An unprotected database belonging to Real Estate Wealth Network was left accessible from the internet for an unknown period, vpnMentor reports.
Founded in 1993 and based in New York, Real Estate Wealth Network is an online real estate education platform that provides subscribers with access to courses, training materials, and a community.
Discovered by cybersecurity researcher Jeremiah Fowler, the unprotected database was 1.16 terabytes in size, containing more than 1.5 billion records.
“The data was organized in various folders according to: property history, motivated sellers, bankruptcy, divorce, tax liens, foreclosure, home owner association (HOA) liens, inheritance, court judgments, obituary (death), vacant properties, and more,” the researcher says.
Within the folders, the researcher found details on property owners, investors, and sellers, as well as logging records spanning between April and October 2023 and containing names, addresses, phone numbers, email addresses, device information, and details on the files the user had accessed.
The exposed information, Fowler says, pertained to millions of individuals, including celebrities and politicians, such as “Kylie Jenner, Blake Shelton, Britney Spears, Floyd Mayweather, Dave Chappelle, Elon Musk & Associates LLC, Dolly Parton, Mark Wahlberg, Nancy Pelosi, and others”.
“I was able to see their street address, purchase price and date, mortgage company, mortgage loan amount, tax ID numbers, taxes owed, paid, or due, and other information,” Fowler says.
The researcher reported the finding to Real Estate Wealth Network, which immediately blocked public access to the database and confirmed ownership a few days later.
Fowler notes that he could not determine for how long the database was exposed to the internet and who might have accessed it, pointing out that only an internal forensic audit could reveal whether the information might have been accessed or downloaded.
The researcher points out that while property tax records in the US are considered semi-public, full public access to ownership information is typically not available.
“When searching the database, I found my own property, my name, address, purchase date, and other details. I then checked my local county tax and revenue office to see if such data was publicly available and found that my local county does not offer this information online,” the researcher notes.
The exposure of this data, Fowler notes, poses potential risk to the personal privacy, safety, and security of celebrities and politicians, but could also lead to information misuse and to property and mortgage fraud.
“It is unknown how long the data was publicly exposed or even if anyone else may have accessed it. I am not saying individuals in the Real Estate Wealth Network database are at an imminent risk, I am only providing a hypothetical example of how real estate or other forms of fraud could happen using exposed ownership records and tax information,” the researcher notes.
Related: Misconfigured TeslaMate Instances Put Tesla Car Owners at Risk
Related: Misconfigured Public Cloud Databases Attacked Within Hours of Deployment
Related: Thousands of Mobile Apps Expose Data via Misconfigured Cloud Containers
