This week, Cotality and FBS asked real estate professionals in about 15 different MLS markets to reset their passwords. There was no mention of the issue from ICE (Paragon) or Rapattoni or others – but you can bet your bottom dollar that everyone was impacted by this. To be clear, nobody was hacked, rather, nefarious people stole (or were given) the usernames and passwords to log into the MLS as an agent.
Cause of the problem: Agents were not protecting their passwords. MLSs made the choice not to require muti-factor authentication in their system. This had nothing to do with security or best practices at Cotality or FBS.
Let’s be honest, many agents probably overreacted to this inconvenience. A number of MLS help desks had a surge of calls. But let’s also put it into perspective: resetting a password isn’t exactly a monumental event in anyone’s life. Sure, it’s annoying, it takes a few minutes, and then you move on. Most importantly, you should not need to call a help desk to teach you how, or to complain that the same password you have used for the past 25 years needs to be reset. Real estate agents need to take security more seriously.
Dealing with this minor inconvenience is vastly better than dealing with a data breach or a system outage, which was not the case here. Real estate professionals frequently handle sensitive client data in the MLS behind a password, and unfortunately, the reality is that many agents aren’t exactly diligent about password management. Remember too, the MLS is not only your system. It is the system shared with all brokers in your market and the consumers we all serve. Simply put, if you can easily remember your password, or you use it in multiple software applications, it’s probably not secure enough.
It looks to me like this issue was caused by two things. First, agents exposed their passwords or reused passwords that were in some other security breach (probably Microsoft SharePoint). Secondly, MLSs choose not to deploy two-factor or Multi-factor Authentication for login.
Here is what Stellar MLS posted today: “Thanks to our proactive security protocols, most notably the recent implementation of multi-factor authentication (MFA), Stellar MLS customers were not impacted,” said Merri Jo Cowen, CEO.
In other words, Stellar made the right choice to force multifactor authentication and they were not impacted! Other MLSs should use this opportunity to make the same choice.
To keep your data—and your clients’ data—secure, here are some simple, practical tips:
-
- Use unique passwords: Don’t reuse the same password everywhere. Each service or platform deserves its own unique password.
- Choose strong passwords: Aim for at least 12 characters with a mix of uppercase, lowercase, numbers, and symbols. Avoid obvious choices like names, birthdays, or common words.
- Use a password manager: A good password manager securely stores all your passwords and can automatically create strong, random passwords for you.
- MLSs should Enable Multi-factor authentication: This adds an extra security layer by requiring two forms of verification to access your account. For example, after entering your password when logging into your bank account, you might receive a text message or email with a unique code that you also have to enter to complete the login.
- Change passwords regularly: Get into the habit of updating passwords every few months.
- Update your security policies: for employees, agents, and in your applications.
- Check your insurance coverage
The password reset last week might have disrupted your morning coffee or thrown off your daily routine, but it’s actually a best practice. Take this opportunity to tighten up your digital security, it might save you from much bigger headaches down the road.
Stay tuned for more practical cybersecurity tips for real estate professionals. Cyber Security month is in October. Brokers, MLSs, and tech vendors can save themselves a lot of grief by training agents on best practices with security.
Leave A Comment