https://www.theguardian.com/australia-news/2026/feb/02/real-estate-agents-in-australia-using-apps-that-leave-millions-of-lease-documents-at-risk-digital-researcher-says

Australian real estate agents are using digital platforms that leave millions of sensitive tenant and landlord documents vulnerable to unauthorised access through unprotected hyperlinks, according to research provided to Guardian Australia by an anonymous digital researcher. The analysis of seven rental platforms revealed that lease agreements, identification documents, payslips, and personal references dating back to 2017 can be accessed by threat actors through easily guessable URLs and web crawler-accessible links that require no authentication. The researcher discovered that one platform’s sequential numbering system, which has grown from invitation code 1 to over 4 million, allows documents to be accessed simply by incrementing or decrementing numbers in the URL, while another platform’s use of URL shorteners inadvertently provided authentication cookies granting access to entire rental histories and maintenance records.

Inspection Express, one of the platforms identified in the research, confirmed it had upgraded its security measures after the researcher reported the vulnerabilities directly to the company last year, implementing features such as automatically expiring document links after a limited number of accesses or a defined time window, along with additional restrictions on link sharing and copying. Another platform responded by adding a postcode verification requirement before granting document access. However, digital rights advocates criticised the industry’s response, stating that most companies did nothing despite being notified months earlier, calling it a blatant disregard for privacy laws and people’s security while these intermediary platforms profit from collecting vast quantities of data with questionable benefits to renters.
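The expiring-link mitigation described above, sketched as an added example (it is not code from Inspection Express or any platform named in the article). The class name, parameters and document ids are hypothetical, and the sample values are constructed. Links are random tokens rather than sequential numbers, and each one is bound server-side to an expiry time and an access budget.

```python
import hashlib
import secrets
import time


class DocumentLinkStore:
    """In-memory store of share links; a real service would use a database."""

    def __init__(self, ttl_seconds=3600, max_accesses=3, clock=time.time):
        self.ttl_seconds = ttl_seconds
        self.max_accesses = max_accesses
        self.clock = clock      # injectable so expiry can be tested
        self._links = {}        # sha256(token) -> link record

    @staticmethod
    def _key(token):
        # Only a hash of the token is stored, so a leaked copy of the
        # store does not hand out working links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, document_id):
        # 256 bits from the OS CSPRNG: the token reveals nothing about
        # document_id, and incrementing it leads nowhere.
        token = secrets.token_urlsafe(32)
        self._links[self._key(token)] = {
            "document_id": document_id,
            "expires_at": self.clock() + self.ttl_seconds,
            "remaining": self.max_accesses,
        }
        return token

    def redeem(self, token):
        """Return the document id, or None if the link is unknown or spent."""
        key = self._key(token)
        link = self._links.get(key)
        if link is None:
            return None
        if self.clock() >= link["expires_at"] or link["remaining"] <= 0:
            del self._links[key]    # expired or exhausted: revoke for good
            return None
        link["remaining"] -= 1
        return link["document_id"]
```
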

The security failures highlight the power imbalance inherent in Australia’s rental market, where tenants have little ability to refuse using these platforms without risking retaliation, negative references, or losing housing opportunities altogether. The Office of the Australian Information Commissioner confirmed it had received no breach notifications from the affected platforms despite the severity of the vulnerabilities, but stated that increasing demands from rental and property companies for personal information through rent tech apps is a key priority for 2026. The agency acknowledged that the rental technology sector creates significant power and information imbalances and announced it is currently scrutinising these platforms as part of its oversight efforts.