Zameen.com Hacked Inside Out, Entire Database Gets Leaked Online

Zameen.com — Pakistan’s leading real estate portal — was hacked moments ago, we have checked the Zone-h mirrors.

According to our early investigation, the entire website, its source code and the user records of Zameen.com were dumped and leaked online.

The leaked data include user names, MD5-hashed passwords (one of the weakest password-storage schemes of its kind), email addresses, phone numbers and other related details.
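The reason an MD5 password column is so damaging in a dump like this is that unsalted MD5 is fast and deterministic: two users with the same password get the same 32-character hash, and a precomputed table recovers all of them at once. The following is an added example (not code from the article or from Zameen.com) showing how a defender can spot that property in a legacy table and replace it with a per-user salt plus a deliberately slow key derivation, migrating each account the first time its owner logs in. The sample accounts and passwords are constructed; the stored-record format, the helper names and the 600,000-iteration setting are this example's own assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample: three accounts, two sharing a password, stored the
# legacy way (unsalted MD5). All names and passwords are made up.
LEGACY_USERS = {
    "alice": hashlib.md5(b"lahore123").hexdigest(),
    "bob":   hashlib.md5(b"lahore123").hexdigest(),
    "carol": hashlib.md5(b"Gulberg!2014").hexdigest(),
}

# Assumption for this example: PBKDF2-HMAC-SHA256 with 600k iterations and a
# 16-byte random salt. Tune the iteration count to your own hardware budget.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def legacy_md5_is_unsalted(records):
    """Return {digest: [users]} for every hash shared by more than one user.

    With unsalted MD5, identical passwords give identical hashes, so one
    recovered password unlocks every account that shares it. A non-empty
    result is the tell-tale sign of an unsalted scheme."""
    seen = {}
    for user, digest in records.items():
        seen.setdefault(digest, []).append(user)
    return {d: users for d, users in seen.items() if len(users) > 1}


def hash_password(password, salt=None):
    """Hash with a random per-user salt and a slow KDF.

    Stored format (this example's own convention):
    pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>"""
    salt = salt or os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(stored, password):
    """Recompute the derived key from the stored salt/iterations and compare
    in constant time, so a wrong guess leaks nothing through timing."""
    try:
        scheme, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def login_and_migrate(users, username, password):
    """Authenticate and, on a successful legacy login, rewrite the record as
    PBKDF2. Login is the only moment the plaintext is available, so it is
    the only moment a legacy hash can be upgraded without a password reset."""
    stored = users.get(username)
    if stored is None:
        return False
    if stored.startswith("pbkdf2_sha256$"):
        return verify_password(stored, password)
    # Legacy path: the stored value is 32 hex chars of unsalted MD5.
    candidate = hashlib.md5(password.encode()).hexdigest()
    if not hmac.compare_digest(candidate, stored):
        return False
    users[username] = hash_password(password)   # upgrade in place
    return True


if __name__ == "__main__":
    users = dict(LEGACY_USERS)
    print("shared MD5 hashes before migration:", legacy_md5_is_unsalted(users))
    print("alice logs in:", login_and_migrate(users, "alice", "lahore123"))
    print("alice's record now:", users["alice"][:40], "...")
    print("shared hashes after migration:", legacy_md5_is_unsalted(users))
```

Running it shows alice and bob sharing one MD5 digest before migration and, after alice logs in, her record turning into a salted PBKDF2 string that no longer matches bob's, even though their passwords are identical. Accounts whose owners never log in again cannot be upgraded this way and should be forced through a password reset, which is the usual practice after a breach of this kind.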

We are still in the process of determining the total number of unique users registered with Zameen.com and the number of user records that were leaked online.

Reportedly a hacker named “Tiger Mate” is behind the incident. He claims no particular motive, saying that he hacked the website because he could, and also because “they (Zameen.com) don’t take their security seriously”.

Leaked data include user names, passwords, email, phone and other details of Zameen users

In an electronic communication with ProPakistani, “Tiger Mate” said that Zameen.com had been warned about the security vulnerability by a fellow hacker a few days earlier, but Zameen didn’t take the warning seriously and instead abused the person who reported it.

“Tiger Mate” said that it’s about time companies like Zameen.com started taking their security seriously.

Zameen.com has been restored as of now, but the hacker claims to still have access to the website.

Zameen.com, in response to a ProPakistani query, confirmed the attack and termed it a very obvious but futile effort to sully the brand’s perception among Pakistanis.

Zameen.com said that the FIA and NR3C are already on board regarding the incident. The company said that it is already in communication with Amazon AWS and Twitter, who are auditing their logs now and are expected to report back very soon. (Amazon AWS hosts the site, while the hacker announced the defacement on Twitter.)

Not to mention, Zameen.com is one of the most celebrated startups in Pakistan. It has secured multiple rounds of investment and is currently planning to expand into the Iranian market.

Update

“Tiger Mate” has said that he is taking the leaked data offline, as he has made his point, and hopes that Zameen.com will be more vigilant about its security from now on.

Not to mention, it is feared that the data has already been downloaded by a significant number of individuals.

Tech reporter with over 10 years of experience, founder of ProPakistani.PK
  • Osama Mahmood

    I have also reported the vulnerability to the CEO and the development team at zameen.com and they didn’t take it seriously, and I am sure that the same vulnerability was used in this attack too.

    • Abraham Boris

      I reported too, they all are n00bs

      • Netherdrake

        “Noob” xD

  • ripesol

    oyeee shawa shayyy…

  • Farzal Ali Dojki

    If this was an internal act of sabotage, I hope the person(s) rots in Jail for 14 years.

    • Engr Atif

      Internal employees also do such acts? It is common trend?

    • Azam Mughal

      People don’t take cybersecurity seriously. Time has gone; professionals who heavily rely on computers can’t afford to be cyber-fools anymore.

    • Haider

      That’s a very precise sentence term Mr. President. But seriously, pen-testing isn’t something many take seriously enough. Zameen better suit up and get their sh*t together, irrespective of where the hacker came from.

  • ScarletCrimson

    To make a point about the security of a website, this A-hole compromised the privacy of all the users of the website? What did the users do?

  • hello

    where to get the database?

  • Tiger Mate
    • Muhammad Saad Khan

      You naughty boy!

    • ZeeshanShahid

      Hacking them to make them pay for a vulnerability left unaddressed although they were informed is one thing. Releasing the identity of their users publicly online is quite another.

      • Tiger Mate

        Duly noted. I think I’ve made my point. I am taking down the source code + database.

        • aamir7

          That’s a reasonable and good decision.

        • Zawyar Ur Rehman

          You’re awesome man!

        • Ali Raza

          Good to know that this 4-year-old thing is still working.

    • Zawyar Ur Rehman

      Ah! The irony of this!

    • Damn I need that data! I can pay for that! Send me a copy of that!

      • Zawyar Ur Rehman

        What are you going to do with just some emails and passwords and some code???

        • I know what I can do with that! Just need email addresses of the users.

    • Salman Qamar

      Sir but there is just one .txt file.

  • Zawyar Ur Rehman

    Ok, this is seriously irresponsible of the people at zameen.com.
    They’re literally no. 1 in their category yet show such child-like stubbornness about something that was BAD for them.
    This hack was inevitable; it was just a matter of time.

  • ZeeshanShahid
  • Aamir Ijaz

    I think this one just took his name.

  • Shahid Saleem

    Ho hum, another PHP site. You pay for the cheap developers, you get the low-end security.

    • johny

      PHP is insecure and cheap??? You must be insane or similar to an MS fan :p

      • He didn’t say PHP is insecure or cheap. “cheap developers – low security – bad code” !!

      • No programming language is cheap or insecure, it’s the developer who leaves the vulnerabilities unattended or skips the pentesting part.

        Usually companies don’t pay attention to the penetration testing part, and hope nobody will ever cash in on their stupidity; you can see the example right in this article.

  • Dawood

    DB is useless when you can scrape their data easily just over a night ;)

    • Shahid Saleem

      How do you get their user email address + password that way?

      Because that is what the dump allegedly contains.

      Which is more important for criminals, scraped data or user personal info?

  • johny

    Great tool for advertising yourself…

  • Zawyar Ur Rehman

    A question just popped into mind:
    What could the people who have downloaded this data do?? Except get access to some property listings…

    • Mainichi

      If they can crack the MD5 encryption, they’ll have access to emails + passwords. A lot of people use the same email/ password combination for multiple websites….

      • Zawyar Ur Rehman

        So they’ll be able to access your facebook account :3
        Who gives a **** about that random guy’s facebook id who’s password you know?

        • Shahid Saleem

          I thought, boy, are you dumb or what? And then I clicked on your Disqus profile and found out you are still in school.

          So you are not dumb, just inexperienced. So let me walk you through a few practical examples of how you can destroy someone’s life with just their gmail or hotmail password or facebook.

          #1 way in Pakistan: post blasphemy using their account. They are now dead or in jail.
          #2 post threats against important people and get NR3C involved. Even if NR3C clears them, they will suffer for months on end and their name will be on intelligence agencies lists FOR LIFE.
          #3 do nothing. just check in periodically, read their Facebook Messenger chat messages, see their private pictures, videos. Until the user changes their password, you will have access to their account for months or even years and the user will never suspect anything. How much information can you snag this way? (And for the record, someone did this to my wife’s account last year, so it is not a hypothetical attack. It was one of her classmates so it was just for fun, not to destroy anything.)

          The other irony of what you just posted is that it is exactly why zameen didn’t do anything about their security. They probably thought, who’s going to bother to hack us? We’re just a property site, there are more valuable sites to attack, why should we bother auditing every line of our code?

          • Zawyar Ur Rehman

            First of all, thanks for not mindlessly bashing me. :D
            2nd of all,
            So, unless:
            a) you’re an idiot who likes to stick his nose in other people’s matters and likes to cause misery to random people
            b) you strike gold and find some guy who has used the same password for his PayPal account etc. (Seriously, you’re either lucky or you are a maniac who really has nothing better to do, so you go through so many records)
            c) you find someone who is in need of a large amount of stolen details (boy! You’re going to make goood money)
            this data is basically useless to you.

            • Shahid Saleem

              All your reply shows is your lack of imagination. Learn to think like a criminal. If you can’t do that, then you don’t know the worth of security systems.

              • Bilal Iqbal

                Agreed … These IDs are also a target for email marketing lists, and people die for such real customers…

                • ImranG

                  Isn’t there any law so that users can file a lawsuit against such irresponsible website owners who let their users’ identities be compromised so easily?

              • Zawyar Ur Rehman

                Aren’t criminals also maniacs?? ;)

          • Waqar Ahmed

            Your risk analysis approach is admirable.

        • Mainichi

          Facebook/ email/ maybe even bank accounts.

  • Rizwan

    I also talked to the CEO. He is such a sh*t person that he didn’t listen to my opinion. I guess that’s a good step by the hacker. Such people with so much attitude are stupid and dumb, and this is a live example of this.

  • Umair_CL

    And the idiots send the new password in plaintext. Which idiots are running this setup?

  • farhan

    Anyone who has the db dump and wants to share? #justcurious :)

  • kory

    kindly share the db link ;-)