ADVERTISEMENT

Real estate app leaking thousands of user records and sensitive private messages

The CyberNews research team uncovered an unsecured Amazon Simple Storage Service bucket of confidential user chat logs belonging to Tellus, a US-based software company.

real estate application on smartphone
Edvardas Mikalauskas
Edvardas Mikalauskas Senior Researcher
May 27, 2020 Updated: 28 September 2021 2 min read

How we found the Tellus app bucket

What’s in the data bucket?

  • 16,861 user records, including 3,194 verified property owner records and 1,294 verified tenant records stored in separate files
  • Chat logs of private messages between thousands of Tellus platform users, including landlords, tenants, building managers, investors, and Tellus support staff between early 2018 and January 2020
  • Tens of thousands of timestamped property owner transaction records
  • Detailed tenant lead and payment records, including transaction metadata
  • Full names of users, including verified tenants and property owners
  • Traceable user IDs used in transaction records and other logs
  • Email addresses
  • Phone numbers
Example of leaked user records
ADVERTISEMENT
  • Full names of the parties involved in the conversation
  • Rent amounts and dates when they are due
  • Tenants’ rented home addresses
  • Case charges and court dates
  • Tenant document scans
  • Screenshots of sensitive images, including other conversations on social media
Example of leaked private messages
Example of leaked tenant lead messages
Example of leaked transaction records

Who had access?

What’s the impact?

  • Blackmailing both tenants and landlords by threatening to publicize the sensitive content found in their private messages and transaction logs
  • Using the information found in private messages to mount targeted phishing attacks, hack online bank accounts, and engage in identity theft
  • Spamming emails and phones
  • Brute-forcing the passwords of the email addresses 
  • Brute-forcing the passwords of the Tellus accounts and stealing the funds therein
ADVERTISEMENT