Landlords Demand Tenants' Workplace Logins to Scrape Their Paystubs
Posted3 months agoActive3 months ago
404media.coTechstory
heatednegative
Debate
80/100
Data PrivacyCybersecurityRental Practices
Key topics
Data Privacy
Cybersecurity
Rental Practices
Landlords are demanding tenants' workplace login credentials to access their paystubs, raising concerns about data privacy and cybersecurity, with commenters expressing outrage and skepticism about the practice.
Snapshot generated from the HN discussion
Discussion Activity
Light discussionFirst comment
49m
Peak period
4
12-14h
Avg / period
1.8
Comment distribution20 data points
Loading chart...
Based on 20 loaded comments
Key moments
- 01Story posted
Sep 29, 2025 at 5:43 PM EDT
3 months ago
Step 01 - 02First comment
Sep 29, 2025 at 6:31 PM EDT
49m after posting
Step 02 - 03Peak activity
4 comments in 12-14h
Hottest window of the conversation
Step 03 - 04Latest activity
Sep 30, 2025 at 11:02 PM EDT
3 months ago
Step 04
Generating AI Summary...
Analyzing up to 500 comments to identify key contributors and discussion patterns
ID: 45419128Type: storyLast synced: 11/20/2025, 1:26:54 PM
Want the full context?
Jump to the original sources
Read the primary article or dive into the live Hacker News thread when you're ready.
That practice is _definitely_ a violation of the Computer Fraud and Abuse Act. No employer's IT is going to have it not be a violation for a user to share their password with someone else, which even in the weakest boilerplate immediately revokes their rights to the account. At that point _any_ use of those credentials is very much a violation of the CFAA.
It's also quite (maddeningly) common for some websites to collect email service login credentials.
I can't recall exactly what it was, some verification service, maybe to verify my stated income
I think I provided pay stubs instead
When my niece was about 10, so let's call it 2005, she wanted to access some Barbie service. And I think it was the legit Barbie, mattel.com-affiliated website for children.
So she navigates there, and gets a login screen that wants her email credentials. Like from yahoo.com. I don't know why--to add her to a list or something? Was it an early "federated identity" login that I wasn't aware of?
And my jaw dropped open as I looked at what they were trying to do and I shouted "That's phishing! Don't ever do that!" and I force-closed all the windows and handed her over to her parents.
And looking back, I almost had a twinge of regret because I had come to find out that the Barbie service was not some Russian hacker but actually Barbie just asking to log in to her email, and it was totally normal for thousands of kids. So was I the bad uncle for stopping her in this regard?
Didn't we recently see where a landlord attempted to forge a lease document but was caught by the tenant?
Nobody wants to see your authentic ID/DL anymore. Just FAX it in or scan it. Nobody can examine your birth certificate or passport (except for real officials) but you need to scan and present it to all kinds of third parties. It absolutely destroys 80% of the countermeasures that are built in to those types of documents. Wrote a check from your checkbook? Your bank immediately photographs it and the image traverses their network, not the paper thing. They just shred that useless paper thing. The image is, for all intents and purposes, the negotiable document. Most of us pay a premium for "security checks" with a bunch of microprinting and other bullshit. That's utterly useless once you push it through a cellphone cam!
I've drawn a lot of public assistance from entitlements. They often require a stack of paperwork, like bank statements, paystubs. I usually ran Linux and had all the third-party PDF-manipulation tools. They would just accept screenshots from my banking apps! I could've easily forged anything, down to pixel level, or in the HTML itself, print to PDF, undetectable. No checksums or hashes to worry about!
So perhaps this headline is a symptom, a symptom of landlords being skeptical and wary of tenant-side forgeries, that they feel the need to grab the documents straight from the horse's mouth. I can't blame them for being risk-averse and wary of forgery, but this is crazy. Just... figure out a way to authenticate electronic documents. We cryptographers have worked this all out, but it's been ignored for reasons of cost and expedience. You can't ignore it anymore.
If I recall correctly, you can order checks from a check printing company with any account and routing number you specify. Walmart sells them, and it was cheaper than getting more from my bank. So even an authentic check with the security features intact doesn't seem worth much. The only real security feature is the signature.
I've received checks with watermarks, temp-sensitive ink, you name it, and I almost never walk into a branch anymore. As long as the mobile app works, the image is the negotiable instrument, and I can't change what others give me.
It seems that a third-party check printing service could run off checks for the attacker instead. The attacker would need to cover their tracks insofar as payment methods, and then intercept a package which would be mailed to my home address listed on the checks they ordered. That seems elaborate, but doable, if they want a whole stack of legitimate checks.
It is possible that there are even disreputable "security check" printers who aren't Walmart, but just counterfeiters in a 1BR, running off bogus checks for anyone who asks?
But who needs/wants a whole stack of them, anyway? It only takes one or two.
It is so strange, too, that we rarely hear of check fraud in the States. It would seem so easy, so is it widespread or rare?
Yes, people do earn their rightful reputations as truthful or two-faced, but in many contexts two-faced is considered default.
How is it possible to do anything, in that case?