Square Yards data leak: passports, financial data exposed

India’s largest real estate platform has exposed nearly 350M files, including customer and employee passports and financial documents.

On May 19th, Cybernews researchers stumbled upon a misconfigured Google Cloud Storage bucket with millions of files inside.

They managed to attribute it to Square Yards, an Indian platform that offers “an integrated consumer experience & covers the full real-estate journey.”

With 7,000+ employees, Square Yards is a large property technology (prop-tech) company, relying on data analytics and VR tools to help customers research, buy, sell, and manage real estate. It’s said to be India's largest integrated platform for real estate and mortgages.

The leak exposed over 350M files, including sensitive data of rental agreement parties, tenants, current company employees, and candidates. The misconfigured bucket included the following files:

  • Passports/IDs
  • Bank statements/payslips
  • Education history and university diplomas
  • Proof of employment
  • Filled in forms with banking information and personal details /KYC forms
  • Background screening
  • Recordings of client cold calls/WhatsApp chats
  • Candidates CV

The bucket has since been secured. However, even a brief exposure of sensitive data can have negative consequences since cybercriminals can discover open buckets in just a few seconds.

How does it affect me?

Real estate companies are of high interest to cybercriminals since they collect a wealth of data on property, investors, partners, lenders, and much more. With access to this information, criminals could launch sophisticated phishing campaigns or even deploy ransomware.

Since the bucket contained the personal information of clients and employees, it could lead to cases of identity theft.

Cybernews reached out to Square Yards to learn whether the affected parties were notified of the leak. However, we’ve yet to hear back from them.

If you’ve used the platform at any point or had any other type of partnership with the company, you should be wary of fraudulent emails and phone calls, as well as closely monitoring your financial statements.