Real Estate Firm The Corcoran Group Exposed Vast Database Online
Secure Thoughts collaborated with Security Expert Jeremiah Fowler to expose a massive leak of property-owner and agent records by a luxury real estate firm. Here are his findings:
On June 17th I discovered a dataset that contained a massive number of records that were clearly related to a real estate and home sale brokerage company. There were a total of 30.7 million files exposed to anyone with an internet connection. Upon further investigation, I could see that there were many records that referenced property owners, physical addresses, and names, and appeared to be internal records. The security token files were named eCorcoran and there were many other indications that the database likely belonged to The Corcoran Group.
I immediately sent a responsible disclosure notice to Corcoran and left a voice message for their CTO. I never received a reply or response and didn’t check back to see if they secured the database after my notice. Several months later on September 8th, I discovered the same dataset and this time it contained evidence of the malicious “Meow Bot” that seems to have no purpose except to destroy data.
The database had remained unprotected and publicly accessible for nearly 4 months. Nearly all of the previous records I had seen back in June were gone and I can only speculate that this was most likely the work of Meow Bot. There were still monitoring logs that could have contained potentially sensitive information. I decided to report my findings again so that they were aware of the extent of the exposure before the Meow Bot attack.
This time I reached out directly to multiple senior contacts at the Corcoran Group’s parent company Realogy. Although they restricted public access shortly after my notice, I never received a response or acknowledgment from anyone from Corcoran real estate or Realogy.
Here is what I discovered:
- This database was set to open and visible in any browser (publicly accessible) and anyone could edit, download, or even delete data without administrative credentials.
- 30,721,534 Total Records Exposed
- Agent names, emails, password keys, security tokens, other internal records that should not be public.
- 72K Owner / Client data that included names, emails, property data
- Middleware and build information that could allow for a secondary path for malware.
- IP addresses, Ports, Pathways, and storage info that cybercriminals could exploit to access deeper into the network.
These images were from the original finding on June 17th:
This was after the evidence of Meow Bot that appears to have far less data.
What the database looked like before evidence of the Meow Bot attack, showing a large number of records.
Real estate is a targeted area for cybercrime due to the amount of money thieves could get if they can trick the victim into sending a deposit or even get them to share their banking information. According to the most recent data from the FBI, Americans in 2018 lost nearly $150 million to real estate scams. A common form of real estate-related fraud is called a “man-in-the-middle attack”. This method is just like it sounds: there is a criminal in between the victim and whoever they are trying to communicate with.
The man in the middle either intercepts the victim’s communications or pretends to be with the organization or person the victim trusts. During a real estate transaction, there is a real danger of victims initiating a fraudulent wire transfer after receiving a spoofed email or believing that they are being contacted by a person they have a trusted relationship with. Even if the criminal is not sophisticated enough to launch a high-tech man-in-the-middle attack, hypothetically a criminal would have enough insider information to conduct a highly targeted social engineering campaign on their victims.
I am not implying that Corcoran’s clients were targeted or at risk of any criminal activity, but only highlighting the fact that any exposure of active home buyers and sellers could be a potential target for cybercriminals. The breach appeared to expose clients, agents, and contact information. The length of time this data was exposed increases the likelihood that others may have had access to millions of records. My goal is to educate and raise awareness of how data is exposed and what the potential risks are.
According to its website, Corcoran is a premier real estate company featuring thousands of luxury properties for sale/rent nationally and internationally. Corcoran is a subsidiary of Realogy Brokerage Group LLC, which is the largest owned brokerage company by sales and volume in the U.S., with $170 billion in U.S. sales volume in 2019.
I saw many internal Agent names and email addresses that were either @Corcoran or @Citihabitats (this domain forwards to Corcoran). Although Realogy has many other franchise brands including Coldwell Banker, Sotheby’s International Realty, and Coldwell Banker Commercial, I did not see any of these domains or emails in the exposure.
It is unclear how long the data was exposed or who else may have had access to the database and records. No one from Corcoran or Realogy has replied at the time of publication.