Share a house and maybe your ID as well
Roomster.com was exposing over 320,000 identification-related files, mainly from US citizens.
Who is Roomster?
“Roomster is the largest shared housing multi platform company in the world. We take pride in knowing that we are one of the pioneers of the share economy.” according to their website.
Finding the exposed data
Around mid-November 2024, while I was going through some exposed servers and looking at random images, I noticed a server exposing some US driver's licences. I wasn't sure whether this was just test data or not, so I listed the whole file tree to see exactly what was publicly exposed on the server and found that it contained over 44.5 million files that allowed public listing and download. Most of the files were the public pictures from the listings on the Roomster website. There were also over 1 million attachments, which mainly contained pictures of the inside and outside of houses.
The server also contained a folder called images where the PII was exposed, with over 320,000 files inside, all of them related to identification documents such as driver's licences, passports, state ID cards, work permits, etc.
The majority of these files were documents from the United States, but I also saw a small number of files from other countries.
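The kind of triage described above, listing a publicly readable file tree and working out which folders hold what, as an added example that is not the author's code or anything from Roomster. The post does not say what software served the listing, so this assumes an S3-style ListBucketResult XML page (an assumption); the sample listing, the folder names in it and the ID-document filename patterns are constructed for illustration only.

```python
"""Summarize a public object-store listing by top-level folder and flag keys
that look like identity documents.

Added example, not from the original post. Assumes the exposed server returned
S3-style ListBucketResult XML (assumption: the post does not name the backend).
"""
import re
import xml.etree.ElementTree as ET
from collections import Counter

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"

# Constructed sample listing: a handful of keys standing in for the real ones.
SAMPLE_LISTING = """<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>example-bucket</Name>
  <IsTruncated>false</IsTruncated>
  <Contents><Key>listings/1001/photo1.jpg</Key><Size>204800</Size></Contents>
  <Contents><Key>listings/1001/photo2.jpg</Key><Size>198000</Size></Contents>
  <Contents><Key>attachments/7/kitchen.jpg</Key><Size>512000</Size></Contents>
  <Contents><Key>images/55/passport_front.jpg</Key><Size>301000</Size></Contents>
  <Contents><Key>images/56/drivers_license_back.png</Key><Size>288000</Size></Contents>
  <Contents><Key>images/57/state_id.jpg</Key><Size>250000</Size></Contents>
  <Contents><Key>images/58/work_permit.pdf</Key><Size>410000</Size></Contents>
</ListBucketResult>
"""

# Filename fragments that commonly mark identity documents (hypothetical list
# for the demo; real data needs tuning and manual confirmation).
ID_DOC_PATTERN = re.compile(
    r"(passport|driver.?s?_?licen[cs]e|state_?id|work_?permit|visa|ssn)", re.IGNORECASE
)


def parse_listing(xml_text):
    """Return (key, size) pairs from one ListBucketResult page."""
    root = ET.fromstring(xml_text)
    out = []
    for contents in root.iter(f"{S3_NS}Contents"):
        key = contents.findtext(f"{S3_NS}Key")
        size = int(contents.findtext(f"{S3_NS}Size") or 0)
        if key:
            out.append((key, size))
    return out


def is_truncated(xml_text):
    """True when the server has more pages; a full enumeration loops on
    NextMarker/ContinuationToken until this is false."""
    root = ET.fromstring(xml_text)
    return (root.findtext(f"{S3_NS}IsTruncated") or "").lower() == "true"


def count_by_top_folder(keys):
    """Count objects per top-level folder, so a PII folder stands out among
    millions of listing photos."""
    counts = Counter()
    for key, _ in keys:
        top = key.split("/", 1)[0] if "/" in key else "(root)"
        counts[top] += 1
    return counts


def flag_id_documents(keys):
    """Keys whose filename matches an ID-document pattern."""
    return [key for key, _ in keys if ID_DOC_PATTERN.search(key.rsplit("/", 1)[-1])]


if __name__ == "__main__":
    objects = parse_listing(SAMPLE_LISTING)
    print(f"{len(objects)} objects, truncated={is_truncated(SAMPLE_LISTING)}")
    for folder, n in count_by_top_folder(objects).most_common():
        print(f"  {folder:<12} {n}")
    print("possible ID documents:")
    for key in flag_id_documents(objects):
        print(f"  {key}")
```

On a real listing the loop over pages matters more than the regex: a bucket this size returns at most a thousand keys per page, so the folder counts are only meaningful once every page has been fetched. Flagged keys are leads for confirmation, not proof; the filenames alone say nothing about whose documents they are.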
Notifying the company
On November 16th, after searching the Roomster website for any contact emails, I only found privacy@roomster.com, so I sent them an email with the information I had.
I did not receive a reply to this email, and on November 25th, after checking that the files were still exposed, I filed a complaint with the Office of the New York State Attorney General, as the company listed an office in NY.
I've been busy, so I didn't monitor this server very often, but around December 21st I noticed the PII was no longer exposed and I couldn't view the files anymore.
On December 31st I got a reply from the Office of the NYSAG thanking me for the alert, which was a nice surprise, as it's not often I get replies when I'm trying to contact government agencies in the US.
Final notes
I checked my logs to try to figure out how long this had been exposed, and I can verify that the folder with the exposed PII was present in a file listing from mid-2022, so it was exposed for over two years, maybe more, but I can't confirm exactly how long.
I can't verify whether the exposed documents belong to their affiliates or to actual clients who used their services, nor can I verify the total number of people whose information was exposed on the server, as some of the documents had a front and back image and some didn't; only Roomster would be able to give more accurate information on this.
I'm not sure what ended up getting this closed, as I have not received any reply from Roomster, and it's possible that only after my complaint, and someone from the NYSAG reaching out to the company, did someone take action.
If contacting companies leads nowhere, I often file complaints with the relevant authorities. Even if these complaints are read, it's not often I actually get a reply acknowledging that they were checked, so I'd like to thank the team at the Office of the NYSAG for not leaving me on read and wondering whether it's even worth filing a report.