The in-home hospitality software Hello Alfred exposed over 170,000 records with sensitive user information by leaving a database open without a password.
With Hello Alfred, property managers and real estate developers can provide residents in-home maintenance and services all in one place. Landlords are also allowed to take payments in-app.
Residents on the platform get an app-based personal assistant service for their homes. A dedicated Hello Alfred staff member answers all of a resident's home-related questions and also takes care of weekly shopping, in-home delivery, and dry cleaning pickup.
The source of the data breach was a publicly accessible instance of MongoDB, a document-oriented database application. Bob Diachenko, the CEO of SecurityDiscovery, who first discovered the breach, claims that the same database was reachable without a password on at least three IP addresses, all of which had been indexed by open search engines.
There are serious issues regarding user privacy and security when sensitive data—such as user names, contact details, authentication tokens, private notes, and partial payment information—is exposed in a resident management software program.