Roughly a million StreetEasy accounts have been hacked and their information put up for sale on the dark web, the company confirmed Tuesday evening.

StreetEasy learned of the hack over the weekend after discovering — and eventually confirming — reports that user information was for sale online, company spokesperson Lauren Riefflin told Inman. Riefflin said the stolen data included email addresses, user names and encrypted passwords.

In an emailed statement, StreetEasy also said that an investigation revealed “that phone numbers, the last four digits, card type, expiration dates, and billing addresses of some mostly expired customer credit cards may also have been accessed.”

Riefflin described the source of the stolen information as “an old data file from 2016 or earlier.” She also said that much of the data “was expired” and that no “raw passwords” were included.

The breach affected about 1 million accounts, and the information was discovered for sale on the dark web — a collection of encrypted websites that criminals use to buy and sell stolen information as well as other illegal items.

StreetEasy has not publicly disclosed how the data breach occurred, but Riefflin said the company is “taking a number of actions to make sure that our systems are safeguarded.” Those measures included sending an email to users Tuesday telling them to reset their passwords. The email also provides basic information about what information was stolen and explains that the company “recently learned” about the hack.

TechCrunch reported that the incident is part of an ongoing round of data breaches in which an unknown hacker has tried to sell hundreds of millions of records stolen from multiple companies.

StreetEasy operates as both a sales and rental portal focusing on New York City. The company is owned by Zillow, though Riefflin said that the data breach did not affect the parent company.

In its statement Tuesday, StreetEasy said that “we take the privacy and security of users’ information seriously.”

“We are taking a number of actions to strengthen our internal safeguards to protect against future attempts to gain unauthorized access to our systems,” the statement added.

Email Jim Dalrymple II

Show Comments Hide Comments
Sign up for Inman’s Morning Headlines
What you need to know to start your day with all the latest industry developments
By submitting your email address, you agree to receive marketing emails from Inman.
Success!
Thank you for subscribing to Morning Headlines.
Back to top
Only 3 days left to register for Inman Connect Las Vegas before prices go up! Don't miss the premier event for real estate pros.Register Now ×
Limited Time Offer: Get 1 year of Inman Select for $199SUBSCRIBE×
Log in
If you created your account with Google or Facebook
Don't have an account?
Forgot your password?
No Problem

Simply enter the email address you used to create your account and click "Reset Password". You will receive additional instructions via email.

Forgot your username? If so please contact customer support at (510) 658-9252

Password Reset Confirmation

Password Reset Instructions have been sent to

Subscribe to The Weekender
Get the week's leading headlines delivered straight to your inbox.
Top headlines from around the real estate industry. Breaking news as it happens.
15 stories covering tech, special reports, video and opinion.
Unique features from hacker profiles to portal watch and video interviews.
Unique features from hacker profiles to portal watch and video interviews.
It looks like you’re already a Select Member!
To subscribe to exclusive newsletters, visit your email preferences in the account settings.
Up-to-the-minute news and interviews in your inbox, ticket discounts for Inman events and more
1-Step CheckoutPay with a credit card
By continuing, you agree to Inman’s Terms of Use and Privacy Policy.

You will be charged . Your subscription will automatically renew for on . For more details on our payment terms and how to cancel, click here.

Interested in a group subscription?
Finish setting up your subscription
×