What may be the first-ever hijacking of an active real-estate listing online – a palatial mansion overlooking the Pacific Ocean in Bel Air, California – has led to a lawsuit seeking $60 million in damages against home-sale marketing company Zillow.
One or more hackers seized control of the mansion’s listing page on Zillow’s popular Zestimates site in February, causing it to display a series of bogus sales that were tens of millions of dollars below the $150 million asking price, according to the complaint filed in federal district court in Los Angeles. The net effect was to inflict financial damage on the seller by “corrupt[ing] the listing price dramatically,” according to the complaint, making it more difficult to obtain anywhere near the price the seller is seeking.
Hackers Used Chinese IP Address
The newly constructed hilltop house is a knockout, even by Hollywood standards: 12 bedrooms, 21 baths, 38,000 square feet of interior space, 17,000 square feet of “entertainment decks,” three kitchens, five bars, fitness spa, four-lane bowling alley, basketball and tennis courts, wine cellars and an 85-foot “glass-tile infinity pool,” to cite just some of the amenities. It is owned by a limited liability company controlled by Los Angeles luxury builder Bruce Makowsky.
The hijacking occurred when someone using a Chinese IP address and a made-up U.S. phone number managed to successfully claim “ownership“ of the mansion on Zillow’s Zestimates page. Zillow, which displays pages on 110 million American homes for sale and off the market, offers a feature that allows owners to amend descriptions of their homes on the site. The feature is heavily used by legitimate owners to modify information posted about their house – numbers of bedrooms and baths, for example, or a recent remodeling that affects the property’s market value. To successfully make such a claim, owners must answer questions designed to verify their identity.
In this case, according to the suit, hackers figured out how to get past Zillow’s security questions and began manipulating information on the site. They erroneously reported that the house sold for $110 million on Feb. 4, then for $90.5 million on Feb. 9 and $94.3 million Feb. 10. They also listed an open house for the property on Feb. 8, something that would be unusual in the rarified world of super luxury homes, where showings tend to be exclusively by appointment.
Overcoming Zillow’s Security Measures
The suit alleges that Zillow was negligent in allowing false and harmful information to be posted on the mansion’s page, despite repeated requests for “over a week” from the seller’s lawyers to pull the plug on the hackers. Zillow does not have adequate “safeguards in place to prevent internet trolls, criminals” and others “to commit illegal acts” by “logging into their system to post the false information,” the suit alleges.
“While we don’t discuss pending litigation, I can tell you that [the company] goes to great lengths to display current and accurate data,” Zillow spokesperson Kate Downen said in a statement, adding Zillow is “in the process of updating” the verification system for access to owner pages on the Zestimate site.
In an exhibit accompanying the complaint, attorneys for the owner included a copy of an email from Kim Nielsen, senior lead counsel for Zillow Group Inc.
“Unfortunately, if someone is able to provide responses to the verification questions, they are able to claim the home … we do not manually check each time someone attempts to claim a home,” the email said.
“Any home on our website can be claimed by the homeowner. There are a series of questions … but if someone attempts to claim [the property] enough times, they will know the questions asked and be able to figure out what information they need to verify their identity,” the complaint quotes Nielsen as saying.
“How is it that someone with a fake phone number (bad area code) and Chinese IP address and email can hijack [a] $150 million house,” said Ronald Richards, the seller’s attorney.
In an interview, Richards said “it’s impossible to have a site” like the Zestimate owner-claim page if effectively there are “no security protections.”
What should homeowners whose houses are listed on Zillow make of this suit? Even if your home is not a dazzling palazzo on a hill, the secret is out: Though it’s highly unlikely, your Zillow page can be hacked and stolen by online troublemakers. Until Zillow announces verification reforms, it’s probably worth checking your Zestimate page now and then.
Ken Harney’s email address is harneycolumn@gmail.com.