Hello Alfred app exposes user data

Hello Alfred app exposes user data

Pierluigi Paganini
October 27, 2023

Hello Alfred, an in-home hospitality app, left a database accessible without password protection, exposing almost 170,000 records containing private user data.

Hello Alfred is a one-stop application allowing real estate developers and property managers to provide in-home services and maintenance to residents. It also enables landlords to collect rent in-app.

Residents using the platform get an app-based personal assistant service for their apartments. A designated Hello Alfred employee handles the residents’ home-related inquiries, such as managing weekly shopping, in-home delivery, or picking up dry cleaning.

On September 19th, researchers discovered that the platform exposed sensitive user data. The leaked information included:

  • First and last name
  • Email address
  • Phone number
  • Home address
  • Authentication tokens
  • Private notes
  • App signup details, such as dates, IPs, cookies, and user agents
  • Partial payment information for paid users – including the last four digits of credit card numbers, expiry month/year, and Stripe IDs

The owners of the app were informed about the leak and secured access almost immediately. Cybernews contacted the company for an official comment but received no reply at the time of writing.

Launched nine years ago, the New York-based platform has publicly raised $56.5 million in funding and operates in over 20 cities in the US. In 2018, business magazine Fast Company selected the company as one of the Top 50 Most Innovative Companies in the World.

Hello Alfred data leak
Source: Cybernews

Passwordless database

The cause of the data leak was a publicly accessible MongoDB, a document-orientated database program. According to Bob Diachenko, the CEO of SecurityDiscovery and who first identified the leak, at least three IP addresses of the same database were left passwordless and indexed by public search engines.

The exposure of sensitive data, including user names, contact information, authentication tokens, private notes, and partial payment information in a resident management software application raises significant concerns about user privacy and security.

Hello Alfred data leak
Source: Cybernews

More details are available on the original post at @Cybernews

About the author: Paulina Okunytė, Journalist at CyberNews

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Apple)