A mobile real estate app with roughly half a million users was apparently holding sensitive user data in an unprotected database, freely available for all who knew where to look.
The data held there contained enough information for hackers to mount identity theft attacks, phishing, and other social engineering fraud.
Researchers at Cybernews, who discovered the database in early November 2023, found that the MyEstatePoint Property Search app was backed by a publicly accessible MongoDB instance containing users’ names and passwords in plain text. The database also held email addresses, mobile phone numbers, cities, business descriptors, and signup methods.
Recycling passwords
“This comprehensive dataset poses severe risks as threat actors could exploit the exposed information for unauthorized access, identity theft, fraudulent activities, and potentially compromise the privacy and security of the affected individuals,” the team said.
The app was developed by an India-based software developer called NJ Technologies. Upon discovery, the researchers reached out to the company but received no reply, although the database was subsequently locked down.
Most of the users are Indian, the researchers added. While locking down the database is a welcome step, risks remain. First, it is not known whether any threat actors accessed the database before it was secured, or what they did with the information if they did. Many people reuse the same username/password combination across multiple services for convenience, so threat actors could use credentials obtained from MyEstatePoint Property Search to compromise those users’ accounts elsewhere.
By automating the process in a credential stuffing attack, threat actors can test the leaked username and password pairs against a myriad of other services quickly and efficiently; because the passwords were stored in plain text, no password cracking step is needed first. Users are generally advised not to reuse passwords across services and to choose a unique, hard-to-guess password for each one.
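The two technical points above, plain-text password storage and the credential reuse it enables, are illustrated in the following added example. It is not code from the article, from Cybernews or from NJ Technologies, and the user record in it is constructed for illustration. It contrasts the weak pattern (storing the password as typed) with salted scrypt hashing from the Python standard library, and shows why only the former hands an attacker a ready-made credential stuffing list.

```python
import hashlib
import hmac
import os

# Constructed sample record (illustrative values, not data from the breach).
SAMPLE_RECORD = {"email": "user@example.com", "password": "Summer2023!"}

# scrypt cost parameters. Kept modest (16 MiB) so the example runs quickly;
# production deployments should use the highest cost their login latency allows.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_LEN = 16
KEY_LEN = 32


def store_plaintext(record):
    """The weak pattern described in the article: the password is kept as-is.
    Anyone who dumps this row can replay the credential on other services."""
    return {"email": record["email"], "password": record["password"]}


def hash_password(password, salt=None):
    """Derive a salted scrypt hash; a fresh random salt per user means two
    users with the same password get different stored values."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt,
        n=SCRYPT_N,
        r=SCRYPT_R,
        p=SCRYPT_P,
        dklen=KEY_LEN,
    )
    # Store the parameters with the hash so they can be raised later.
    return {"salt": salt.hex(), "hash": digest.hex(),
            "n": SCRYPT_N, "r": SCRYPT_R, "p": SCRYPT_P}


def store_hashed(record):
    """The hardened pattern: only a salted, memory-hard hash is persisted."""
    return {"email": record["email"], "password": hash_password(record["password"])}


def verify_password(stored, candidate):
    """Re-derive the hash with the stored salt and parameters and compare in
    constant time, so a login check never needs the plain-text password on disk."""
    params = stored["password"]
    digest = hashlib.scrypt(
        candidate.encode("utf-8"),
        salt=bytes.fromhex(params["salt"]),
        n=params["n"],
        r=params["r"],
        p=params["p"],
        dklen=KEY_LEN,
    )
    return hmac.compare_digest(digest.hex(), params["hash"])


def replayable_credential(stored):
    """Return the (email, password) pair an attacker could feed straight into a
    credential stuffing tool, or None if the dump only yields a hash that would
    first have to be cracked at scrypt cost."""
    if isinstance(stored["password"], str):
        return (stored["email"], stored["password"])
    return None


if __name__ == "__main__":
    leaked = store_plaintext(SAMPLE_RECORD)
    hardened = store_hashed(SAMPLE_RECORD)
    print("plaintext row leaks:", replayable_credential(leaked))
    print("hashed row leaks:", replayable_credential(hardened))
    print("login with correct password:", verify_password(hardened, "Summer2023!"))
    print("login with wrong password:", verify_password(hardened, "Winter2023!"))
```

The stored parameters travel with each hash so the cost can be raised over time without invalidating existing users; they are re-hashed on their next successful login. Hashing alone does not stop reuse across services, which is why the reuse advice still stands, but it removes the attacker's ability to replay a dumped database directly.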