Security Affairs

Hello Alfred app exposes user data

Hello Alfred, an in-home hospitality app, left a database accessible without password protection, exposing almost 170,000 records containing private user data.

Hello Alfred is a one-stop application allowing real estate developers and property managers to provide in-home services and maintenance to residents. It also enables landlords to collect rent in-app.

Residents using the platform get an app-based personal assistant service for their apartments. A designated Hello Alfred employee handles the residents’ home-related inquiries, such as managing weekly shopping, in-home delivery, or picking up dry cleaning.

On September 19th, researchers discovered that the platform exposed sensitive user data. The leaked information included:

  • First and last name
  • Email address
  • Phone number
  • Home address
  • Authentication tokens
  • Private notes
  • App signup details, such as dates, IPs, cookies, and user agents
  • Partial payment information for paid users – including the last four digits of credit card numbers, expiry month/year, and Stripe IDs

The owners of the app were informed about the leak and secured access almost immediately. Cybernews contacted the company for an official comment but received no reply at the time of writing.

Launched nine years ago, the New York-based platform has publicly raised $56.5 million in funding and operates in over 20 cities in the US. In 2018, business magazine Fast Company selected the company as one of the Top 50 Most Innovative Companies in the World.

Hello Alfred data leak
Source: Cybernews

Passwordless database

The cause of the data leak was a publicly accessible MongoDB instance; MongoDB is a document-oriented database program. According to Bob Diachenko, the CEO of SecurityDiscovery, who first identified the leak, at least three IP addresses of the same database were left passwordless and indexed by public search engines.

The exposure of sensitive data, including user names, contact information, authentication tokens, private notes, and partial payment information, in a resident management software application raises significant concerns about user privacy and security.
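As an added example (not from the original article, Cybernews, or Hello Alfred's systems), the Python check below flags the combination described above in a `mongod.conf`: a listener reachable beyond loopback with access control switched off. The sample configs and function names are constructed for illustration; the parser handles only the two-level `section:` / `key: value` layout and assumes MongoDB 3.6+ defaults (bind to localhost, authorization disabled).

```python
import ipaddress

# Constructed sample configs for illustration (not taken from the incident).
EXPOSED = "net:\n  port: 27017\n  bindIp: 0.0.0.0\n"
HARDENED = ("net:\n  port: 27017\n  bindIp: 127.0.0.1,10.0.5.12\n"
            "security:\n  authorization: enabled\n")

def parse_two_level(text):
    """Parse only the 'section:' / '  key: value' subset of YAML that mongod.conf uses."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and trailing space
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        if not line[0].isspace():                 # unindented line opens a section
            section = key
            conf[section] = {}
        elif section is not None:
            conf[section][key.strip()] = value.strip().strip("\"'")
    return conf

def is_loopback(host):
    if host == "localhost" or host.startswith("/"):   # hostname or Unix socket path
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False                                  # unknown hostname: assume reachable

def audit(text):
    """Return findings for a mongod.conf; the last one is CRITICAL when both gaps combine."""
    conf = parse_two_level(text)
    net, sec = conf.get("net", {}), conf.get("security", {})
    bind_all = net.get("bindIpAll", "false").lower() == "true"
    binds = ["all interfaces"] if bind_all else [
        b.strip() for b in net.get("bindIp", "localhost").split(",")]
    remote = bind_all or not all(is_loopback(b) for b in binds)
    # Access control is off by default; setting security.keyFile also turns it on.
    auth = sec.get("authorization", "disabled") == "enabled" or "keyFile" in sec
    findings = []
    if not auth:
        findings.append("authorization not enabled: clients need no credentials")
    if remote:
        findings.append("listens beyond loopback: " + ",".join(binds))
    if remote and not auth:
        findings.append("CRITICAL: passwordless database reachable over the network")
    return findings
```

Running `audit(EXPOSED)` reports both gaps plus the critical combination, while `audit(HARDENED)` reports only the non-loopback listener, which is then a matter for firewall rules rather than an open database.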

More details are available on the original post at @Cybernews

https://cybernews.com/security/hello-alfred-data-leak/

About the author: Paulina Okunytė, Journalist at CyberNews

Pierluigi Paganini

(SecurityAffairs – hacking, Apple)