There are leaks and then there are leaks. Hundreds of thousands of people who shared houses via Roomster might want to say a mental “Thank you” to the researcher known as @JayeLTee, who discovered a long-standing data leak and took steps to get it secured.
As JayeLTee relates, he first spotted the misconfigured server in November. One of the folders contained more than 320,000 image files with personally identifiable information such as driver’s licenses, passports, state ID cards, work permits, etc. From what he could determine, more than 44 million files had been exposed since mid-2022, and possibly earlier.
Because there was almost no contact information on Roomster’s site, JayeLTee consulted their privacy policy page and sent an email to their privacy@ email address to inform them of the leak. He received no reply.
Seeing that the data were still exposed nine days later, he emailed the New York State Attorney General’s Office to alert them to the leak and Roomster’s failure to respond to his responsible disclosure alert.
Something did the trick — whether it was his email to Roomster or intervention by the state is unknown to JayeLTee at this point, but by December 21, the data were locked down.
Roomster never acknowledged JayeLTee’s alert, but NYS thanked him for contacting them. From their thank-you email, which JayeLTee cites in his write-up of the incident, it is not clear whether the state had contacted Roomster or not. Nor does he know whether the state will be taking any further actions with respect to Roomster.
Like JayeLTee, DataBreaches was unable to find any contact information on Roomster’s site. They apparently have a Press page, but no press contact information on it. And there is no phone number to use to report a security vulnerability or breach.
While JayeLTee contacts the state again to inquire whether they will be taking further action, DataBreaches has reached out via LinkedIn to John Shriber, founder and CEO of Roomster, to ask him two questions:
(1) Whether Roomster has logs going back to mid-2022 or earlier so they can determine how many unauthorized IP addresses or individuals may have accessed the files, and
(2) Whether they will be sending notification letters to individuals whose data was accessed without authorization (if logs demonstrate that it was, or in the event that there are no logs at all).
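The first question above is the one an incident responder answers from access logs: which clients successfully fetched anything under the exposed folder, how many distinct IPs that is, and over what window. The following is an added example, not code from the DataBreaches post, JayeLTee's write-up or Roomster; it assumes the folder was served by an ordinary web server writing Apache/nginx "combined" access logs, and the log lines, IPs and paths in it are constructed for illustration.

```python
"""Scope unauthorized access to an exposed directory from access logs.

Added example, not code from the DataBreaches post, JayeLTee's write-up or
Roomster. It assumes the exposed folder was served by a web server that
writes Apache/nginx "combined" access logs; the log lines in SAMPLE_LOG
are constructed for illustration, as are the IPs and paths.
"""
import re
from collections import Counter
from datetime import datetime

# One "combined" log line: ip ident user [ts] "METHOD path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def scope_exposure(lines, exposed_prefix, allowed_ips=()):
    """Summarize successful requests under exposed_prefix from IPs outside allowed_ips.

    Only 200/206 responses count: a 403 or 404 means the client got nothing.
    allowed_ips is the operator's own hosts (backup jobs, the web app itself),
    which must be separated out before the remainder is called "unauthorized".
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; a real job would count these separately
        if not rec["path"].startswith(exposed_prefix):
            continue
        if rec["status"] not in (200, 206):
            continue
        if rec["ip"] in allowed_ips:
            continue
        hits.append(rec)

    summary = {
        "requests": len(hits),
        "distinct_ips": 0,
        "listing_requests": 0,  # GETs of the directory itself: directory listing was on
        "first": None,
        "last": None,
        "files": {},
        "top_ips": [],
    }
    if not hits:
        return summary
    by_ip = Counter(r["ip"] for r in hits)
    by_file = Counter(r["path"] for r in hits)
    summary.update(
        distinct_ips=len(by_ip),
        listing_requests=sum(1 for r in hits if r["path"].rstrip("/") == exposed_prefix.rstrip("/")),
        first=min(r["ts"] for r in hits),
        last=max(r["ts"] for r in hits),
        files=dict(by_file),
        top_ips=by_ip.most_common(5),
    )
    return summary


# Constructed sample: two outside clients fetch files before lockdown, an
# internal backup host reads one, and a request after lockdown gets a 403.
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Aug/2022:14:02:11 +0000] "GET /uploads/ids/ HTTP/1.1" 200 48213 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [03/Aug/2022:14:02:15 +0000] "GET /uploads/ids/passport_0001.jpg HTTP/1.1" 200 183204 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [19/Nov/2024:03:06:40 +0000] "GET /uploads/ids/passport_0001.jpg HTTP/1.1" 200 183204 "-" "curl/8.4.0"',
    '198.51.100.23 - - [19/Nov/2024:03:06:41 +0000] "GET /uploads/ids/license_0002.jpg HTTP/1.1" 200 150100 "-" "curl/8.4.0"',
    '10.0.0.5 - - [19/Nov/2024:08:00:00 +0000] "GET /uploads/ids/license_0002.jpg HTTP/1.1" 200 150100 "-" "internal-backup/1.0"',
    '192.0.2.44 - - [21/Dec/2024:10:00:00 +0000] "GET /uploads/ids/license_0002.jpg HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [21/Dec/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    'not a log line',
]

if __name__ == "__main__":
    s = scope_exposure(SAMPLE_LOG, "/uploads/ids/", allowed_ips=("10.0.0.5",))
    print(f"{s['requests']} successful requests from {s['distinct_ips']} outside IPs")
    print(f"window: {s['first']} .. {s['last']}, directory listings: {s['listing_requests']}")
    for path, n in sorted(s["files"].items()):
        print(f"  {n:3d}  {path}")
```

Two caveats a responder would add. If retention does not reach back to when the folder first became reachable (mid-2022 or earlier, per JayeLTee's estimate), the gap cannot be filled afterwards, and the defensible assumption for the second question is that every file in the folder may have been accessed. And if the folder lived in object storage rather than behind a web server, the equivalent evidence is the bucket's access logging, which typically records nothing unless someone had turned it on beforehand.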
No reply was immediately received, but this post will be updated if he responds.
Past Consumer Problems
In 2023, Roomster settled charges brought by the Federal Trade Commission and six states (including New York). Roomster was charged with passing off fake reviews as genuine and with misrepresenting that its listings were verified and available. The issues in that case are not the same as in the current situation, unless, perhaps, Roomster has deceived the public and engaged in unfair acts by misrepresenting its data security.
Roomster’s site does not provide much information about its data security. Its privacy policy has this:
Security. We implement reasonable security measures intended to protect against the loss, misuse and alteration of the information under our control. Please be aware that no data transmission over the Internet can be guaranteed to be 100% secure. As a result, Roomster cannot guarantee or warrant the security of any information you transmit on or through the Service and you do so at your own risk. If you wish to report a security vulnerability please send an email to [email protected].
Is it “reasonable” security to have data exposed for more than two years and not seem to notice? Is it “reasonable” to have personal information stored online without encryption? What might the FTC or the NYS Attorney General say about Roomster’s data security and incident response? Will Roomster find itself in more regulatory hot water?
Dear Dissent Doe,
I am General Counsel to Roomster Corp and joined the company in July 2023. For your information I have sent an almost identical email to Zach Whittaker at Techcrunch who has not responded to me.
By way of background, I have been an admitted attorney for 43 years and started my career as an Assistant District Attorney in the Bronx, New York, after which I spent many years in private practice. In total I have over 18 years’ experience in the criminal justice system. I tell you this not to impress you but rather to explain my sensitivity to the unfortunate scams, website ransoming, cyber hacking and extortion – to just name some of the issues that legitimate businesses face today. I have expressly advised clients, and in particular Roomster, to be very sensitive to random emails from sources who do not clearly identify themselves with a true name and contact information. I have also learned in my career that “chronology of events” is extremely important in responding to claims that are made.
On November 16 at 3:06 AM an email was sent by JayeLtee to [email protected] – an email address that receives hundreds of emails a day, a lot of which are junk mail. @JayeLtee is not an individual known to us – no full name, no phone number, address or usual contact information. Clearly you may know who JayeLtee is, but we do not and had every reason to believe that this was just a random contact or maybe even an attempt at “extortion”. Clearly that was NOT his or her intent – but hindsight is “20-20” as the saying goes. Apparently and unbeknownst to us JayeLtee also contacted the NYS Attorney General.
On November 27th we received a letter from the NYS Attorney General merely inquiring if we were aware of the folder that has been the subject of these communications and if the folder was secure. The 27th was literally the day before the Thanksgiving holiday! This letter was immediately given to me and I took immediate action. Within an hour of receiving the letter I instructed our tech staff to identify the folder in question, and thereafter deleted all of the old data inside of it and locked it down. We have no reason to believe that anyone has hacked the folder or that anyone has accessed the data and used it in any nefarious way. If you are in possession of information to the contrary please reach out to me immediately.
Because of the Thanksgiving holiday, there was no way to respond to the Attorney General’s Office until the following Monday, December 2. I responded in full to the Asst AG by letter which was sent by email. We did not receive any further communication and assumed the matter closed. Subsequent to the letter we received a communication from @JayeLtee – again not knowing who this person was or is – but the issue had been resolved.
On January 3, 2025, we received a LinkedIn email from “Dissent Doe” on the same issue. We did not open it – again we have no way of knowing if this is an extortion attempt or a ransomware attempt or some other nefarious purpose. While it appears that “Dissent Doe” (you) and JayeLtee’s intentions were clearly honorable, we have NO WAY of knowing that and always proceed with caution in opening attachments and emails from what appears on their surface to be suspicious. This needs to be viewed in the light of us having immediately responded to the appropriate government officials and resolved any questions on the matter. Again, we have no reason to believe the folder was compromised but if you do please advise me forthwith with corresponding evidence.
Now that I know who you are and you appear to be legitimate, I am happy to engage with you on issues of concern. You are free to communicate with me at [email protected]; I have reviewed your website and the article you have published and have some additional comments.
In your article you referenced the FTC Matter. I don’t know what relevance that has to the issue at hand, but I will address it generally. This is an 8-year-old matter that dealt with the company hiring an outside firm who represented that they would be able to get legitimate reviews posted from Roomster customers. We had no knowledge at the time that they would post fake reviews. We were notified by the FTC and immediately ceased using this firm. Years later, after the pandemic lifted, the FTC commenced an action. Roomster has paid a heavy price for an event that occurred 7 and 8 years ago. Besides the compensation which has been paid in full, and the adverse publicity around it, the company was forced to pay exorbitant legal fees on a matter that frankly was mishandled by counsel. I joined the company in July of 2023 to make sure that all of the provisions of the Order with the FTC were followed to the letter and that the compensation was paid timely. Each and every provision of the Order has been followed in a timely manner and we have revised all of our procedures to ensure that we stay in compliance with federal and local rules and laws. At some point aren’t we allowed to move forward from a mistake that occurred 8 years ago? We made some mistakes, we paid the price, shouldn’t we be allowed to conduct business with the changes we have made and the monitoring that we do?
I noted on your website the following statement: “You can help yourself avoid a PR or regulatory nightmare by ensuring that you have clearly displayed ways for people to notify you of any data security concerns and by training your staff to escalate notifications. If they are concerned that the notifications are fake or a potential scam, they should not click on any links, but they should still get a supervisor involved or someone who can pursue the notice to determine if it’s real.” Your article was published January 2, 2025; we were emailed on LinkedIn by what looked suspicious on January 3. As I said in my opening paragraph, chronology is important in any case.
I also noted on your website that you offer data security consulting services. This is of interest to us based upon your statement that you have some expertise in the area. Let me know if you are willing to engage with me in such a discussion.
Respectfully,
Charles S Brofman Esq.
You should consider one of the following methods for people to contact you:
A special email address highlighted on your website where people can send you an email that would get elevated immediately.
Another good option would be for you to create a special web form, a very simple one, where anyone could report a leak or potential breach, or security issue directly via the form.
The form would have a way for someone to enter a web URL showing the location of the leak, if any existed. I would advise using a special subdomain, which you made sure was accessible via Tor. Adding a proper captcha to it would reduce the spam. So say something like ReportaLeak.roomster.com
That subdomain would only contain a simple web form, people could advise you directly if they found a security issue with your site, also allowing it to be done anonymously, etc.