Real estate app leaking thousands of user records and sensitive private messages

by Edvardas Mikalauskas
27 May 2020

Additional reporting by Bernard Meyer

The CyberNews research team uncovered an unsecured Amazon Simple Storage Service bucket of confidential user chat logs belonging to Tellus, a US-based software company.

Tellus is a software company based in Palo Alto, California, backed by “well-known investors” that aims to “reimagine Real Estate for the modern era.” The company’s app portfolio includes the Tellus App, a real estate loan, management and investing program. Its target users are American landlords and tenants, who can receive and pay rent money and keep all of their ownership- and rent-related data, such as rental listings, personal information, and correspondence between tenants and landlords, in one place.

The data bucket in question contains a folder with 6,729 CSV files related to the Tellus app that include the app’s user records, chat logs, and transaction records left on a publicly accessible Amazon storage server.

How we found the Tellus app bucket

We discovered the exposed data by scanning through open Amazon Simple Storage Service (S3) buckets, which are online servers that can be used to store data for websites, apps, archives, IoT devices, and more.

Amazon S3 buckets are also known for being challenging to secure, leaving many servers unprotected – and often in the news. 

We identified Tellus as the owner of the database and notified the company about the leak. As of May 15, the data bucket security issue has been fixed by the Tellus security team and the data is no longer accessible. 

What’s in the data bucket?

The unsecured and unencrypted Amazon S3 bucket contains, among other things:

  • 16,861 user records, including 3,194 verified property owner records and 1,294 verified tenant records stored in separate files
  • Chat logs of private messages between thousands of Tellus platform users, including landlords, tenants, building managers, investors, and Tellus support staff between early 2018 and January 2020
  • Tens of thousands of timestamped property owner transaction records
  • Detailed tenant lead and payment records, including transaction metadata

All of this data is conveniently stored in spreadsheet format that can be easily opened, read, and downloaded by anyone who knows what to look for.

The exposed user records contain:

  • Full names of users, including verified tenants and property owners
  • Traceable user IDs used in transaction records and other logs
  • Email addresses
  • Phone numbers

Example of leaked user records:

The private messages in the chat logs and tenant lead files contain not only the texts of the conversations themselves, but also deeply sensitive content attached therein, including:

  • Full names of the parties involved in the conversation
  • Rent amounts and dates when they are due
  • Tenants’ rented home addresses
  • Case charges and court dates
  • Tenant document scans
  • Screenshots of sensitive images, including other conversations on social media

Example of leaked private messages:

Example of leaked tenant lead messages:

Example of leaked transaction records:

This means that, in the worst-case scenario, leaving the Tellus S3 bucket unsecured and unencrypted might have led to the continued exposure of data belonging to the entire Tellus user base over a period of up to two years, from 2018 to 2020.

Who had access?

The exposed data was hosted on an Amazon Simple Storage Service (S3) server located in the US. It is currently unknown how long the data was left unprotected, and we assume that anyone who knew what to look for could have accessed the data bucket without needing any kind of authentication during the unspecified exposure period.

With that said, it is unclear whether any malicious actors accessed the unsecured data bucket before it was closed by Tellus.
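
The two conditions reported above, a bucket readable without authentication and without encryption, are visible from the owner's side in the bucket's ACL, policy, Block Public Access settings and default-encryption configuration. The following Python check is an added example, not code from CyberNews or Tellus; `audit_bucket`, the sample bucket name and the sample values are constructed, and the input dictionaries are assumed to have the shape of the corresponding S3 API response bodies.

```python
import json

# ACL grantee group URIs that S3 treats as "everyone" / "any AWS account".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone, unauthenticated",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_wildcard(principal):
    # True for Principal "*" or {"AWS": "*"} (also when "*" sits inside a list).
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    return "*" in _as_list(principal)

def audit_bucket(acl, policy_json, pab, encryption):
    """Return a list of findings for one bucket's configuration (hypothetical helper)."""
    pab = pab or {}
    findings = []
    for grant in acl.get("Grants", []):
        who = PUBLIC_GROUPS.get(grant.get("Grantee", {}).get("URI"))
        if who and not pab.get("IgnorePublicAcls"):
            findings.append(f"ACL grants {grant['Permission']} to {who}")
    statements = json.loads(policy_json).get("Statement", []) if policy_json else []
    for stmt in _as_list(statements):
        public = stmt.get("Effect") == "Allow" and _is_wildcard(stmt.get("Principal"))
        # RestrictPublicBuckets limits a public policy to the owner account and AWS services.
        if public and not pab.get("RestrictPublicBuckets"):
            note = " (has Condition, review by hand)" if stmt.get("Condition") else ""
            findings.append(f"policy allows {_as_list(stmt.get('Action'))} to '*'{note}")
    missing = [k for k in PAB_KEYS if not pab.get(k)]
    if missing:
        findings.append("Block Public Access off for: " + ", ".join(missing))
    if not (encryption or {}).get("Rules"):
        findings.append("no default server-side encryption rule")
    return findings

# Constructed sample: a world-readable, unencrypted bucket (bucket name is made up).
EXPOSED = dict(
    acl={"Grants": [{"Grantee": {"Type": "Group",
         "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]},
    policy_json=json.dumps({"Statement": [{"Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}),
    pab=None, encryption=None)

if __name__ == "__main__":
    print("\n".join(audit_bucket(**EXPOSED)))
```

With all four Block Public Access settings enabled and a default encryption rule present, the same ACL and policy produce no findings.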

What’s the impact?

While numbers-wise this might not appear like a major leak, the impact on the nearly 17,000 Americans whose records were exposed could be significant if certain data was made publicly available.

Here’s how attackers might use the information found in the Tellus S3 bucket against the exposed users:

  • Blackmailing both tenants and landlords by threatening to publicize the sensitive content found in their private messages and transaction logs
  • Using the information found in private messages to mount targeted phishing attacks, hack online bank accounts, and engage in identity theft
  • Spamming emails and phones
  • Brute-forcing the passwords of the email addresses 
  • Brute-forcing the passwords of the Tellus accounts and stealing the funds therein

While the exposed Tellus S3 bucket does not contain any easily accessible files specifically dedicated to storing truly sensitive data like credit card details or social security numbers, a determined attacker would find people’s photos, personal document scans, utility bill details, and even crime-related data simply by reading the private messages, which they then could use for a wide variety of malicious purposes.
