cybernews.com
2606:4700:3108::ac42:283b  Public Scan

URL: https://cybernews.com/security/hello-alfred-data-leak/
Submission: On November 08 via api from US — Scanned from DE

Text Content

© 2023 CyberNews - Latest tech news,
product reviews, and analyses.

HELLO ALFRED APP EXPOSES USER DATA

Updated on: 27 October 2023
 * Paulina Okunytė
   Journalist

--------------------------------------------------------------------------------


Hello Alfred, an in-home hospitality app, left a database accessible without
password protection, exposing almost 170,000 records containing private user
data.

Hello Alfred is a one-stop application allowing real estate developers and
property managers to provide in-home services and maintenance to residents. It
also enables landlords to collect rent in-app.

Residents using the platform get an app-based personal assistant service for
their apartments. A designated Hello Alfred employee handles the residents'
home-related inquiries, such as managing weekly shopping, in-home delivery, or
picking up dry cleaning.



On September 19th, researchers discovered that the platform exposed sensitive
user data. The leaked information included:

 * First and last name
 * Email address
 * Phone number
 * Home address
 * Authentication tokens
 * Private notes
 * App signup details, such as dates, IPs, cookies, and user agents
 * Partial payment information for paid users – including the last four digits
   of credit card numbers, expiry month/year, and Stripe IDs

The owners of the app were informed about the leak and secured access almost
immediately. Cybernews contacted the company for an official comment but
received no reply at the time of writing.

Launched nine years ago, the New York-based platform has publicly raised $56.5
million in funding and operates in over 20 cities in the US. In 2018, business
magazine Fast Company selected the company as one of the Top 50 Most Innovative
Companies in the World.


PASSWORDLESS DATABASE

The cause of the data leak was a publicly accessible instance of MongoDB, a
document-oriented database program. According to Bob Diachenko, the CEO of
SecurityDiscovery, who first identified the leak, at least three IP addresses
of the same database were left passwordless and indexed by public search
engines.

The exposure of sensitive data, including user names, contact information,
authentication tokens, private notes, and partial payment information, in a
resident management software application raises significant concerns about user
privacy and security.

If threat actors had taken advantage of the free access to Alfred's user
data, they could have exploited it in various ways, including fraud,
identity theft, and impersonation. This makes the data leak a serious threat to
both users and the application's integrity.

The data leak greatly increases the risk of spearphishing attacks, as attackers
could leverage user contact details and partial payment information to craft
targeted attack campaigns, leading to financial scams. The last four digits of
the credit card could potentially be used to trick a victim into revealing the
remaining banking information.
