
Redfin Reveals User Data Leak on Listing Contact Forms

Redfin contact forms on listings revealed past users’ names, emails, and phone numbers.

Redfin’s website suffered a brief security lapse that exposed personal details of previous visitors to anyone who opened a property listing. For less than a week, the platform’s contact form would auto‑populate with a former user’s name, e‑mail, and phone number. The data appeared only while the form was visible, but if a user disabled JavaScript, the information stayed on the page. The flaw was discovered by The Intercept, prompting Redfin to alter the desktop form immediately; the mobile version remained vulnerable until a later update.

According to a Redfin spokesperson, the issue was identified and remediated within a week. The company’s privacy policy allows sharing of private data, yet the contact form lacks a disclosure that a visitor’s details could be exposed to others. The Intercept verified that the exposed emails and numbers belong to real people, not test accounts, and noted that a malicious actor could harvest many records by repeatedly visiting listings.

Redfin, a leading brokerage that pioneered map‑based listings, serves about 50 million monthly users. While the vulnerability only displayed one user’s information at a time, repeated visits could have enabled bulk data collection. Redfin did not comment on whether the flaw was exploited.

The incident highlights the ongoing challenge of protecting user data on web services. The company’s quick response mitigated the risk, but the lack of a clear privacy notice in the contact form remains a concern.
