Roughly a million StreetEasy accounts have been hacked and their information put up for sale on the dark web, the company confirmed Tuesday evening.
StreetEasy learned of the hack over the weekend after discovering — and eventually confirming — reports that user information was for sale online, company spokesperson Lauren Riefflin told Inman. Riefflin said the stolen data included email addresses, user names and encrypted passwords.
In an emailed statement, StreetEasy also said that an investigation revealed “that phone numbers, the last four digits, card type, expiration dates, and billing addresses of some mostly expired customer credit cards may also have been accessed.”
Riefflin described the source of the stolen information as “an old data file from 2016 or earlier.” She also said that much of the data “was expired” and that no “raw passwords” were included.
The breach affected about 1 million accounts, and the information was discovered for sale on the dark web — a collection of encrypted websites that criminals use to buy and sell stolen information as well as other illegal items.
StreetEasy has not publicly disclosed how the data breach occurred, but Riefflin said the company is “taking a number of actions to make sure that our systems are safeguarded.” Those measures included sending an email to users Tuesday telling them to reset their passwords. The email also outlines what information was stolen and explains that the company “recently learned” about the hack.
TechCrunch reported that the incident is part of an ongoing round of data breaches in which an unknown hacker has tried to sell hundreds of millions of records stolen from multiple companies.
StreetEasy operates as both a sales and rental portal focusing on New York City. The company is owned by Zillow, though Riefflin said that the data breach did not affect the parent company.
In its statement Tuesday, StreetEasy said that “we take the privacy and security of users’ information seriously.”
“We are taking a number of actions to strengthen our internal safeguards to protect against future attempts to gain unauthorized access to our systems,” the statement added.