Hundreds of millions of US homes are listed on the website of Zillow. And it’s not just the ones that are for sale.
You can look up just about any house, and you’ll be served up a plethora of information regarding when it was built, its square footage, how many bedrooms and bathrooms it has, what the parking is like, and so forth… You’ll even be shown a streetside picture of the property (courtesy of Google Maps) and details of how much it last sold for.
And you’ll also be given an estimate (called a “zestimate” in Zillow-speak) of what the property is currently worth.
Zillow includes a disclaimer on its site that “zestimates” are not professional appraisals. They don’t walk around your house – it’s just a computer algorithm based upon recent sales prices for similar properties in the area.
Zillow doesn’t know that you installed a new kitchen, have a fibreglass shark poking out of your roof, or ripped up the stinky carpet in the downstairs loo and replaced it with some tiles, unless *you* claim ownership of your Zillow entry and add that information.
Zillow, meanwhile, will determine what it believes is a reasonable “zestimate” of your house’s property through an algorithm which looks at how much other similar houses sold for in your area, and other factors.
The danger of course is that many buyers will give “zestimates” as much weight as a professional valuation and use them for leverage to knock down the purchase price on the properties. In short, purchasers love Zillow and sellers aren’t so keen.
Amongst those sellers who aren’t so keen are the owners of this hill-top mansion overlooking the Pacific Ocean.
The property, in Bel Air, California, has 12 bedrooms, 21 bathrooms, 38,000 square feet of interior space, three kitchens, five bars, a fitness bar, a four lane bowling alley, a basketball court, a tennis court, wine cellars, an 85-foot infinity pool, and was that a helipad I saw? All this could be yours for a measly $150 million.
However, last month, a hacker managed to gain access to the property’s Zillow listing page, and updated its information.
Using a fake mobile phone number and a Chinese IP address they were able to waltz past Zillow’s security questions – successfully convincing the site that they were the genuine owner. And what did they do with all that power? They posted a history of recent (bogus) sales for the property for up to $60 million *less* than the genuine owner is asking.
The hacker even announced on the listing that there would be an open house on Feb 8th if any oiks wanted to have a look around.
Quite why anyone would want to hijack the listing is anybody’s guest, but it certainly got the attention of the property’s true owners who instructed their lawyers to get Zillow to pull down the bogus information, but over a week later had still done nothing.
Zillow defended itself saying that it went to “great lengths” to ensure that only public and accurate information was posted on its website, but clearly their owner verification system simply isn’t up to scratch.
And now the owners of the Bel Air property have reportedly launched a $60 million lawsuit.
You can hear more discussion on the ins-and-outs of this case on the latest “Smashing Security” podcast.
Smashing Security #119: 'Hijacked homes, porn passports, and ransomware regret'
Listen on Apple Podcasts | Google Podcasts | Pocket Casts | Spotify | Other... | RSS
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.
One comment on “Zillow sued for $60 million after mansion listing hijacked”
15 bedrooms, 21 bathrooms, 5 bars? And nothing there about electrified fences, security gates, watchtowers, armed guards, compounds for the attack dogs, bodyguard accommodation? Must have been a disgruntled buyer then, obviously factoring in the cost of providing all those necessities.