Security experts are warning real estate professionals to take steps to beef up their security after a number of accounts at some of the nation’s largest multiple listing service platforms were accessed and used to send phishing emails.
The compromised access hit multiple listing service software providers FlexMLS and Matrix, the latter of which is created and managed by Cotality, the company formerly known as CoreLogic.
Cotality’s Matrix markets itself as the largest MLS platform in North America, with an estimated one million end users and agreements with over 110 local MLSs.
“Although the issue involved only a small fraction of the more than 110 MLS organizations we serve, out of an abundance of caution, we have required all Matrix clients to initiate immediate, mandatory password resets for all of their users,” Cotality said in a statement. “We continue to follow up with them to ensure their compliance with this important safety measure.”
Matrix required all of its users to reset their passwords this week. Multiple listing services using Matrix include CRMLS — the nation’s largest — along with other major players like Stellar, Bright MLS and FMLS.
Steve Mapes, chief revenue officer for First Multiple Listing Service (FMLS), told Inman all 57,000 members of FMLS were notified on Monday night that they’d have to reset their passwords by midnight the next day.
In a statement, a representative from Cotality said the company continued to investigate the matter, though it said the bad actors gained access using information obtained outside of Cotality.
“So far there is no evidence of any data from the Matrix application or any other Cotality system being compromised. The majority of the malicious emails also appear to have been sent to email addresses outside the U.S. with no connection to Cotality, our MLS clients, or their individual member agents,” the company said. “We look forward to sharing appropriate learnings with our customers as our investigation unfolds and the steps we are taking to prevent any similar incidents in the future.”
FlexMLS, which boasts 334,000 members, alerted MLSs of compromised access of its platform on July 17, according to an email reviewed by Inman.
“The attackers appear to be using credentials that are valid — meaning the username and password combinations are correct, and in some cases clearly old. Based on our analysis, these credentials were likely obtained outside of our systems, such as through data breaches unrelated to our platform or through phishing campaigns.”
FlexMLS told customers the attack was “coordinated in nature and not random,” and emphasized that the login credentials were obtained outside of the FlexMLS platform.
“Our internal systems have not been breached — we have found no evidence of unauthorized access to our databases or infrastructure,” FlexMLS told members.
Other MLS platforms like Paragon didn’t respond to a request for comment about whether they were impacted by similar events.
Experts urge caution
The latest security issues were more minor than one that took out nearly two dozen MLSs in August 2023, after a cyberattack targeted the MLS platform provider Rapattoni.
That outage crippled the day-to-day operations of thousands of real estate agents across the country for nearly two weeks before functions were fully restored.
Still, security experts in real estate said the latest security issue was yet another reminder that agents should take precautions to protect themselves and their clients.
“It’s not this giant number of 10,000 accounts that got leaked or hacked into. It’s a much much lower number,” said Eric Stegemann, CEO of Solid Earth, an MLS identity management and security platform. “In terms of the distribution, it’s not very big. But in terms of the impact, it’s very, very big.”
“MLS emails are vital to agent communication day to day by MLS users. Agents send out real-time saved search alerts to clients,” Stegemann said. “If I was an MLS platform, I’d be very worried about the impact on the validity of these communications, too.”
Keith Jones, head of MLS for the San Antonio Board of Realtors, said the issues appeared to be related to a cyberattack on Microsoft earlier this month.
He said his organization had already taken steps to beef up security through measures like passkey authentication for members to log in.
“We have to put these measures in place because you don’t ever want to get caught like people are getting caught,” Jones said. “It’s unfortunate, but it happens.”
All of BeachesMLS’s 41,000 members were also required to reset their passwords as a result of the Matrix event, according to Dionna Hall, CEO of Florida’s Broward, Palm Beaches and St. Lucie Realtors and BeachesMLS.
Hall said Cotality was scheduled to host a webinar with members on Thursday with updates on the situation.
In the meantime, Stegemann urged agents to take steps to protect themselves.
“This is a great opportunity to … turn on passkeys or other two-factor authentication to make sure their clients’ information stays safe and that something like this doesn’t happen to them in the future,” he said.
Editor’s note: Citing statements provided by a Cotality representative, Inman initially described this event as a “data breach.” However, the companies involved and independent experts later clarified that a more accurate term would be “compromised access” to a limited number of accounts.