Hello Alfred app exposes user data


Hello Alfred, an in-home hospitality app, left a database accessible without password protection, exposing almost 170,000 records containing private user data.

Hello Alfred is a one-stop application allowing real estate developers and property managers to provide in-home services and maintenance to residents. It also enables landlords to collect rent in-app.

Residents using the platform get an app-based personal assistant service for their apartments. A designated Hello Alfred employee handles the residents' home-related inquiries, such as managing weekly shopping, in-home delivery, or picking up dry cleaning.

ADVERTISEMENT

On September 19th, researchers discovered that the platform exposed sensitive user data. The leaked information included:

  • First and last name
  • Email address
  • Phone number
  • Home address
  • Authentication tokens
  • Private notes
  • App signup details, such as dates, IPs, cookies, and user agents
  • Partial payment information for paid users – including the last four digits of credit card numbers, expiry month/year, and Stripe IDs

The owners of the app were informed about the leak and secured access almost immediately. Cybernews contacted the company for an official comment but received no reply at the time of writing.

Launched nine years ago, the New York-based platform has publicly raised $56.5 million in funding and operates in over 20 cities in the US. In 2018, business magazine Fast Company selected the company as one of the Top 50 Most Innovative Companies in the World.

Hello Alfred data leak
Source: Cybernews

Passwordless database

The cause of the data leak was a publicly accessible MongoDB, a document-orientated database program. According to Bob Diachenko, the CEO of SecurityDiscovery and who first identified the leak, at least three IP addresses of the same database were left passwordless and indexed by public search engines.

The exposure of sensitive data, including user names, contact information, authentication tokens, private notes, and partial payment information in a resident management software application raises significant concerns about user privacy and security.

ADVERTISEMENT
Hello Alfred data leak
Source: Cybernews

If the threat actors had taken advantage of the free access to Alfred’s user data, they could have potentially exploited it in various ways, including fraud, identity theft and impersonation. This makes the data breach a serious threat to both users and the application's integrity.

The data leak greatly increases the risk of spearphishing attacks, as attackers could leverage user contact details and partial payment information to craft targeted attack campaigns, leading to financial scams. The four last digits of the credit card could potentially trick a victim into revealing the remaining banking information.