The newly constructed hilltop house is a knockout, even by Hollywood standards: 12 bedrooms, 21 baths, 38,000 square feet of interior space, 17,000 square feet of “entertainment decks,” three kitchens, five bars, fitness spa, four-lane bowling alley, basketball and tennis courts, wine cellars, and an 85-foot “glass-tile infinity pool,” to cite just some of the amenities. It is owned by a limited liability company controlled by Los Angeles luxury builder Bruce Makowsky.
The hijacking occurred when someone using a Chinese Internet protocol address and a made-up U.S. phone number managed to successfully claim “ownership” of the mansion on Zillow’s Zestimates page. Zillow, which displays pages on 110 million American homes — properties listed for sale and off the market — offers a feature that allows owners to amend descriptions of their homes on the site. The feature is heavily used by legitimate owners to modify information posted about their house — numbers of bedrooms and baths, for example, or a recent remodeling that affects the property’s market value. To successfully make such a claim, owners must answer questions designed to verify their identity.
In this case, according to the suit, hackers figured out how to get past Zillow’s security questions and began manipulating information on the site. They erroneously reported that the house sold for $110 million on Feb. 4, then for $90.5 million on Feb. 9 and $94.3 million Feb. 10. They also listed an open house for the property on Feb. 8, something that would be unusual in the rarefied world of super luxury homes, where showings tend to be exclusively by appointment.
The suit alleges that Zillow was negligent in allowing false and harmful information to be posted on the mansion’s page, despite repeated requests for “over a week” from the seller’s lawyers to pull the plug on the hackers. Zillow does not have adequate “safeguards in place to prevent Internet trolls, criminals” and others “to commit illegal acts” by “logging into their system to post the false information,” the suit alleges.
Asked for comment, Kate Downen, a Zillow spokeswoman, said that “while we don’t discuss pending litigation, I can tell you that [the company] goes to great lengths to display current and accurate data.” Downen added that Zillow is “in the process of updating” the verification system for access to owner pages on the Zestimate site.
In an exhibit accompanying the complaint, attorneys for the owner included a copy of an email from Kim Nielsen, senior lead counsel for Zillow Group, in which she says, “Unfortunately if someone is able to provide responses to the verification questions, they are able to claim the home . . . we do not manually check each time someone attempts to claim a home.” The complaint also quotes Nielsen as saying that “any home on our website can be claimed by the homeowner. There are a series of questions . . . but if someone attempts to claim [the property] enough times, they will know the questions asked and be able to figure out what information they need to verify their identity.”
Ronald Richards, the seller’s attorney, asked “How is it that someone with a fake phone number (bad area code) and Chinese IP address and email can hijack [a] $150 million house?” In an interview, Richards said “it’s impossible to have a site” like the Zestimate owner-claim page if effectively there are “no security protections.”
So what should homeowners whose house is listed on Zillow make of this suit? Even if your home is not a dazzling palazzo on a hill, the secret is out: Though it’s highly unlikely, your Zillow page can be hacked and stolen by online troublemakers. Until Zillow announces verification reforms, it’s probably worth checking your Zestimate page now and then.
(To view the Bel Air property, here is a link: http://tinyurl.com/ycx8nyz3)
Ken Harney’s email address is firstname.lastname@example.org.