Because of a website security snafu, the online real estate platform Redfin made random users’ names, email addresses, and phone numbers available to others who log onto listings. The vulnerability lasted less than a week, the company said.
The personal identification information became visible to other users who were viewing real estate listings. The information would appear momentarily when a contact information form popped up on a listing; the form would be pre-filled with details from past users, which would quickly vanish.
The contact information of past users, however, would remain visible when the listing was viewed with JavaScript disabled. JavaScript is a programming language used to make websites interactive, and many browsers allow it to be turned off in general or for specific sites.
Past users’ email addresses or phone numbers, and sometimes both, were displayed.
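Anything a browser shows with JavaScript disabled comes from the HTML the server returned, so a site operator can test for this class of leak by checking that markup directly. The following is an added illustration, not Redfin's code and not part of the original reporting; the form markup, field names, and the `audit_anonymous_html` helper are constructed assumptions.

```python
from html.parser import HTMLParser

# Field types and name fragments treated as contact details (assumed naming).
PII_TYPES = {"email", "tel"}
PII_NAME_HINTS = ("name", "email", "phone")
SKIPPED_TYPES = {"hidden", "submit", "button", "checkbox", "radio"}


class PrefillAuditor(HTMLParser):
    """Records contact fields that arrive from the server already filled in."""

    def __init__(self):
        super().__init__()
        self.prefilled = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        kind = a.get("type", "text").lower()
        name = a.get("name", "").lower()
        if kind in SKIPPED_TYPES:
            return
        looks_like_pii = kind in PII_TYPES or any(h in name for h in PII_NAME_HINTS)
        if looks_like_pii and a.get("value", "").strip():
            # Keep only the field name so the audit log never stores the data.
            self.prefilled.append(name or kind)


def audit_anonymous_html(html):
    """Return names of contact fields pre-filled in HTML served to a new visitor."""
    auditor = PrefillAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.prefilled


# Constructed samples: markup as a logged-out visitor with no prior session gets it.
LEAKY = """<form id="contact">
<input type="hidden" name="csrf" value="constructed-token">
<input type="text" name="full_name" value="">
<input type="email" name="email" value="previous.visitor@example.com">
<input type="tel" name="phone" value="555-0100">
</form>"""
CLEAN = """<form id="contact">
<input type="text" name="full_name" placeholder="Name">
<input type="email" name="email" placeholder="Email">
<input type="tel" name="phone" placeholder="Phone" />
</form>"""
```

Run as a regression test against pages rendered for a fresh, logged-out session, any non-empty result means the server put someone's details into the response before client-side script had a chance to clear them.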
“We recently identified a technical error on the website that temporarily made it possible for the e-mail address and/or phone number of a previous visitor to be visible to another user on a rental listing page,” said Alina Ptaszynski, a Redfin spokesperson. “This error was active for less than a week and was remediated as soon as we were made aware of it.”
After The Intercept initially contacted Redfin, the company changed the way its website contact form is displayed for desktop web browsers, but the vulnerability persisted on mobile listings. After a subsequent inquiry from The Intercept, the mobile listings’ contact form was updated as well.
Redfin, a giant brokerage house that pioneered map-based online real estate listings, claims to have 50 million monthly users, according to Rocket, its parent company.
The data vulnerability only displayed one user’s contact information at a time, but data could have been collected en masse by someone making repeated visits to property listings and serially gathering available information. (Redfin did not respond to a question about whether there was any evidence the vulnerability had been exploited to collect bulk user information.)
Using reverse phone number and email search databases, The Intercept confirmed that the email addresses and phone numbers are valid contact information belonging to real people, not just dummy data that developers sometimes use when testing their code.
Inadvertently revealing user information is a problem which has plagued web services for years.
Redfin’s privacy policy says the company may share private information, but only when the prompt to provide that data is accompanied by a disclosure. The property contact form, however, does not provide a disclaimer that a user’s contact information might be shared, let alone with subsequent users.