A million StreetEasy accounts hacked

The data breach includes email addresses, usernames, passwords and may include partial credit card numbers, expiration dates, and billing addresses

TRD New York /
Feb.February 19, 2019 05:45 PM

(Credit: iStock and StreetEasy)

Now you can shop for StreetEasy user accounts on the dark web.

In an email to users Tuesday, StreetEasy said login information for accounts on the site had been hacked by an “unauthorized party” and are currently for sale on the dark web. The company said some financial information might also have been accessed in the hack.

“The stolen data includes email addresses, usernames, and encrypted passwords,” StreetEasy’s communications director, Emily Heffter, said in a statement. “In our investigation, we determined that phone numbers, the last four digits, card type, expiration dates and billing addresses of some mostly expired customer credit cards may also have been accessed.”

Heffter said the hacked information did not include full credit card numbers or CVV/CVC codes.

An unknown hacker is currently selling one million stolen StreetEasy accounts on the dark web alongside information stolen from other sites including MyFitnessPal, Houzz and ClassPass, according to reporting from Tech Crunch. It is not clear when the hack took place.

The same hacker is responsible for posting 841 million records for sale on the dark web, stolen from 30 different companies, according to the tech-news site. A review by TechCrunch did not find any financial data in the hacked information.

StreetEasy said the hacked information was stored on a 2016 database backup. In its email, the company encouraged “potentially exposed users” to reset their passwords, and to monitor their credit card accounts for unauthorized activity.

“We are taking a number of actions to strengthen our internal safeguards to protect against future attempts to gain unauthorized access to our systems,” Heffter said, but declined to comment on specific steps the company will take.

In August 2018, StreetEasy was targeted as part of an anti-Semitic hack that also targeted Snapchat, Citi Bike and the New York Times. All the sites were using maps from the third-party company Mapbox. The hacker changed the display name on their maps from Manhattan to “Jewtropolis.” The attack affected StreetEasy’s building pages, which consolidate information about properties.

The hack was identified within hours.

Related Articles

135 Joralemon Street in Brooklyn Heights and 48 2nd Place in Caroll Gardens (Credit: Wikipedia)

Brooklyn luxury market saw 15 contracts signed last week

130 Furman Street and 296 Sixth Avenue in Brooklyn

Brooklyn’s luxury market saw 22 contracts close above $2M last week

The state of new development, according to those who build and sell it

The state of new development, according to those who build and sell it

83 1st Place in Carroll Gardens and 952 East 9th Street in Midwood (Credit: Google Maps)

Brooklyn’s luxury market saw 16 contracts above $2M signed last week of May: Stribling

REBNY president John Banks and Zillow CEO Richard Barton (Credit: iStock)

Two years after Premier Agent fracas, NYS regulators tighten rules for online ads

From left: Robert Reffkin, Elizabeth F. Stribling, Elizabeth Ann Stribling-Kivlan, and Compass COO Maelle Gavet; Inset, from left: Linda Maloney and Megan Scott

Two months after Compass deal, Stribling’s seeing a string of departures

The interiors of 16 Sidney Place and 15 Willow Street in Brooklyn

Brooklyn’s luxury market saw 20 contracts close above $2M last week: Stribling

215 Clinton Avenue and 16 Grace Court Alley in Brooklyn (Credit: Google Maps)

Brooklyn’s luxury market saw 15 contracts close above $2M last week