Cybersecurity researcher Jeremiah Fowler discovered a non-password-protected database containing over 170,000 sensitive records linked to a real estate investment and management company.
The exposed database reportedly belongs to Income Property Investments Inc., a California-based company managing a diverse portfolio of hotels, apartments, and commercial properties across the U.S.
The database included spreadsheets listing employees’ personally identifiable information (PII) such as names, Social Security numbers, dates of birth, and addresses. Additionally, it contained police reports, eviction notices, employee termination letters, COVID-19 medical records, and even surveillance images documenting on-premises incidents.
Jeremiah Fowler noted this as one of the more unique discoveries in years due to the breadth of exposed documents, which included motel guest records, internal communications, and visual evidence of injuries or criminal incidents. Notably, the storage system seemed to serve as an upload hub for hotel staff and property managers to communicate with senior management.
The records were publicly accessible without a password until Fowler responsibly disclosed the issue. The database was secured the same day.
However, it remains unknown how long the data was exposed or whether malicious actors accessed it before it was taken offline.
