MyEstatePoint Property Search Android app leaks user passwords

Pierluigi Paganini January 05, 2024

The MyEstatePoint Property Search app leaked data on nearly half a million of its users, exposing their names and plain-text passwords, the Cybernews research team has found.

The all-in-one real estate app MyEstatePoint Property Search left a publicly accessible MongoDB server containing the sensitive details of its app users.

The app, developed by NJ Technologies, an India-based software developer, has over half a million downloads on the Google Play store and mainly serves the Indian market.

According to the team, the exposed server contained data on over 497,000 users, almost matching the number of times the app was downloaded.

We reached out to NJ Technologies for comment but have yet to receive a reply.

MyEstatePoint Property Search
Sample of the leaked data.

The team discovered the publicly facing MongoDB server on November 6th and contacted the app’s developers but received no reply. However, the instance has been closed off since.

The exposed instance contained sensitive app users’ details, such as:

  • First and last names
  • Email addresses
  • Plain-text passwords
  • Mobile phone numbers
  • City
  • Business descriptors
  • Signup methods

“This comprehensive dataset poses severe risks as threat actors could exploit the exposed information for unauthorized access, identity theft, fraudulent activities, and potentially compromise the privacy and security of the affected individuals,” the team said.

Scammers can use email addresses and plain text passwords for various attacks.

To know more about the attack take a look at the original post at:

Original post @ https://cybernews.com/security/myestatepoint-property-search-app-data-leak/

About the author: Vilius Petkauskas, Deputy Editor at @CyberNews

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, malicious packages PyPi)



you might also like

leave a comment