Due to a security blunder, real estate data firm Remine left its system wide open to hacking, potentially exposing private agent and consumer information.
Remine, which offers a variety of software products for multiple listing services and their agent and broker subscribers, raised $30 million in Series A funding last year. More than 50 multiple listing services have deployed Remine’s core platform, which first launched in 2017.
On Monday, Remine sent this notification to those MLSs:
Dear MLS Partners,
Data security and transparent, timely communications are a top priority here at Remine. This is why we wanted to reach out to you promptly to share that, today, we discovered a potential data security issue relating to information that we maintain in our code repository. Upon learning of this issue, we took immediate action, including commencing an internal investigation and making certain that the repository was no longer accessible to external users. We have retained a top outside forensic investigation firm to assist in our investigation into this matter.
The security and privacy of our customers’ information remains a top priority and we are diligently working to learn additional details about what happened and to appropriately respond to this matter. We regret any concern this may cause, and we are working closely with the forensic investigators to determine what may have happened so that we can share additional information about this matter with our clients once it is available.
Jonathan Spinetto, Co-founder and COO
Reached by Inman via email, Remine CEO and co-founder Mark Schacknies said, “We were not hacked. There was just an exposed vulnerability. Issue has been resolved.”
Asked what the vulnerability was, when it was discovered, how it was discovered, when it was corrected, whether there had been any impact to Remine, its products or its users as a result of the exposed vulnerability or whether any customer or user information was compromised by the vulnerability, Remine declined to comment, citing the ongoing investigation.
According to tech news outlet TechCrunch, it informed Remine that its system was vulnerable after being contacted by Mossab Hussein, a security researcher at Dubai-based cybersecurity firm SpiderSilk. Hussein told TechCrunch that Remine’s system had been misconfigured to allow anyone outside of the company to register an account and log in.
“Thinking it was a secure space, Remine’s developers shared private keys, secrets and other passwords, which if exploited by a malicious hacker would have allowed access to the company’s Amazon Web Services storage servers, databases and also the company’s private Slack workspace,” TechCrunch reported.
The company’s storage servers contain more than a decade’s worth of documents — including title deeds, rent agreements and addresses of customers or sellers, Hussein told TechCrunch. The news outlet itself reported seeing a document showing personal information, including names, home addresses and other personally identifiable information belonging to a rental tenant.
Spinetto confirmed the security lapse to TechCrunch and said Remine’s private keys and secrets had been replaced.
“Remine discovered a potential security vulnerability, and took immediate action to address the issue. We are currently working with an independent third party in our investigation into this matter,” Remine spokesperson Quinn Nichols told Inman via email. “Remine has notified their clients of this issue. The company will share additional relevant information about this matter with their clients once it is available.”
Remine declined to comment on the TechCrunch article or to name the third-party company, but TechCrunch reported Remine had retained cybersecurity firm Crypsis to investigate and that the company would “assess and comply” with applicable data breach notification laws based on its findings.
Inman reached out to 23 MLSs to ask if they had been affected by the Remine security issue. Most said they weren’t aware of any impacts:
- Alaska MLS
- Arizona Regional MLS (ARMLS)
- First MLS (FMLS)
- Georgia MLS
- Gulf South Real Estate Information Network (GSREIN)
- Houston Association of Realtors (HAR)
- Miami Association of Realtors (MIAMI)
- North Texas Real Estate Information Services (NTREIS)
- Rhode Island Association of Realtors (RIAR)
The others, listed below, have not responded to Inman’s inquiry asking if they had been impacted:
- Bright MLS
- California Regional MLS (CRMLS)
- Charleston Trident MLS
- San Francisco Association of Realtors (SFAR)
- Stellar MLS
Editor’s note: This story has been updated to note additional MLSs that have said they are not aware of any impacts of the Remine security issue.