Zameen.com Hacked Inside Out, Entire Database Gets Leaked Online

Zameen.com, Pakistan’s leading real estate portal, was hacked moments ago; we have checked the Zone-h mirrors.

According to our early investigations, the entire website, source code and users’ records of Zameen.com were dumped and leaked online.

Leaked data include user names, MD5-hashed passwords (one of the weakest schemes of its kind), email addresses, phone numbers and other related details.

We are still in the process of determining the total number of unique users that were registered with Zameen.com and the number of user records that were leaked online.

Reportedly, a hacker named “Tiger Mate” is behind the incident. He had no motive behind the attack, but said that he hacked the website because he can, and also because “they (Zameen.com) don’t take their security seriously”.

Leaked data include user names, passwords, email, phone and other details of Zameen users

In an electronic communication with ProPakistani, “Tiger Mate” said that Zameen.com was warned about the security vulnerability by a fellow hacker a few days ago, but Zameen didn’t take the warnings seriously and instead abused the vulnerability reporter.

“Tiger Mate” said that it’s about time that companies like Zameen.com start taking their security seriously.

Zameen.com has been restored as of now, but the hacker claims to still have access to the website.

Zameen.com, in response to a ProPakistani query, confirmed the attack and termed it a very obvious but futile effort to sully the brand perception among Pakistanis.

Zameen.com said that the FIA and NR3C are already on board regarding the incident. The company said that communication is already underway with Amazon AWS and Twitter, who are auditing their logs and are expected to report back very soon. (Amazon AWS is the host, while the hacker had announced the defacement on Twitter.)

Not to mention, Zameen.com is one of the most celebrated startups in Pakistan. They secured multiple rounds of investment and are currently planning to expand into the Iranian market.

Update

“Tiger Mate” has said that he is taking the leaked data offline, as he has made his point, and hopes that Zameen.com will be more vigilant about its security from now on.

Not to mention, it is feared that the data has been downloaded by enough individuals already.

Tech reporter with over 10 years of experience, founder of ProPakistani.PK


  • I have also reported the vulnerability to the CEO and the development team at zameen.com and they didn’t take it seriously, and I am sure that the same vulnerability was used in this attack too.

  • If this was an internal act of sabotage, I hope the person(s) rots in Jail for 14 years.

    • People don’t take cybersecurity seriously. Time has gone; professionals who rely heavily on computers can’t afford to be cyber-fools anymore.

    • That’s a very precise sentence term Mr. President. But seriously, pen-testing isn’t something many take seriously enough. Zameen better suit up and get their sh*t together, irrespective of where the hacker came from.

  • To make a point about the security of a website, this A-hole compromised the privacy of all the users of the website? What did the users do?

  • Ok, this, is seriously irresponsible of the people at zameen.com.
    They’re literally no.1 in their category yet show such child-like stubbornness for something that was BAD for them.
    This hack was inevitable, it was just a matter of time.

  • ho hum, another php site. you pay for the cheap developers, you get the low end security

      • No programming language is cheap or insecure, it’s the developer who leaves the vulnerabilities unattended or skips the pentesting part.

        Usually companies don’t pay attention to the penetration testing part, and hope nobody would ever cash the benefit of their stupidity; you can see the example right in this article.

    • How do you get their user email address + password that way?

      Because that is what the dump allegedly contains.

      Which is more important for criminals, scraped data or user personal info?

  • A question just popped in mind,
    What could the people who have downloaded this data do?? Except get access to some property listings…

    • If they can crack the MD5 encryption, they’ll have access to emails + passwords. A lot of people use the same email/ password combination for multiple websites….

      • So they’ll be able to access your facebook account :3
        Who gives a **** about that random guy’s facebook id whose password you know?

        • I thought, boy are you dumb or what. And then I clicked on your disqus profile and found out you are still in school.

          So you are not dumb, just inexperienced. So let me walk you through a few practical examples of how you can destroy someone’s life with just their gmail or hotmail password or facebook.

          #1 way in Pakistan: post blasphemy using their account. They are now dead or in jail.
          #2 post threats against important people and get NR3C involved. Even if NR3C clears them, they will suffer for months on end and their name will be on intelligence agencies lists FOR LIFE.
          #3 do nothing. just check in periodically, read their Facebook Messenger chat messages, see their private pictures, videos. Until the user changes their password, you will have access to their account for months or even years and the user will never suspect anything. How much information can you snag this way? (And for the record, someone did this to my wife’s account last year, so it is not a hypothetical attack. It was one of her classmates so it was just for fun, not to destroy anything.)

          The other irony of what you just posted is that it is exactly why zameen didn’t do anything about their security. They probably thought, who’s going to bother to hack us? We’re just a property site, there are more valuable sites to attack, why should we bother auditing every line of our code?

          • First of all, thanks for not mindlessly bashing me. :D
            2nd of all,
            So, unless ;
            a) you’re an idiot who likes to stick his nose in other people’s matters and likes to cause misery to random people
            b) you strike gold and find some guy who has used the same password for his paypal account etc. (Seriously you’re either lucky or you are a maniac who really has nothing better to do so you go through so many records)
            c) You find someone who is in need of a large amount of stolen details (boy! You’re going to make goood money)
            This data is basically useless to you.

            • All your reply shows is your lack of imagination. Learn to think like a criminal. If you can’t do that, then you don’t know the worth of security systems.

              • Agreed … These IDs are also a target for email marketing lists, and people die for such real customers…

                • Isn’t there any law so that users can file a lawsuit against such irresponsible website owners for letting their secret identities be so easily compromised?

  • I also talked to the CEO. He is such a sh*t person that he didn’t listen to my opinion. I guess that’s a good step by the hacker. Such people with so much attitude are stupid and dumb, and this is a live example of this.

