Massive 170K database filled to the brim with plaintext PII exposed

Last updated: 20 June 2025
Hackers, malware
Image by Cybernews.

An unencrypted and non-password-protected database containing over 170,000 records potentially belonging to a real estate management and investment company was left open for anyone to exploit.

Cybersecurity researcher Jeremiah Fowler stumbled upon a database filled with personally identifiable information (PII) that he presumed belonged to a real estate management company.

The database was a whopping 116.24 gigabytes and contained roughly 170,000 records.

ADVERTISEMENT

The exposed data includes:

  • Names
  • Dates of birth
  • Social Security numbers
  • Physical addresses
  • Email addresses
  • Employment-related documents – reprimands, firing, or resignations
  • Internal documents – management, security, incident reports, police reports, maintenance, reimbursements, and more.

From the sample of data that Fowler could get his hands on, he saw spreadsheets detailing motel employees’ PII, all in plain text.

This is particularly troubling since hackers can easily read this personal information, as it's not encrypted, and use it to commit identity theft, fraud, or orchestrate sophisticated phishing attacks.

Niamh Ancell BW Marcus Walsh profile jurgita justinasv
Don't miss our latest stories on Google News
Google News Follow us

“The database also showed property inspection reports, notices to vacate (evictions), employee terminations and demotion letters, petty cash statements, receipts, and expense reports (some of which contain the card type used to pay and its last four digits),” Fowler wrote on Website Planet.

Fowler expressed that this was one of the more interesting databases he’s come across in recent years, as the trove of information contained various documents, including reports of arrests, documents pertaining to medical issues, and images of damaged property.

Black Hat DEFCON
Image by Cybernews
ADVERTISEMENT

The records seemed to belong to a company based in California called Income Property Investments, which specializes in dealing with properties throughout the US.

While the records seemed to belong to this company, Fowler couldn’t tell whether the company or a third party managed the files.

A responsible disclosure notice was sent to Income Property Investments, and the database was restricted that same day.

Share
Post
Share
Share
Share
More from Cybernews
Saudi industrial services group breached, hackers claim
Estimating age with augmented cameras in tobacco shops is a no-go, CNIL says
Law enforcement authorities bust international Microsoft scam call center
JD Vance’s Disneyland vacation sparks outrage, mockery
Samsung may be turning jewelry into AI-driven devices
A simple radio hack can emergency stop any train in North America, researchers warn
ADVERTISEMENT
Leave a Reply

Your email address will not be published. Required fields are markedmarked