Security is all too often focused on keeping hackers out and breaches at bay. But in the case of Remine, a real estate intelligence startup, it left its doors wide open for anyone to run rampant.
Remine is a little-known but major player in the real estate analytics and intelligence market. It works by collecting and mining vast amounts of real estate data — from public listings to privately obtained data from brokers and real estate agents from across the United States. The company, which last year raised $30 million in its Series A to help expand its real estate data and intelligence platform, claims it has data “on 150 million properties across all 50 states.”
But that data was only a few clicks away from being easily accessible, thanks to a misconfigured system.
The misconfiguration was found in Remine’s development environment, which, although password protected, let anyone outside the company register an account and log in.
Thinking it was a secure space, Remine’s developers shared private keys, secrets and other passwords, which, if exploited by a malicious hacker, would have allowed access to the company’s Amazon Web Services storage servers, databases and also the company’s private Slack workspace.
Mossab Hussein, a security researcher at Dubai-based cybersecurity firm SpiderSilk, found the exposed system and reported the findings to TechCrunch so we could inform the company of the security lapse.
The exposed private keys, he said, allowed for full access to the company’s storage servers, containing more than a decade’s worth of documents — including title deeds, rent agreements and addresses of customers or sellers.
One of the documents seen by TechCrunch showed personal information, including names, home addresses and other personally identifiable information belonging to a rental tenant.
After TechCrunch reached out, Remine co-founder and chief operating officer Jonathan Spinetto confirmed the security lapse and said that its private keys and secrets had been replaced. Spinetto also said the company has notified customers with a letter, seen by TechCrunch, and that it has retained cybersecurity firm Crypsis to handle the investigation. The company will “assess and comply” with applicable data breach notification laws based on the findings of the investigation.
Remine escaped bruised rather than breached, a lesson to all companies, large and small, that even the smallest bug can be enough to wreak havoc.