[BreachExchange] A million StreetEasy accounts hacked

Destry Winant destry at riskbasedsecurity.com
Thu Feb 21 08:08:57 EST 2019


https://therealdeal.com/2019/02/19/a-million-streeteasy-accounts-hacked/

Now you can shop for StreetEasy user accounts on the dark web.

In an email to users Tuesday, StreetEasy said login information for
accounts on the site had been hacked by an “unauthorized party” and
is currently for sale on the dark web. The company said some
financial information might also have been accessed in the hack.

“The stolen data includes email addresses, usernames, and encrypted
passwords,” StreetEasy’s communications director, Emily Heffter, said
in a statement. “In our investigation, we determined that phone
numbers, the last four digits, card type, expiration dates and billing
addresses of some mostly expired customer credit cards may also have
been accessed.”

Heffter said the hacked information did not include full credit card
numbers or CVV/CVC codes.

An unknown hacker is currently selling one million stolen StreetEasy
accounts on the dark web alongside information stolen from other sites
including MyFitnessPal, Houzz and ClassPass, according to reporting
from TechCrunch. It is not clear when the hack took place.

The same hacker is responsible for posting 841 million records for
sale on the dark web, stolen from 30 different companies, according to
the tech-news site. A review by TechCrunch did not find any financial
data in the hacked information.

StreetEasy said the hacked information was stored on a 2016 database
backup. In its email, the company encouraged “potentially exposed
users” to reset their passwords, and to monitor their credit card
accounts for unauthorized activity.

“We are taking a number of actions to strengthen our internal
safeguards to protect against future attempts to gain unauthorized
access to our systems,” Heffter said, but declined to comment on
specific steps the company will take.

In August 2018, StreetEasy was targeted as part of an anti-Semitic
hack that also targeted Snapchat, Citi Bike and the New York Times. All
the sites were using maps from the third-party company Mapbox. The
hacker changed the display name on their maps from Manhattan to
“Jewtropolis.” The attack affected StreetEasy’s building pages, which
consolidate information about properties.

The hack was identified within hours.

