We often write about malicious Android apps that intend to steal your data, but some apps put your data at risk inadvertently. This week, the Cybernews research team discovered that a very popular all-in-one real estate app called MyEstatePoint Property Search left a MongoDB server containing sensitive data about its users open to the public.
MyEstatePoint Property Search was made by India-based software developer NJ Technologies. The app has been downloaded over 500,000 times, mostly by users in India. Cybernews claims that the exposed server contained data on over 497,000 users, which means that nearly every user who ever installed the app has been affected.
According to the report, the research team found the server on November 6, 2023, and quickly contacted the developer about the issue. NJ Technologies never responded, but access to their server has since been closed off to the public.
The exposed server showed users’ first and last names, email addresses, plain-text passwords, mobile phone numbers, cities, businesses, and signup methods.
The Cybernews research team shared the following statement about the leak:
“This comprehensive dataset poses severe risks as threat actors could exploit the exposed information for unauthorized access, identity theft, fraudulent activities, and potentially compromise the privacy and security of the affected individuals.”
Anyone who has ever used this app should change their password immediately. And even if you don’t use the app, this is yet another reminder to use a different password for every app and service. If the password you use for an Android app that leaks your data is the same one you use for your email or your bank, the consequences could be catastrophic.