Cyber Incident Victim: Roomsurf
Date:
Jan 2018
Location:
United States of America
Summary
A commercial service facilitating roommate matching for college students experienced a data breach involving unauthorized access to user information. The compromised data included names, email addresses, phone numbers, and other personal details submitted by individuals during profile creation. The incident exposed sensitive information that could potentially be exploited for malicious purposes, though specific details regarding the attack vector or responsible parties remained unclear. The breach impacted users who had shared their data with the platform to connect with potential roommates, raising concerns about the security of personal information entrusted to such services.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
The Roomsurf breach, first publicly disclosed in February 2018, involved unauthorized access to the platform's user data by malicious actors. Attackers compromised Roomsurf's systems around January 29, 2018, gaining access to sensitive personal information belonging to college students who used the service to find compatible roommates. Exposed data included names, email addresses, dates of birth, and other personally identifiable information stored within the platform's databases. The attackers subsequently attempted to extort the company by threatening to publicly release the stolen data unless Roomsurf paid a ransom demand. Evidence suggests the breach occurred through exploitation of security vulnerabilities in Roomsurf's infrastructure, though specific technical details about the intrusion vector weren't fully disclosed in public reports.
Roomsurf declined to meet the attackers' ransom demands, leading to the public release of stolen user data on online forums. Following the data leak, the company initiated an internal investigation to assess the breach's scope and impact on affected individuals. Security professionals were engaged to address vulnerabilities and implement enhanced protective measures for user information. Roomsurf notified impacted users about the compromise of their personal data, advising them to monitor for potential misuse of their information. The incident exposed thousands of student profiles to potential identity theft risks and damaged trust in the platform's ability to safeguard sensitive user data. No subsequent legal actions or regulatory penalties related to the breach were publicly reported following the containment efforts.