A serious data breach involving Roomster, the online house-sharing platform, has come to light, potentially compromising the personal information of millions of users. The breach, first uncovered by security researcher @JayeLTee in November 2024, was linked to a misconfigured server that exposed sensitive data for over two years. Among the 44 million files potentially affected were important documents such as driver’s licenses, passports, state ID cards, and work permits. This exposure could have significant privacy implications for those whose personal data was stored in the files.
Upon discovering the breach, @JayeLTee took immediate action by notifying Roomster through their privacy email address. Unfortunately, the company did not respond to the responsible disclosure. As a result, the researcher escalated the issue by reaching out to the New York State Attorney General’s Office. His efforts eventually led to the locking down of the exposed data by December 2024, though Roomster failed to acknowledge the researcher’s notification or offer an explanation regarding the breach. It remains unclear whether the intervention of the state played a role in the resolution.
Roomster, which in 2023 settled charges brought by the Federal Trade Commission and six states over misleading practices involving fake reviews and unverified listings, now faces new scrutiny. The absence of a direct response, and of any security contact information on the website, raises further concerns about the company’s commitment to data security. Roomster’s privacy policy states that it implements “reasonable security measures,” but that language is hard to square with a multi-year exposure of highly sensitive identity documents stored without encryption.
This breach raises important questions about data protection practices and the accountability of companies that handle sensitive user information. Given that the lapse went unaddressed for over two years, regulators such as the FTC and New York State may take further action, and the resulting pressure could prompt a closer look at whether the company can be trusted to safeguard its users’ personal information. As of now, it remains to be seen what consequences, if any, Roomster will face in response to the incident.