A million StreetEasy accounts hacked

The data breach includes email addresses, usernames, passwords and may include partial credit card numbers, expiration dates, and billing addresses

(Credit: iStock and StreetEasy)
(Credit: iStock and StreetEasy)

Now you can shop for StreetEasy user accounts on the dark web.

In an email to users Tuesday, StreetEasy said login information for accounts on the site had been hacked by an “unauthorized party” and are currently for sale on the dark web. The company said some financial information might also have been accessed in the hack.

“The stolen data includes email addresses, usernames, and encrypted passwords,” StreetEasy’s communications director, Emily Heffter, said in a statement. “In our investigation, we determined that phone numbers, the last four digits, card type, expiration dates and billing addresses of some mostly expired customer credit cards may also have been accessed.”

Heffter said the hacked information did not include full credit card numbers or CVV/CVC codes.

An unknown hacker is currently selling one million stolen StreetEasy accounts on the dark web alongside information stolen from other sites including MyFitnessPal, Houzz and ClassPass, according to reporting from Tech Crunch. It is not clear when the hack took place.

Sign Up for the undefined Newsletter

The same hacker is responsible for posting 841 million records for sale on the dark web, stolen from 30 different companies, according to the tech-news site. A review by TechCrunch did not find any financial data in the hacked information.

StreetEasy said the hacked information was stored on a 2016 database backup. In its email, the company encouraged “potentially exposed users” to reset their passwords, and to monitor their credit card accounts for unauthorized activity.

“We are taking a number of actions to strengthen our internal safeguards to protect against future attempts to gain unauthorized access to our systems,” Heffter said, but declined to comment on specific steps the company will take.

In August 2018, StreetEasy was targeted as part of an anti-Semitic hack that also targeted Snapchat, Citi Bike and the New York Times. All the sites were using maps from the third-party company Mapbox. The hacker changed the display name on their maps from Manhattan to “Jewtropolis.” The attack affected StreetEasy’s building pages, which consolidate information about properties.

The hack was identified within hours.