On June 17th I discovered a dataset that contained a massive number of records clearly related to a real estate and home sale brokerage company. There were a total of 30.7 million files that were publicly exposed without password protection. The database contained many records that referenced property owners, physical addresses, and names, and appeared to be internal records. The security token files were named eCorcoran, and there were many other indications that the database likely belonged to The Corcoran Group.
I immediately sent a responsible disclosure notice to Corcoran and left a voice message for their CTO. I never received a reply and didn’t check back to see whether they secured the database after my notice. Several months later, on September 8th, I discovered the same dataset, and this time it contained evidence of the malicious “Meow Bot,” which seems to have no purpose except to destroy data.
The database had remained unprotected and publicly accessible for nearly 4 months. Nearly all of the records I had seen back in June were gone, and I can only speculate that this was most likely the work of Meow Bot. There were still monitoring logs that could have contained potentially sensitive information or internal records. I decided to report my findings again so that they were aware of the extent of the exposure before the Meow Bot attack and could perhaps notify the affected individuals.
Not the First Time The Corcoran Group Suffered a Major Data Incident
On September 18th, 2019, a Forbes article said that “cyberterrorists hacked into the systems of The Corcoran Group. These criminals sent confidential financial information regarding the company’s operations to every agent in the firm.” Unfortunately, it appears that cyber security is often overlooked in offline or organic industries. I believe that any industry that gathers and collects data online is in some way a technology company and must take every possible step to protect its employees, clients, and partners. Companies that have a major data incident are usually very unlikely to have another security issue because of the attention and resources they dedicate to cyber security and data protection.
Unfortunately, any data exposure has real-world risks, and real estate is a targeted area for high-stakes fraud. What was most surprising to me is that my multiple responsible disclosure notices to several people in leadership positions and phone calls to their CTO’s voicemail were not taken seriously or even given a response. In the previous case they claimed they were hacked, but in my discovery they simply left the back door open for anyone with an internet connection and a web browser.