Real estate app leaking thousands of user records and sensitive private messages

Additional reporting by Bernard Meyer

The CyberNews research team uncovered an unsecured Amazon Simple Storage Service bucket of confidential user chat logs belonging to Tellus, a US-based software company.

Tellus is a software company based in Palo Alto, California, backed by “well-known investors” that aims to “reimagine Real Estate for the modern era.” The company’s app portfolio includes the Tellus App, a real estate loan, management and investing program. Its target users are American landlords and tenants who can receive and pay rent money, as well as keep all of their ownership and rent related data like rental listings, personal information, and correspondence between tenants and landlords in one place.

The data bucket in question contains a folder with 6,729 CSV files related to the Tellus app that include the app’s user records, chat logs, and transaction records left on a publicly accessible Amazon storage server.

How we found the Tellus app bucket

We discovered the exposed data by scanning through open Amazon Simple Storage Service (S3) buckets, which are online servers that can be used to store data for websites, apps, archives, IoT devices, and more.

Amazon S3 buckets are also known for being challenging to secure, leaving many servers unprotected – and often in the news. 

We identified Tellus as the owner of the database and notified the company about the leak. As of May 15, the data bucket security issue has been fixed by the Tellus security team and the data is no longer accessible. 

What’s in the data bucket?

The unsecured and unencrypted Amazon S3 bucket contains, among other things:

• 16,861 user records, including 3,194 verified property owner records and 1,294 verified tenant records stored in separate files
• Chat logs of private messages between thousands of Tellus platform users, including landlords, tenants, building managers, investors, and Tellus support staff between early 2018 and January 2020
• Tens of thousands of timestamped property owner transaction records
• Detailed tenant lead and payment records, including transaction metadata

All of this data is conveniently stored in spreadsheet format that can be easily opened, read, and downloaded by anyone who knows what to look for.

The exposed user records contain:

• Full names of users, including verified tenants and property owners
• Traceable user IDs used in transaction records and other logs
• Email addresses
• Phone numbers

Example of leaked user records:

The private messages in the chat logs and tenant lead files contain not only the texts of the conversations themselves, but also deeply sensitive content attached therein, including:

• Full names of the parties involved in the conversation
• Rent amounts and dates when they are due
• Tenants’ rented home addresses
• Case charges and court dates
• Tenant document scans
• Screenshots of sensitive images, including other conversations on social media

Example of leaked private messages:

Example of leaked tenant lead messages:

Example of leaked transaction records:

This means that, in the worst-case scenario, leaving the Tellus S3 bucket unsecured and unencrypted might have led to the continued exposure of data belonging to the entire Tellus user base over a period of up to two years, from 2018 to 2020.

Who had access?

The exposed data was hosted on an Amazon Simple Storage Service (S3) server and located in the US. It is currently unknown for how long the data was left unprotected, and we assume that anyone who knew what to look for could have accessed the data bucket without needing any kind of authentication during the unspecified exposure period.

With that said, it is unclear if any malicious actors have accessed the unsecured data bucket until it was closed by Tellus.

What’s the impact?

While numbers-wise this might not appear like a major leak, the impact on the nearly 17,000 Americans whose records were exposed could be significant if certain data was made publicly available.

Here’s how attackers might use the information found in the Tellus S3 bucket against the exposed users:

• Blackmailing both tenants and landlords by threatening to publicize the sensitive content found in their private messages and transaction logs
• Using the information found in private messages to mount targeted phishing attacks, hack online bank accounts, and engage in identity theft
• Spamming emails and phones
• Brute-forcing the passwords of the email addresses 
• Brute-forcing the passwords of the Tellus accounts and stealing the funds therein

While the exposed Tellus S3 bucket does not contain any easily accessible files specifically dedicated to storing truly sensitive data like credit card details or social security numbers, a determined attacker would find people’s photos, personal document scans, utility bill details, and even crime-related data simply by reading the private messages, which they then could use for a wide variety of malicious purposes.