
The Database Behind Every Camera on Your Street

June 3, 2026 | 18 min read

Cybersecurity

In November 2025, more than 35 stolen law enforcement passwords for Flock Safety appeared on Russian cybercrime forums. Those weren't credentials to one camera on one street. They were credentials to a shared national surveillance network photographing over 20 billion vehicles per month. Any one of them, in the wrong hands, could have run queries across cameras in thousands of cities.

That's not a hypothetical. It's documented. Senator Ron Wyden and Representative Ro Khanna wrote to the FTC calling Flock's cybersecurity practices "negligent." Flock confirmed that roughly 3% of its law enforcement customers had not enabled multi-factor authentication.

This post is for IT leads, ops managers, and business owners who already have a Flock account, or who are being asked to sign up for one. The goal isn't to tell you whether Flock is good or bad. It's to help you understand exactly what kind of system you're dealing with, what can go wrong, and what questions you should be asking before you hand anyone at your organization a login.

    It's a Database, Not a Camera

    Flock Safety was founded in 2017 and has raised over $950 million in venture capital, reaching a valuation of $7.5 billion as of early 2025. The company claims its technology helps solve roughly 10% of U.S. crime. That's a striking claim, and it's driven by scale: Flock cameras now operate in more than 5,000 communities across 49 states, photographing over 20 billion vehicles per month.

    The product looks like a camera. It's a solar-powered, pole-mounted device you might see at a neighborhood entrance or a strip mall parking lot. HOAs install them. Businesses install them. Police departments install them. But calling Flock a camera company is like calling Google a search box. The camera is just the input.

    What Flock actually sells is access to FlockOS, its centralized cloud platform where all that data lands, gets processed, and becomes searchable. Customers don't just get their own footage. They buy into a subscription data service. Think of a filing cabinet versus a shared Google Drive. A filing cabinet holds your stuff. A shared Google Drive holds everyone's stuff, and anyone with a login can search across all of it.

    Flock CEO Garrett Langley has been direct about this framing: the company "views the police department as our actual end-user." HOAs and businesses install the hardware; law enforcement runs the queries. The camera on your street corner isn't feeding a local DVR. It's feeding a national database.

    Flock's own marketing states that it "does not maintain a centralized database of license plate reader data across customers." The Electronic Frontier Foundation found something different: a single query through Flock's shared law enforcement network can reach more than 83,000 cameras spanning nearly the entire country. That is, by any reasonable definition, a centralized database. The EFF's finding and Flock's claim are in direct tension, and it's worth understanding which one describes the system you're actually using.

    Through Flock's National LPR Network (formerly branded TALON), law enforcement customers can search data captured by cameras in other cities and states. A police department in Georgia can query results from cameras in Texas. One search. One platform. The whole network. This is precisely what makes Flock powerful for legitimate crime-solving. It's also precisely what determines the blast radius when something goes wrong.

    Security practitioners use "blast radius" to describe how much damage a single intrusion can cause. The more interconnected a system, the more damage one compromised credential can do. In March 2021, hackers breached Verkada, a cloud-based camera company, and gained access to approximately 150,000 cameras, including those inside Tesla factories, hospitals, schools, and prisons, using a single compromised admin credential. The same architecture that made Verkada easy to manage made it easy to exploit. Flock runs on fundamentally similar principles, at a much larger scale.

    The Cameras Themselves Have Vulnerabilities

    Most conversations about Flock's security focus on the cloud platform: who has access, what data is retained, whether the database can be breached. Those are the right questions. But in the fall of 2025, security researcher Jon Gaines published a white paper that shifted the conversation. Gaines disclosed the bulk of the vulnerabilities in September 2025; MITRE assigned the CVEs in October; the findings broke into mainstream coverage in November following a viral video exposé. The attack surface, it turns out, starts with the hardware on the pole.

    Gaines documented 51 findings across Flock's device ecosystem, including its Falcon and Sparrow license plate cameras and its Raven gunshot detection microphones. Twenty-two of those findings were assigned CVEs by MITRE, with eight more pending. The vulnerabilities range from serious to critical.

    The most alarming is CVE-2025-59403. Flock cameras include an administrative API running on port 8080 with no authentication required. One of its endpoints is /adb/enable, which activates Android Debug Bridge over TCP. Anyone who can reach that endpoint gets a root shell on the device, with no password.

    Here's the attack chain against a device whose hotspot is already active. Connect to the hotspot using the default password, which is "security" and appears to be identical across devices. Hit the unauthenticated API endpoint. Get a shell. Gaines found over 900 Flock devices with their hotspot active and visible on Wigle.net, a public database of wireless networks. Against those devices, the attack requires only proximity, not physical contact.

    If the hotspot is off, an attacker would need to press a physical button on the device to wake it. That's the nuance in Flock's "physical access required" response, and it's not entirely wrong. But Gaines's point is that hundreds of devices in the wild had their hotspots left active, likely from factory testing or configuration oversights, making the proximity-only attack viable at scale without touching anything.

    Other findings compound the picture. CVE-2025-59409 documents development Wi-Fi credentials stored in cleartext in production LPR firmware. CVE-2025-47821 documents a hardcoded password in Gunshot Detection devices. CVE-2025-59407 documents a Java Keystore with a hardcoded password bundled in Flock's Android app, containing a private key. CVE-2025-59406 documents a cleartext Auth0 client secret hardcoded in the Android Pisco app. Flock disputes how exploitable some of these are in practice (its "physical access required" response). What isn't disputed is that the CVEs exist and are assigned.
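Three of the findings above are the same class of defect: a secret that should have been provisioned at runtime was instead baked into a shipped image. That class is cheap to check for before a device goes on your pole. The script below is an added example, not code from Gaines's paper, GainSec, or Flock: it walks a firmware image the way strings(1) does, flags key=value pairs whose key looks like a credential, scores the value's entropy, and looks for the 0xFEEDFEED magic that opens a Java KeyStore. The sample image, the key-name patterns and the minimum string length are constructed assumptions; point it at a real firmware dump and tune the patterns to what you find.

```python
import math
import re

# Constructed sample "firmware image": a few binary bytes around strings of the
# kind the CVEs above describe (cleartext Wi-Fi credentials, an OAuth client
# secret, a Java KeyStore header). This is NOT real Flock firmware.
SAMPLE_IMAGE = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 16
    + b"WIFI_SSID=dev-lab-ap\x00WIFI_PASSWORD=hunter2dev\x00"
    + b"\x00" * 8
    + b"AUTH0_CLIENT_SECRET=x7Qm9pL2aR4tY8uV1wZ3bN6cE5dF0gH9jK2mP4sT7v\x00"
    + b"\x00" * 8
    + b"\xfe\xed\xfe\xed\x00\x00\x00\x02"   # JKS magic 0xFEEDFEED + version 2
    + b"\x00" * 8
    + b"version=3.14.2\x00log_level=info\x00"
)

MIN_STRING_LEN = 8  # assumption: same default as strings(1) minus a little

# Key names that, paired with a value, usually mean a credential.
# Assumption: extend this list for the firmware you are actually looking at.
SENSITIVE_KEYS = re.compile(
    r"(?i)\b([A-Z0-9_]*(PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY)[A-Z0-9_]*)"
    r"\s*[=:]\s*(\S+)"
)
JKS_MAGIC = b"\xfe\xed\xfe\xed"


def printable_strings(data: bytes, min_len: int = MIN_STRING_LEN):
    """Yield (offset, text) for runs of printable ASCII, like strings(1)."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.start(), m.group().decode("ascii")


def shannon_entropy(s: str) -> float:
    """Bits per character. Random-looking secrets score high; words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def scan_image(data: bytes):
    """Return findings (dicts with offset and kind) sorted by offset."""
    findings = []
    for off, text in printable_strings(data):
        for m in SENSITIVE_KEYS.finditer(text):
            key, value = m.group(1), m.group(4)
            findings.append({
                "offset": off + m.start(),
                "kind": "credential",
                "key": key,
                "entropy": round(shannon_entropy(value), 2),
            })
    # A bundled keystore is worth a look even when its password is not nearby:
    # the private key inside is what matters.
    idx = data.find(JKS_MAGIC)
    while idx != -1:
        findings.append({"offset": idx, "kind": "jks_keystore"})
        idx = data.find(JKS_MAGIC, idx + 1)
    return sorted(findings, key=lambda f: f["offset"])


if __name__ == "__main__":
    for finding in scan_image(SAMPLE_IMAGE):
        print(finding)
```

The entropy score separates a developer's throwaway Wi-Fi password from a 40-character OAuth client secret; both are findings, but the high-entropy one is the one that unlocks a cloud tenant rather than a lab access point.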

    For organizations managing Flock hardware on their property, this is a different category of question than "who has admin access to the portal." It's a question about whether the physical device on your building is itself an attack surface.

    What's Actually in the Database

    To understand why a Flock breach would matter, it helps to inventory what the system holds.

    At the record level, each camera capture includes a license plate number, timestamp, GPS coordinates, and an image of the vehicle. Flock's AI adds a layer on top of that: a "vehicle fingerprint" that includes make, model, color, and physical identifiers like damage, bumper stickers, and roof racks. These attributes are all searchable. An attacker doesn't need a specific plate number. They can query for "blue Honda Accord with a bike rack, Atlanta, March."

    Aggregated at scale, the database contains HOA membership patterns: when residents arrive and leave, which vehicles are regular visitors, which cars show up at odd hours. It contains law enforcement query logs: which plates were searched, by which officer, and when. It contains cross-agency sharing records from the National LPR Network. For customers using Flock's Raven product, it also contains audio data from street-level gunshot detection microphones.

    Flock has also been expanding its product line. The ACLU noted in August 2025 that Flock is now selling full pan-tilt-zoom video surveillance cameras, not just license plate readers. That changes the data profile substantially. ALPR data tells you where a car was. A video camera tells you who was in it.

    One note on data accuracy: a 2025 ACLU of Iowa report cited a study finding that 1 in 10 ALPR reads contains an error. That means the database doesn't just hold sensitive data. It holds a meaningful volume of incorrect attributions. In a breach scenario, those errors don't get corrected. They get published.

    Too Many Keys

    A breach isn't the only risk. Insider access is often the more immediate one.

    Flock's access model is unusually wide by design. HOA board members, property managers, local police officers, neighboring departments via the National LPR Network, and Flock employees all have some level of access to the data. That's a long list. And there's no independent auditing requirement for who searches what, or why.

    The California State Auditor's 2020 review of ALPR programs found that many law enforcement agencies had no documented usage policies, no audit controls, and inadequate data security. That was for agencies with legal obligations and public accountability. Flock's access extends to private HOA boards and property managers who have neither.

    The insider threat isn't abstract. In late 2022, a Kechi, Kansas police officer was arrested on suspicion of using Flock Safety's ALPR database to stalk his estranged wife. He had access because his role gave him access. There were no controls in place to catch it until the behavior became undeniable. The EFF documented this case as a concrete example of how Flock's access architecture fails in practice.

    The November 2025 Wyden letter added another dimension, documenting two separate access failures. In one case, DEA task force members used a local detective's shared Flock credentials to run narcotics-related queries they weren't authorized to run on their own. In a separate finding, Wyden raised concerns about Flock data being accessed by immigration enforcement agencies including ICE and DHS. These are distinct problems, but they share the same root cause: a platform where credential sharing goes undetected and cross-agency access has no meaningful controls.

    If you manage software access for a team, the parallel is familiar. When 50 people have admin access to a SaaS platform and nobody is tracking who logs in or why, that's a structural failure. Not because every one of those people is a threat, but because the architecture makes it impossible to detect or contain the ones who are. Detailed activity logs and access audits exist precisely because trust alone isn't a security control.

    The principle of least privilege, granting access only to what's needed and only for as long as it's needed, is foundational security hygiene. Flock's architecture applies the opposite principle at national scale.

    The Promises Flock Makes, and What to Check

    Flock has made some real commitments on privacy. The company says it retains plate data for 30 days by default, does not sell data to third parties, and does not use facial recognition. Relative to what some competitors offer, these are meaningful positions. But there are important distinctions between a promise and a verifiable control.

    Here's how Flock's stated commitments hold up when you ask how each one is enforced:

    | Flock promise | Verifiable? |
    |---|---|
    | 30-day data retention | Self-reported default. Flock's own LPR Policy (updated Nov 2025) states this "may be increased or decreased on a case-by-case basis if a customer's law or policy requires a different schedule." Not universally enforced. |
    | No facial recognition | Self-reported; no independent audit published. |
    | Encryption | Disputed. Flock claims "end-to-end encryption," but Flock employees can access customer data, which means it is encryption in transit and at rest, not true end-to-end encryption by the technical definition. |
    | No data sales to third parties | Self-reported; no public SOC 2 report or independent audit available as of this writing. |
    | Customer-controlled access | Partially accurate. Customers manage their own user lists, but Flock employees retain platform-level access. The Wyden letter documented federal agencies using local credentials to run queries, which suggests the access model is not solely customer-controlled in practice. |

    The acquisition question matters too. Flock is backed by Andreessen Horowitz, Tiger Global, and Meritech Capital, among others. Investors eventually want liquidity. What happens to data retention policies when Flock is acquired? The 30-day retention commitment lives in Flock's current terms of service, not in a law, and not in your contract unless you specifically negotiated it.

    State breach notification laws also generally apply only to defined categories of personal information (Social Security numbers, financial account numbers, and the like). In most states, license plate and location data don't qualify, so a private ALPR company that is breached may have no legal obligation to notify the cities, HOAs, or individuals whose data was exposed. That's a gap that applies to the platform category as a whole, not just Flock, but it's worth understanding before you sign.

    What This Means for Your Organization

    If your organization operates in any of the 5,000-plus communities where Flock is deployed, your employees' vehicles are probably already in the database. That's not something you opted into. It's a consequence of where your office is.

    But if your organization has a Flock account (retail, property management, healthcare and logistics are common cases), then you're managing credentials that provide access to a national surveillance database. That changes the stakes on questions you should already be asking about any SaaS tool with access to sensitive data.

    Start with a five-question internal audit:

    1. Who has admin access to the Flock portal? Pull the full user list, not from memory.
    2. Are those credentials in a password manager, or floating in a shared spreadsheet or email thread?
    3. Is MFA enforced for every user? Given that stolen Flock credentials appeared on criminal forums in 2025, this is not optional. The Wyden letter makes clear that Flock was not requiring it.
    4. What's your offboarding process when someone with Flock access leaves? Not the general offboarding checklist. The specific step for Flock.
    5. When did you last review the full list of who has access? If the answer is "never" or "I'd have to ask someone," that's the answer.
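Questions 1, 3, 4 and 5 can be answered from two exports most SaaS platforms provide: a user list and an activity log. The script below is an added example, not a Flock tool or a TeamPassword feature: it reads a constructed user export and a constructed activity log, flags admins without MFA, accounts that HR has offboarded but the platform still has active, accounts nobody has used in 90 days, and, from the log, accounts operated from two different networks minutes apart, which is what a task force passing around one detective's login looks like. The field names, the 90-day staleness threshold and the 15-minute sharing window are assumptions; map them to whatever your platform's exports actually contain.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample exports (not real data). Field names are assumptions.
USERS_CSV = """username,role,mfa_enabled,status,last_login
d.ortiz,admin,true,active,2026-05-28T09:12:00
j.smith,admin,false,active,2026-05-30T14:03:00
r.patel,viewer,true,active,2026-01-15T08:00:00
m.chen,admin,true,active,2026-05-29T11:45:00
t.baker,viewer,false,active,2026-05-30T16:20:00
"""

ACTIVITY_CSV = """timestamp,username,source_ip,action
2026-05-30T14:03:00,j.smith,203.0.113.10,login
2026-05-30T14:05:00,j.smith,198.51.100.7,login
2026-05-30T14:06:00,j.smith,198.51.100.7,plate_search
2026-05-30T14:09:00,j.smith,203.0.113.10,plate_search
2026-05-30T16:20:00,t.baker,203.0.113.22,login
2026-05-29T11:45:00,m.chen,203.0.113.5,login
"""

# People HR has offboarded. A still-active platform account for any of them is
# the "specific step for Flock" that the general checklist missed.
OFFBOARDED = {"t.baker"}

REVIEW_DATE = datetime(2026, 6, 1)          # assumption: date of the review
STALE_AFTER = timedelta(days=90)            # assumption: staleness threshold
SHARING_WINDOW = timedelta(minutes=15)      # assumption: two networks this close = shared


def load(csv_text):
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def detect_shared_use(events, window=SHARING_WINDOW):
    """Map username -> set of source IPs for accounts seen from two different
    IPs within `window`. One person rarely works from two networks minutes
    apart; a shared credential does exactly that."""
    by_user = {}
    for e in events:
        by_user.setdefault(e["username"], []).append(
            (datetime.fromisoformat(e["timestamp"]), e["source_ip"]))
    flagged = {}
    for user, seen in by_user.items():
        seen.sort()
        for (prev_t, prev_ip), (t, ip) in zip(seen, seen[1:]):
            if ip != prev_ip and t - prev_t <= window:
                flagged.setdefault(user, set()).update({prev_ip, ip})
    return flagged


def review_access(users, events, offboarded, now=REVIEW_DATE):
    """Return findings as (severity, username, reason), highest severity first."""
    findings = []
    for u in users:
        if u["status"] != "active":
            continue
        name = u["username"]
        mfa = u["mfa_enabled"].strip().lower() == "true"
        last_login = datetime.fromisoformat(u["last_login"])
        if name in offboarded:
            findings.append(("high", name, "offboarded but still active"))
        if u["role"] == "admin" and not mfa:
            findings.append(("high", name, "admin without MFA"))
        elif not mfa:
            findings.append(("medium", name, "no MFA"))
        if now - last_login > STALE_AFTER:
            findings.append(("medium", name, "no login in 90 days"))
    for user, ips in detect_shared_use(events).items():
        findings.append(("high", user,
                         "used from %d networks within minutes: %s"
                         % (len(ips), ", ".join(sorted(ips)))))
    rank = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: (rank[f[0]], f[1]))


if __name__ == "__main__":
    for severity, user, reason in review_access(load(USERS_CSV), load(ACTIVITY_CSV), OFFBOARDED):
        print("%-6s %-10s %s" % (severity, user, reason))
```

The shared-use check is the one worth keeping even if you automate nothing else: MFA and offboarding show up in a user list, but a credential being passed around only shows up in the log, and only if someone reads it.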

    If you're evaluating a Flock contract, consider asking:

    1. Can the data retention period be contractually enforced, not just policy-stated?
    2. Who at Flock has access to our camera data, and under what circumstances?
    3. What happens to our data if Flock is acquired?
    4. Is there a breach notification clause, and what's the required timeline?
    5. Is MFA mandatory for all users on our account, or just recommended?
    6. Are there audit logs of all queries run against our camera data?
    7. Can cross-agency access through the National LPR Network be restricted for our account?
    8. Has Flock completed a third-party penetration test in the last 12 months? Can we see the results?
    9. How does Flock handle the hardware vulnerabilities documented in the GainSec CVEs published in late 2025?
    10. What is the patch and firmware update process for cameras installed on our property?

    More broadly, Flock is a useful prompt for a vendor access audit. Which third-party platforms hold sensitive data about your employees, customers, or operations? Who has credentials to those platforms? When did you last review it? Role-based access controls and periodic access reviews aren't just good security practice. They're the only realistic way to stay ahead of this category of risk as your vendor footprint grows.

    The most dangerous credentials are often not the ones that feel dangerous. Not the bank login. The third-party SaaS tool that quietly accumulated sensitive data over two years and now has 30 people with admin access, no audit logs, and a vague offboarding checklist. Flock is a high-profile version of a problem that exists at every organization that uses cloud software.

    Frequently Asked Questions

    Does Flock delete data after 30 days?

    30 days is Flock's stated default, but it's not a hard rule. Flock's own LPR Policy (updated November 2025) states that the retention period "may be increased or decreased on a case-by-case basis if a customer's law or policy requires a different schedule." If 30 days matters to you, negotiate it into your contract explicitly.

    Can Flock employees access our camera data?

    Yes. Flock describes its system as using encryption, but Flock employees retain platform-level access. This is encryption in transit and at rest, not true end-to-end encryption, which would prevent anyone other than the sender and receiver from accessing the data. The Wyden letter documented federal agencies using local credentials to run queries without authorization, which suggests the access architecture is broader than it may appear.

    What happens to our data if Flock is acquired?

    The 30-day retention policy and other commitments live in Flock's current terms of service, not in a law. A new owner could change the policy. If this is a concern, ask for it to be addressed in your contract before signing.

    Which cities have removed Flock cameras?

    As of early 2026, a growing number of cities have begun removing Flock cameras or paused new deployments, primarily in response to concerns about immigration enforcement and data sharing with federal agencies. Amazon Ring also cancelled its partnership with Flock in February 2026. The situation is evolving. NPR and The Guardian have been covering city-level decisions in detail.

    Manage third-party access with TeamPassword

    The Flock situation is a concrete example of a risk that exists across every organization using cloud software: credentials to sensitive platforms accumulating across teams, with no central visibility into who has access or what they're doing with it. TeamPassword is built specifically for that problem.

    • Detailed Activity Logs — See who accessed which credential and when. Essential for periodic access reviews and any post-incident investigation, including the kind of insider misuse documented in the Flock cases above.
    • Enforceable 2FA — Mandate two-factor authentication across your organization. Given that stolen Flock credentials appeared on criminal forums in 2025, relying on passwords alone isn't enough.
    • Multiple User Roles — Grant access at the right level for each team member, so admin credentials aren't floating in a shared spreadsheet.
    • One-Time Share — Grant temporary credential access to a contractor or external partner without giving them permanent access you'll forget to revoke.

    Plans start at just $2.41 per user per month. Start your free trial →
