
Remine flaw left MLS data exposed to hackers

A security mishap left Remine wide open to hackers

“The misconfiguration was found in Remine’s development environment, which although protected by a password, let anyone outside the company register an account to log in.
Thinking it was a secure space, Remine’s developers shared private keys, secrets and other passwords, which if exploited by a malicious hacker would have allowed access to the company’s Amazon Web Services storage servers, databases and also the company’s private Slack workspace.”

Yikes! It looks like the security firm who hacked their site got access to a ton of data. According to TechCrunch:

One of the documents seen by TechCrunch showed personal information, including names, home addresses and other personally identifiable information belonging to a rental tenant.

Good news: the security firm was doing this for publicity (I’m assuming), and not for any malicious purposes.

While the timing of this type of situation is never good, in the case of Remine it couldn’t be worse, as CoreLogic’s Clareity MLS Executive Workshop starts tomorrow in Scottsdale. With a ton of MLS executives in attendance, I’m pretty sure this will be the numero uno topic of conversation in the lobby bar.

  1. That’s what happens when you leave a bunch of arrogant children running a start-up company. It’s no wonder the CTO and other executives are quitting left and right. Completely egregious oversight by a company that “prides itself on data security and transparency.”

  2. Exactly why Remine cannot be trusted to be a legitimate provider of MLS software. It is easy to make slick demos and mockups in a sandbox but to deliver fully functioning MLS software at scale with the security and redundancy required and expected from firms like CoreLogic, BlackKnight, Flex, etc. is a whole different ball game. This company had another blunder recently with exposing MLS data on their consumer portal without permission. I think the writing is on the wall that this is an amateur operation that can’t execute beyond selling promises of what they will deliver. Word is the money is drying up and the investors are not happy so I would think twice before doing business with this company or putting your MLS platform at risk. One big data breach can kill an MLS. Buyer beware!

  3. I don’t think I’ll be taking Hugh Janus (huge anus) seriously and I’m going to wager that the David C. in these comments has no relation to our industry icon from Bright MLS. It’s just sad…

    REMINE is a scrappy, agile tech company trying to solve MLS problems with legit solutions. It’s not something accomplished without a few bumps in the road. I know they’ll learn from this and be stronger for it.

    To REMINE…keep charging forward! The industry is a better place with you in it.

  4. Thanks for the vote of confidence TD! Indeed the earlier post is not mine. But for sure it is someone who bears a grudge or possibly a competitor of Remine.

    I have been a big fan of Remine for several years. Their aggressive approach, their innovative solutions and most importantly their ability to deliver on their promises have served to propel our entire industry forward. In this instance they quickly and voluntarily acknowledged the problem, fixed it, and hired a very reputable firm to investigate the vulnerability. They didn’t make excuses. They didn’t hide.

    Nonetheless, let this be a reminder to all of us that the data we collect and the partners we retain to protect it needs continued, aggressive vigilance. And when we do stumble, let’s hope we can count on our partners to be as transparent.

  5. With all due respect, David, Remine had to acknowledge and voluntarily disclose their data breach under security breach notification laws. That isn’t anything special. “Their aggressive approach” is exactly why this is the second time in a very short period Remine has played fast and loose with consumer and customer data. There is a difference between aggressive and reckless and it’s a fine line that Remine toes.

    They didn’t make excuses? There is no excuse. A third-party found an unlocked backdoor and invited themselves to the party, free of charge. Remine should send the security threat analyst to Cabo for being the one to find this gaping hole instead of a malicious party who could have dumped confidential personal information on the dark web.

  6. With even more respect to David, these problems with Remine are a long time coming for anyone paying attention. Not something you often say but I agree with Hugh Janus. Executive departures in last 6 months include a head of engineering on the west coast who was fired for trashing a strip club, the CTO, the finance VP/basically acting CFO, and the head lawyer. Except for the engineer they had all just had it with the spinning out of control. Even poor Leo got basically forced out a year ago and no one seems to have noticed. President just a face saving title and the guy doesn’t even live in the area anymore. And TD with his optimism and weird need to spell out huge anus is just plain wrong. No founder at Remine has ever learned anything because they believe there’s nothing anyone else can teach them. They’ve watched too many tv shows about ‘moving fast and breaking things’ without actually doing the hard work of management. The idea that it ‘prides itself on data security and transparency’ is crazy. Ask employees if they’ve been told the truth about everyone walking out and the secret bonuses being paid to people that agree to stay with the ship as it goes under. Oliver is right too. You don’t get extra credit for doing what you have to do anyway.

  7. Wow! I find this type of breach to be in bad form at the very least. It’s the responsibility of software architects to ensure that the data they collect is secure and for the engineering team to Q&A test the software. In an industry where we are dealing with proprietary data and in a day and age where data privacy laws are getting very serious, this should be priority #1 for a tech company. And our MLS leadership needs to hold their service providers accountable including making sure they have a secure “sandbox” environment for development and that any web-based application they use is on a modern and secure (as can be) platform. There is a philosophy with start ups that the early bird gets the worm. In other words, get to market first. This is both a good and a bad thing. While it might give a company a head start in the market, it can surely jeopardize their position as good stewards of our data if they cut the wrong corners in favor of market traction.

  8. “Mossab Hussein, a security researcher at Dubai-based cybersecurity firm SpiderSilk, found the exposed system and reported the findings to TechCruch so we could inform the company of the security lapse.”

    Yeah right. More like “reported the findings to TechCruch (sic)” either as a publicity stunt, or to help Remine’s competitors.

    Doesn’t excuse Remine’s near-breach, and as the article says it’s forced Remine to retain a security firm/clean up any security flaws, which is a net positive. But still, let’s get real about the motivations here –– SpiderSilk/Hussein could’ve contacted Remine directly, and elected not to. I’d never, ever hire a security firm that employs dirty mind tricks like this, and this leaves me somewhat dubious of their findings.

    Also makes me somewhat dubious of the coverage of this TechCrunch article.
