Real estate Android app leaks user passwords

The MyEstatePoint Property Search app leaked data on nearly half a million of its users, exposing their names and plain-text passwords, the Cybernews research team has found.

The all-in-one real estate app MyEstatePoint Property Search left a publicly accessible MongoDB server containing the sensitive details of its app users.

The app, developed by NJ Technologies, an India-based software developer, has over half a million downloads on the Google Play store and mainly serves the Indian market.

According to the team, the exposed server contained data on over 497,000 users, almost matching the number of times the app was downloaded.

We reached out to NJ Technologies for comment but have yet to receive a reply.

Sample of the leaked data.

The team discovered the publicly facing MongoDB server on November 6th and contacted the app’s developers but received no reply. However, the instance has since been closed off.

The exposed instance contained sensitive details of app users, such as:

  • First and last names
  • Email addresses
  • Plain-text passwords
  • Mobile phone numbers
  • City
  • Business descriptors
  • Signup methods

“This comprehensive dataset poses severe risks as threat actors could exploit the exposed information for unauthorized access, identity theft, fraudulent activities, and potentially compromise the privacy and security of the affected individuals,” the team said.

Scammers can use email addresses and plain-text passwords for various attacks. These include phishing attacks and matching these passwords to other online accounts connected to the same email address or phone number.

Since many people reuse the same passwords for different accounts, cybercrooks could theoretically escalate the type of data they can steal. If app users employ the same passwords on their email accounts, the cybercriminals could leverage data exposed via MyEstatePoint Property Search to access them.