A mobile real estate app with about half a million users apparently stored sensitive user data in an unprotected database, freely available to anyone who knew where to look.
The data stored there contained enough information for hackers to mount identity theft, phishing and other social engineering fraud attacks.
Researchers at Cybernews discovered the database in early November 2023 and found that MyEstatePoint Property Search had a publicly accessible MongoDB database containing users' names and passwords in plain text. Additionally, the database included people's email addresses, cell phone numbers, cities, business descriptions, and sign-up methods.
Recycle passwords
“This extensive dataset poses serious risks as threat actors could misuse the exposed information for unauthorized access, identity theft and fraudulent activities and potentially compromise the privacy and security of affected individuals,” the team said.
The app is developed by an India-based software developer called NJ Technologies. After discovery, the researchers contacted the team but received no feedback – although the database was subsequently locked.
Most users are Indian, the researchers added. While locking the database is a welcome step, there are still risks involved. First, we do not know whether threat actors gained access to the database before it was locked, and if so, what they did with the information found there. It is common knowledge that many people use the same username/password combination on multiple services for convenience. In that case, threat actors could use the information obtained through MyEstatePoint Property Search to compromise other services as well.
By automating the process in a brute-force attack, threat actors can quickly and efficiently test the usernames and passwords against a large number of services. Users are generally advised not to use the same passwords for multiple services and to ensure that their login details are impossible to guess.
Ny Breaking has contacted MyEstatePoint for comment.