170K Records of Plaintext PII Exposed in Massive Real Estate Database Leak
A large, unsecured database containing more than 170,000 records of personally identifiable information (PII) and internal documentation was discovered online by cybersecurity researcher Jeremiah Fowler. The database was unencrypted, lacked password protection, and measured 116.24 gigabytes, leaving its contents easily accessible to anyone who found it.
Fowler, who published the findings via Website Planet, believes the data may belong to Income Property Investments, a real estate management and investment company based in California. The organization is known for handling properties across the United States. However, it remains unclear whether the company itself or a third-party vendor was responsible for the misconfiguration.
Highly Sensitive Data Left Completely Exposed
The database contained a wide range of sensitive information, all in plain text, creating a significant risk of identity theft, fraud, and phishing campaigns. Among the exposed records were:
- Full names
- Dates of birth
- Social Security numbers
- Physical and email addresses
- Employment-related documents, including reprimands and termination letters
- Internal reports: property security logs, maintenance and reimbursement files, police reports, and incident summaries
According to Fowler, some records even included images of damaged property, arrest-related documents, and details tied to employees’ medical issues. Additionally, financial documents in the database included petty cash statements, receipts, and partial payment card data (card type and the last four digits).
“The database also showed property inspection reports, notices to vacate (evictions), employee terminations and demotion letters, petty cash statements, receipts, and expense reports,” Fowler stated.
Exposure Discovered and Contained Promptly
Upon identifying the leak, Fowler issued a responsible disclosure notice to the suspected owner. The database was secured the same day, restricting public access and minimizing the window of exposure. Still, the scale and sensitivity of the data raise serious concerns about security practices in the real estate sector, especially among firms managing vast amounts of personal and financial records.
This incident once again highlights the recurring threat of misconfigured databases—where a simple lack of encryption or authentication can jeopardize the privacy of thousands.