Construction escrow company leaks sensitive data online

Chris Vickery is at it again!

Three Lock Box, a construction escrow company out of Las Vegas, was accidentally leaking information on 90 accounts that held millions of dollars. reports that researcher Chris Vickery found the misconfigured database and reported it to the company immediately.  Vickery found that if anyone reset their password, the new passwords would not be hashed but would be left in clear text! The company assured Vickery that the database problem would be shored up, but later that day Vickery discovered that it had not been fixed.  He contacted the owner at home at 2am, and the problem was fixed 20 minutes later.

“I am incensed that they had all day to put some sort of authentication on it, but failed to do so,” Chris told

Three Lock Box owner, Noah Allison informed Vickery that no money would be going in and out of the site at that hour, but Vickery explained to him that there was more at risk. reports that “the keys to the admin kingdom, all of his client contact details, all the contract documents, w-9 filings, bank account numbers, routing numbers, and many plaintext passwords of his clients were all up for grabs.”

“The shortened Christmas Eve workday added to the challenge of reaching someone who was qualified and available,” Shuli Cheng, IT Manager told “After  many  phone calls and work sessions, we successfully configured two layers of security by 3:00am PST. A faster turnaround time would have been more desirable.”

Vickery seems to be on a one-man mission to catch all leaky databases.  He was just in the news for finding the Alliance Health breach, and the MacKeeper breach. He was also the one who discovered the HZone data breach last week.  That breach included leaked information of around 5,000 people who were using an HIV-positive dating app.  It also led to the company threatening the admin of  The breach discovery was similar to the Hello Kitty discovery that he also found. That particular breach affected 3.3 million people, mostly teens and children.

For information on how you can prevent your organization from being breached, visit or call 714-515-4011.


Be First to Comment

Leave a Reply

Your email address will not be published. Required fields are marked *