A MetaCity API Misconfiguration Exposed Every User's Real-Time 'Behavioral Risk Score' for 4 Hours — The Score Determines Which Districts Users Are Algorithmically Steered Away From

Between 2:00 AM and 6:11 AM EST, a misconfiguration in MetaCity's internal analytics API exposed a data field called BRS — Behavioral Risk Score — in the platform's public user profile response payload. The BRS is a real-time score between 0 and 100 computed by MetaCity's behavioral AI from a user's movement patterns, interaction history, content engagement, and flagged incident record. The score is used to algorithmically reduce the frequency with which certain districts appear in that user's navigation recommendations and event notifications. Users with high BRS scores are, without their knowledge, being quietly steered away from specific parts of the platform. For four hours this morning, every user could see their own score — and everyone else's — simply by querying any public profile.

MetaCity's navigation recommendation system — the algorithm that determines which districts, events, and locations appear in a user's suggested destinations panel — is one of the platform's most used features. Most users experience it as a helpful service: the platform learns what you enjoy and shows you more of it. The Behavioral Risk Score is the system that operates behind that helpful surface to make sure you never see certain things. The BRS is not an engagement optimization signal. It is a risk management signal. It is computed from the signals that MetaCity's behavioral AI associates with users who are likely to cause moderation problems in certain types of spaces — high-density social venues, contested district boundaries, platform events with known history of disruption. Users whose behavioral history produces a high BRS are quietly moved away from those spaces in their navigation suggestions, not because they have done anything wrong, but because the AI considers them likely to. For four hours this morning, this system was visible to anyone who looked.

The data exposure occurred because a developer working on the platform's user profile API included the BRS field in the profile response object during a debugging session and deployed the change to production without removing it. The field was labeled brs in the JSON response payload. For users familiar with the platform's data architecture, the label was immediately legible. The exposure was discovered and reported by a community developer at 2:14 AM, fourteen minutes after the deployment. MetaCity's security response team was notified and began working on the fix at approximately 2:45 AM. The field was removed from the public response at 6:11 AM — three hours and 26 minutes after MetaCity was notified. In that window, an estimated 600,000 BRS lookups were performed by users and automated tools querying the endpoint.

You've Been Scored. The Score Has Been Steering You. You Weren't Supposed to Know.

The scores that users found when they queried their own profiles ranged from 2 to 97. The distribution was not what many expected. Several prominent community figures with no moderation history found BRS scores in the 40s and 50s — moderate-risk classifications that would be meaningfully affecting their district navigation suggestions without their knowledge. One creator who has never received a moderation flag found a BRS of 67. She has since been examining her navigation history and believes she can identify districts that have been appearing less frequently in her suggestions over the past several months — districts where her peer community gathers and where she would have expected to see regular event recommendations. She did not notice their absence until she had a number that made her look. A BRS of 0 was found on accounts that had been on the platform for less than 30 days. The only accounts with BRS scores above 90 that were identified during the exposure window were accounts that had been subject to formal moderation actions.

MetaCity's statement at 6:30 AM described the incident as an 'inadvertent data exposure of an internal quality signal' and stated that the signal had been 'removed from public-facing systems.' The statement did not name the BRS. It did not describe what the signal measures or what it controls. It did not confirm that the system exists as anything beyond an anonymous 'internal quality signal.' This is the pattern that has characterized MetaCity's response to every AI system disclosure in the past three months: confirm the exposure, decline to name the system, and describe it in language generic enough that the description is technically accurate but informationally empty. The BRS is not a quality signal. It is a behavioral surveillance score that determines where you are algorithmically allowed to go on a platform you are paying to use. The word 'quality' does not appear anywhere in the 34-page governance document that describes it.