Cybersecurity researcher Jeremiah Fowler discovered and reported to vpnMentor a non-password-protected database that held 1.5 billion records containing real estate ownership data of millions of people, including celebrities, politicians, and even his own personal information. The database belonged to New York-based Real Estate Wealth Network.
The exposed database contained a total of 1,523,776,691 records with a size of 1.16 TB. The data was organized in various folders according to: property history, motivated sellers, bankruptcy, divorce, tax liens, foreclosure, homeowner association (HOA) liens, inheritance, court judgments, obituary (death), vacant properties, and more. The folders contained information on property owners, sellers, investors, and what appeared to be internal user logging data that included name, physical address, phone number, provider, and what was downloaded from the database.
The logging records indicated that the files belonged to a company named Real Estate Wealth Network. I immediately sent a responsible disclosure notice, and the database was secured from public access shortly after. A few days later, a representative of Real Estate Wealth Network contacted me to thank me for notifying them of the breach and confirmed ownership of the database. It is unclear how long the database was exposed or who else may have accessed the data. Only an internal forensic audit could identify if the records had been accessed, extracted, or downloaded.
In the United States, property tax records are generally considered semi-public records. However, that doesn't mean there is full public access to ownership information. There are no central record-keeping agencies or one single place to access property tax ownership. Among the 50 states, there are 3,144 counties; each has its own local government (cities, counties, and school districts) that collects property taxes, and each one has its own policies for storing and sharing property tax data.
The records are physically stored in each individual jurisdiction, and some locations even require an in-person visit to access the property tax records. Some localities do have websites or online portals where limited property tax information can be obtained. The ease of access or availability can vary drastically from state to state and even among counties within the same state.
Many years ago, I was a licensed real estate agent, so I immediately knew what these records were and how they could be used. Lead generation for buying and selling properties is a big business. As of 2023, it is estimated that Americans owe $12.01 trillion in mortgages, and housing accounts for an estimated 15-18% of GDP. As a landowner myself, I get countless offers in the mail from investors big and small offering to buy my property at a small fraction of its value.
When searching the database, I found my own property, my name, address, purchase date, and other details. I then checked my local county tax and revenue office to see if such data was publicly available and found that my local county does not offer this information online.
After finding my own information, I searched a random selection of famous people and found alleged property ownership data of those including: Kylie Jenner, Blake Shelton, Britney Spears, Floyd Mayweather, Dave Chappelle, Elon Musk & Associates LLC, Dolly Parton, Mark Wahlberg, Nancy Pelosi, and others. I was able to see their street address, purchase price and date, mortgage company, mortgage loan amount, tax ID numbers, taxes owed, paid, or due, and other information.
Real Estate Wealth Network (REWN) was founded by real estate investor and educator Cameron Dunlap in 1993. It is an online real estate education platform that offers education and resources for real estate investing, including a massive collection of data. Fees for accessing the data are a non-refundable $1,450 per year according to a review posted on the Better Business Bureau (BBB). Subscribers gain access to a variety of resources, including online courses, training materials, and a community.
Additionally, Real Estate Wealth Network offers mentorship and coaching from experienced real estate professionals. I called REWN to better understand the costs and was recommended the “motivated seller data feed” for $99 a month. There is no subscription membership that allows access to the full dataset; as a member, you can only access individual data feeds such as foreclosures, investment opportunities, and funding sources. It is plausible that the exposed database I discovered was REWN’s entire collection of resources, which is sold to investors and subscribers in divided data feeds.
The database also contained daily logging records from 4/22/23 through 10/23/23, which showed internal user search data. The records I saw included the user’s name, phone number, email, device information, and what files the user accessed.
Potential Risks
The exposure of celebrities' home addresses online could pose potential risks such as threats to their personal safety or an invasion of their privacy. Famous people and politicians could face potential stalking or harassment by fans or even individuals with malicious intent. One recent example of a worst-case scenario would be the home invasion and attack on Paul Pelosi, the husband of the former Speaker of the United States House of Representatives, Nancy Pelosi.
The personal privacy, safety, and security of famous individuals is as important as that of any other person. Everyone, famous or not, should feel safe in their own homes. Celebrities and public servants deserve personal privacy and a sense of security for themselves and their families in the properties they own and live in.
Real estate tax data typically includes information about property ownership, assessed property values, tax assessment history, and property tax payment history. While this information is generally meant for transparency and tax assessment purposes, there are potential risks associated with the misuse of this data. Criminals could use real estate tax data to gather personal information about property owners, which may include their names, addresses, and other sensitive information.
Each piece of data is like a puzzle piece, and it can be used to target an individual using social engineering or a phishing attack to gain financial or other personal information. As an example, the exposed records indicated if an individual bought their house with cash and without a mortgage loan, or if they already paid off their mortgage. This would likely indicate the individual is either wealthy or a vulnerable senior citizen, both of whom could be a much better potential target for financial fraud.
Another growing risk is property and mortgage fraud. In a 2022 report, the FBI identified that 11,578 cases of real estate fraud caused $350 million in losses in just one year, which means the number of real estate fraud cases has increased an estimated 20% since 2017. Property fraud is a multistep scam that first involves stealing a homeowner’s identity and then forging ownership documents.
Criminals could identify properties that are owned free and clear or have a large amount of equity. Next, they would forge documents and submit them to the local clerk of courts where the transfer of the property would be recorded in the county's public records. The court clerk only verifies that the documents comply with the filing requirements, so there is virtually no verification if the sale is legitimate or accurate.
Once the transfer of the home is registered with the court, a deed of ownership would be issued to the criminal. They could hypothetically sell the property to an unsuspecting buyer or obtain a mortgage loan on the home. It would be relatively easy to choose a target and see if their SSN (social security number) or other private details are available for sale on the dark web or were included in previous data breaches. This method would allow criminals to commit the theft of the property without ever contacting the true owner.
I highly recommend that property owners be cautious about sharing their personal information, especially in response to unsolicited requests for personal information or details about their property. It is important for homeowners to understand the potential risks associated with semi-public data.
It is unknown how long the data was publicly exposed or even if anyone else may have accessed it. I am not saying individuals in the Real Estate Wealth Network database are at an imminent risk; I am only providing a hypothetical example of how real estate or other forms of fraud could happen using exposed ownership records and tax information. Any illustrative scenarios are intended solely for illustrative purposes to underscore the importance of data security and do not suggest that such events have occurred or are likely to occur. I am also not implying any wrongdoing by the Real Estate Wealth Network.
As an ethical security researcher, I never download or extract the data I discover and only take a limited number of samples in a manner that is consistent with legal and ethical guidelines, to validate my findings and publish for educational purposes. The intent of sharing this information is to raise awareness about data privacy and protection, and not to suggest negligence or lack of security on the part of any individual or organization.
Jeremiah Fowler is a cybersecurity researcher at vpnMentor and Co-Founder of Security Discovery.
Jeremiah Fowler finds and reports data breaches and vulnerabilities. He identifies real-world examples of how exposed data can be a much bigger risk to personal privacy. Together with the vpnMentor team, he has helped secure the personal data of millions of people from all over the world.
Jeremiah has over 10 years of experience in cyber security and has found some of the largest data breaches recorded in yearly summaries. After the company he was working for had a data breach of their own customers, he became inspired to find out how data exposures happen. What started as digital treasure hunting quickly became more than a hobby. He quickly became a well-known security researcher and thought leader, frequently appearing in the news.
He has been a keynote speaker at multiple security conferences and has given lectures and webinars to startups and Fortune 100 companies on the topics of cyber security, privacy, and data protection. Jeremiah lives by the saying "Do what you love, and you will always love what you do."