Cyber Incident Victim: Zillow Group

On or around February 8, 2019, an unidentified hacker compromised the Zillow listing for a luxury Bel Air, California mansion valued at $150 million. The property, featuring extensive amenities including 12 bedrooms, 21 bathrooms, and recreational facilities like a bowling alley and infinity pool, had its listing details altered through unauthorized access. The attacker used a falsified mobile phone number and a Chinese IP address to bypass Zillow’s ownership verification protocols, falsely claiming legitimate ownership of the property. Once access was obtained, the hacker manipulated the listing’s sales history to display fabricated prior sale prices reduced by up to $60 million compared to the genuine asking price. Additionally, the attacker scheduled a fraudulent open house event for February 8th on the compromised listing, further misleading potential buyers.

The property owners discovered the unauthorized changes and promptly demanded Zillow remove the falsified information. Despite these requests, Zillow failed to rectify the listing for over a week, leaving the inaccurate data publicly visible. This delay prompted the owners to file a $60 million lawsuit against Zillow, alleging damages from the platform’s inadequate security measures and delayed response. Zillow publicly defended its practices, asserting it employed “great lengths” to ensure listing accuracy but acknowledged shortcomings in its ownership verification system. The incident highlighted operational vulnerabilities in Zillow’s user authentication processes and raised concerns about the potential misuse of its platform to manipulate high-value real estate transactions. The lawsuit underscored the financial and reputational risks associated with the incident for both the property owners and Zillow.