Major Japan property breach

A housing search can reveal more than your next apartment. A newly advertised database says records tied to six big Japanese property sites were bundled into a 2.78 gigabyte file with about 2.4 million lines and 976,824 unique email addresses, then offered for sale for €1,000. (dailydarkweb.net) The sites named in the listing were SUUMO, CHINTAI, At Home, HOME’S, O-uccino, and Chintai EX. In Japan, those services sit near the front door of the rental market, where people search by train line, neighborhood, rent, floor plan, and move-in date before they ever speak to an agent. (dailydarkweb.net) (homes.co.jp) The seller’s sample fields were not just login basics. The post claimed the data included names, email addresses, phone numbers, hashed passwords, physical addresses, age, gender, marital status, occupation, annual income, preferred station, desired move date, and notes about contact preferences. (dailydarkweb.net) That mix is what makes property data unusually sensitive. A real-estate profile can read like a moving checklist and a finance form taped together, because it links identity details to income bands, household status, and exactly where someone wants to live. (dailydarkweb.net) Japan’s privacy law now treats leaks at this scale as reportable. Article 26 of the Act on the Protection of Personal Information requires businesses to report leaks that are likely to harm individuals, and guidance says incidents involving more than 1,000 people trigger notice duties to the regulator and affected users. (japaneselawtranslation.go.jp) (dlapiperdataprotection.com) That matters because even if passwords were hashed, the rest of the file can still power scams. A criminal who knows your income range, target station, and intended move date can write a fake broker message that sounds close enough to real life to get a deposit, an ID scan, or a lease application. (dailydarkweb.net) The timing also lands next to a very different warning from the United States Cybersecurity and Infrastructure Security Agency. On April 7, 2026, the agency and five other U.S. bodies said Iranian-affiliated actors were actively exploiting internet-facing programmable logic controllers made by Rockwell Automation and causing operational disruption and financial loss in critical infrastructure. (cisa.gov) A programmable logic controller is the small industrial computer that opens a valve, starts a pump, or stops a conveyor belt. The advisory said attackers manipulated project files and altered what operators saw on human-machine interface and supervisory control screens, which is closer to grabbing the steering wheel than stealing a spreadsheet. (cisa.gov) The two incidents are different kinds of cyber risk, but they rhyme. One turns apartment-hunting data into a fraud kit for consumers, and the other turns exposed industrial gear into a way to disrupt water, energy, or government services. (dailydarkweb.net) (cisa.gov) For companies, the lesson is not abstract. The Cybersecurity and Infrastructure Security Agency told operators to pull programmable logic controllers off the public internet, while Japan’s privacy rules already require fast reporting when personal data leaks cross clear harm thresholds. (cisa.gov) (japaneselawtranslation.go.jp) For users of property sites, the practical risk is simpler. If a message about a viewing, deposit, guarantor form, or key handoff suddenly arrives with just enough personal detail to feel real, that detail may be exactly what was stolen. (dailydarkweb.net)