 users’ information (including GPS coordinates) was accessed and transmitted to U.S. federal agencies (FBI, ICE, HSI), and criticized StopICE leadership for allegedly not notifying users promptly. The same reporting period also included claims of a related compromise affecting another ICE-tracking app, Eyes Up, where attackers alleged the backend database lacked authentication and that they accessed/altered stored videos; no confirmation from Eyes Up was cited. Overall, the incident highlights risks from third-party messaging/telecom integrations and the potential safety impact of exposing activist-related location data, even when only a subset of users enable location-based features.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
StopICE says hack was carried out by 'a CBP agent here in SoCal'
A Risky Business roundup reported that StopICE blamed the breach on 'a CBP agent here in SoCal.' The same item also referenced a claimed SMS intimidation campaign against the app, allegedly conducted through a downstream carrier API.
Stolen StopICE user data is reportedly sent to FBI, ICE, and HSI
According to the same reporting, the intruders sent the allegedly stolen StopICE dataset to U.S. federal agencies including the FBI, ICE, and Homeland Security Investigations. Social media posts and Reddit discussions were cited as indications that multiple agencies received the data.
StopICE reportedly suffers breach exposing data of 100,000+ users
Reporting cited by DataBreaches says the anti-ICE activist app and website StopICE was compromised, exposing names, usernames, passwords, phone numbers, and detailed GPS/location data for more than 100,000 users. The exact breach date is not stated in the references.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
US Government Efforts to Identify Anti-ICE Activists and a StopICE Service Compromise
The US Department of Homeland Security has reportedly used **administrative subpoenas** to pressure tech companies to disclose identifying data about anonymous accounts and individuals critical of the Trump administration, including accounts sharing information about local **ICE immigration raids**. The reporting highlights that administrative subpoenas—unlike judicial subpoenas—do not require a judge’s approval and can seek metadata and account-identifying details (e.g., login times, devices, and associated email addresses), raising concerns about oversight and potential chilling effects on speech. Separately, the anti-ICE alert service **StopICE** reported its app and website were attacked, with users receiving texts claiming their information had been “compromised and sent to the authorities,” alongside disparaging messages about the developer. StopICE administrators and the developer disputed claims that sensitive personal data (names, addresses, GPS/location histories) was stolen, stating the service does not collect/store that information, while also noting the platform faces heavy hostile activity including frequent **DDoS** attempts; the service blamed a **US Customs and Border Protection (CBP)** agent for the attack, though that attribution was not independently confirmed in the reporting.
Mar 21, 2026
Large-Scale Data Exposures Driven by Misconfigured Cloud Datastores
Cybernews researchers reported multiple **data exposures caused by misconfigured back-end services**, including consumer mobile apps and a large unprotected database. Three widely downloaded Android AI photo identification apps—*Insect Identifier by Photo Cam*, *Dog Breed Identifier Photo Cam*, and *Spider Identifier App by Photo*—reportedly leaked more than **150,000** users’ data via a **Firebase misconfiguration** with inadequate authentication/access controls. Exposed data included email addresses, usernames, profile photos, notification tokens, and **GPS coordinates**; while passwords were not found, researchers noted the location data could enable stalking, doxxing, and targeted scams, and observed indications that automated bots had already discovered the exposed databases prior to the investigation. The apps were attributed to publisher **MobilMinds** (linked to **OZI Technologies**), and the developers reportedly did not respond to requests for comment. Separately, Cybernews identified an **unprotected Elasticsearch cluster** exposing approximately **8.7 billion records** associated with China, including names, birthdates, home addresses, national ID numbers, social media identifiers, usernames, and other account/platform details; the dataset also reportedly contained **plaintext credentials** and corporate/business records, suggesting long-term aggregation. The database’s ownership was not confirmed, but it was subsequently secured; researchers characterized the exposure as a systemic privacy risk potentially affecting hundreds of millions of individuals. Two additional items in the set describe individual bug-hunting writeups (e.g., bypassing mobile controls and abusing password reset/IDOR-style issues) but do not provide verifiable linkage to the specific Firebase/Elasticsearch exposures described above.
Mar 21, 2026
ICE Expands Use of Commercial and Technical Surveillance Data for Immigration Enforcement
U.S. Immigration and Customs Enforcement (**ICE**) is exploring expanded access to commercially available data from online advertising and technology brokers to support investigations, issuing a **Request for Information (RFI)** to understand the availability of personal, financial, location, and health data and how it could be provided to federal investigative entities. The effort is framed as market research rather than a direct procurement, and follows an earlier RFI seeking open-source intelligence and social media data to improve targeting for ICE’s Enforcement and Removal Operations. Privacy and civil liberties advocates warn that purchasing brokered data can function as a workaround to traditional warrant requirements, and point to proposed legislation such as the **Fourth Amendment Is Not For Sale Act** as a potential constraint on government acquisition of data that would otherwise require judicial authorization. Reporting on ICE’s broader deportation and enforcement posture describes the agency’s reliance on multiple surveillance technologies to identify and track individuals, including **cell-site simulators** (also known as *stingrays* / **IMSI catchers**) that impersonate cellular towers to locate and potentially identify nearby phones. The coverage also highlights legal controversy around enforcement tactics, including allegations of warrantless home entry that legal experts argue conflicts with **Fourth Amendment** protections. Separately, European policymakers are described as reassessing dependence on U.S. technology amid geopolitical tensions and sanctions risk, but that discussion is not specific to ICE’s surveillance or data-broker acquisition activity.
Mar 21, 2026