TechRadar
Sead Fadilpašić

Top Android real estate app leaks half a million user passwords online

A mobile real estate app with roughly half a million users was apparently holding sensitive user data in an unprotected database, freely available for all who knew where to look. 

The data held there contained enough information for hackers to mount identity theft attacks, phishing, and other social engineering fraud. 

Researchers at Cybernews, who discovered the database in early November 2023, found that MyEstatePoint Property Search had a publicly accessible MongoDB app containing users’ names and passwords in plain text. Furthermore, the database contained people’s email addresses, mobile phones, cities, business descriptors, and signup methods.

Recycling passwords

“This comprehensive dataset poses severe risks as threat actors could exploit the exposed information for unauthorized access, identity theft, fraudulent activities, and potentially compromise the privacy and security of the affected individuals,” the team said. 

The app was developed by an India-based software developer called NJ Technologies. Upon discovery, the researchers reached out to the team but got no feedback, although the database was subsequently locked down.

Most of the users are Indian, the researchers further added. While locking the database is a welcome step, there are still risks involved. First, we don’t know if any threat actors accessed the database beforehand, and if they did - what did they do with the information found there? It is common knowledge that many people often use the same username/password combination on multiple services, for convenience. In that case, threat actors could use the information obtained via MyEstatePoint Property Search to compromise other services, too. 

By automating the process in a brute-force attack, the threat actors could test the usernames and passwords across a myriad of services quickly and efficiently. Users are generally advised not to use the same passwords for multiple services, and to make sure their login credentials are impossible to guess.
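For developers, the storage-side counterpart to that advice is to never keep the password itself. The sketch below is an added example, not code from the app or from the researchers: it migrates a user document with a plaintext password to a salted scrypt hash, so a reused password cannot be read straight out of an exposed database. The field names and cost parameters are assumptions.

```python
import hashlib
import hmac
import os

# scrypt cost parameters (assumed for this example; tune for your hardware).
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2**14, 8, 1, 32


def hash_password(password, salt=None):
    """Return a storable record: per-user random salt plus scrypt digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return {"algo": "scrypt", "n": SCRYPT_N, "r": SCRYPT_R, "p": SCRYPT_P,
            "salt": salt.hex(), "hash": digest.hex()}


def verify_password(password, stored):
    """Recompute with the stored salt and parameters; compare in constant time."""
    digest = hashlib.scrypt(password.encode("utf-8"),
                            salt=bytes.fromhex(stored["salt"]),
                            n=stored["n"], r=stored["r"], p=stored["p"],
                            dklen=len(stored["hash"]) // 2)
    return hmac.compare_digest(digest, bytes.fromhex(stored["hash"]))


def migrate_user(doc):
    """Drop the plaintext 'password' field, adding a salted hash if none exists."""
    out = dict(doc)
    plaintext = out.pop("password", None)
    if plaintext is not None and "password_hash" not in out:
        out["password_hash"] = hash_password(plaintext)
    return out


# Constructed sample documents; field names are hypothetical, modelled on the
# kinds of data the article lists (name, email, mobile, city, signup method).
SAMPLE_USERS = [
    {"name": "Example User A", "email": "a@example.com", "mobile": "0000000000",
     "city": "Example City", "signup_method": "email", "password": "correct horse"},
    {"name": "Example User B", "email": "b@example.com", "mobile": "0000000001",
     "city": "Example City", "signup_method": "email", "password": "correct horse"},
]

if __name__ == "__main__":
    for user in (migrate_user(u) for u in SAMPLE_USERS):
        print(user["email"], user["password_hash"]["hash"][:16], "...")
```

Because each record gets its own random salt, the two sample users end up with different hashes even though they chose the same password.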

TechRadar Pro has contacted MyEstatePoint for comment.
