Berkeley's Rental Registry Left 60,000 Renters Exposed
A 2024 bug in Berkeley's 3Di rent registry exposed 60,000 renters' data for 138 days. Pasadena uses the same platform and reversed its data policy.
Alex Forman didn’t need specialized tools. He opened a browser, pulled up Berkeley’s public rental registry website, and clicked into the network inspector the way any developer would when looking at how a page loads. What came back in the traffic panel wasn’t just rendering data. It was a complete tenant roster: full names, email addresses, phone numbers, and Section 8 housing assistance status for every renter registered in the city. All 60,000 of them. Forman, a 20-year-old former engineering student who lived in Berkeley, spent a moment making sure he understood what he was looking at. Then he alerted the city.
The date was September 4, 2024. The vulnerability, it turned out, had been sitting in the open for 138 days.
What happened
On April 20, 2024, a routine software update from 3Di Systems, the company that built and maintains Berkeley’s rental registry, introduced a flaw that silently exposed the tenant data to anyone who knew to look in the right browser tab. The city said it fixed the issue the day after Forman reported it. In the meantime, 3Di’s code had been broadcasting sensitive records since spring.
Berkeley’s rent registry was built by 3Di in 2021 as part of the city’s rent stabilization infrastructure. Registries of this type have become standard in California cities that have passed rent control: landlords register their units annually and submit data about their properties, giving rent boards visibility into the market and a mechanism to enforce compliance. That infrastructure serves a real purpose. Pasadena’s registry, for instance, collects the maximum lawful rent and actual rent charged for each unit, the beginning and end dates of all tenancies, and at various points tenant contact details that Pasadena’s own rent department later acknowledged weren’t necessary. Berkeley’s held similar fields, and added Section 8 status.
The combination creates a detailed portrait of who lives where, at what price, and how long they’ve been there. Every city that runs a registry is managing that portrait through a commercial software vendor, whose security practices residents have no direct way to assess or audit.
Berkeley says it consulted its legal team to determine whether reporting to law enforcement was required. No public enforcement action followed, and the exposure produced no disclosed list of who, if anyone, had accessed the records. 3Di Systems delivers rental property registry software to jurisdictions across California, including Berkeley, Pasadena, and Los Angeles County.
The real problem wasn’t the bug
The most dangerous thing in Berkeley’s rent registry wasn’t the flaw 3Di’s update introduced. It was the Section 8 status field.
In California, housing providers are prohibited under the Fair Employment and Housing Act from refusing to rent to someone because they use a housing voucher. The law exists precisely because Section 8 recipients have historically faced discriminatory denial. Knowing which tenants in a building hold vouchers doesn’t make discrimination legal, but it does make it easier to target, easier to disguise as something else, and harder to prove in court. A registry that holds that field, and holds it in a system that spent 138 days leaking it to anyone who opened a browser, isn’t just a data-quality problem. It’s a selective vulnerability: the people most likely to be harmed by the exposure are the people the registry was supposed to protect.
That’s the pattern that makes rent registry security more than a technical question. These systems are designed as instruments of tenant protection. They emerged from decades of organizing, ballot measures, and legal fights to give tenants recourse against illegal rent increases. But their implementation, handed off to commercial SaaS vendors building on low-code platforms, turns that protection infrastructure into something else: a managed inventory of everyone renting in the city, with contact details, vulnerable status flags, and tenancy histories, stored in a vendor’s cloud environment and secured to whatever standard the vendor’s engineers happened to apply to a routine April update.
Pasadena was watching
When Berkeley’s breach became publicly known, the Pasadena Housing Providers (PHP), a landlord advocacy organization, wrote about it on their website under the headline “Rent Registry Data Breach.” The reason was direct: Pasadena uses the same 3Di software, under a contract the Pasadena Rental Housing Board approved for $269,000, to run the city’s own rental registry under Measure H, the rent control charter amendment Pasadena voters passed in November 2022.
PHP had been pushing for months to limit what Pasadena’s Rent Stabilization Department collected through the registry. Their January 2026 update ran under the headline “Protect Tenant Privacy From Rent Department Overreach.” The framing was strategic: a landlord group deploying the language of tenant privacy to argue against a tenant-protective enforcement body. Whether the framing was cynical or not, the underlying concern was real. By November 2025, the Rent Stabilization Department had publicly acknowledged that some of the tenant data it had been gathering “wasn’t necessary.”
On April 17, 2026, the Pasadena Rental Housing Board voted to reverse course on its tenant privacy policy, following what Pasadena Now described as months of landlord pushback. PHP marked the next day with a post titled “Victory on Tenant Privacy.”
What this means for renters
The outcome in Pasadena is genuinely complicated. A registry that collects less tenant personal data holds less data that can leak. That’s a concrete benefit. If Pasadena’s 3Di system develops a flaw similar to Berkeley’s, a trimmed-down registry exposes fewer details about fewer people. On that narrow axis, the board’s reversal protects renters.
But the campaign that produced the reversal is the same campaign filing a March 2026 ballot measure to restructure the Rental Housing Board itself, merge the Rent Stabilization Department into the city’s Housing Department, and cap registration fees. The landlord group’s goals don’t stop at data minimization. The privacy argument was one lever among several.
Renters in any city with a mandatory registry have no practical way to review what’s stored about them, correct inaccuracies, or opt out of specific data fields. They depend entirely on the board and the vendor to make sound decisions. The Berkeley breach shows what happens when the vendor doesn’t, and the Pasadena sequence shows how quickly those decisions can be reshaped by organized political pressure. Those two facts, sitting next to each other, describe a privacy situation that doesn’t resolve neatly.
For renters who handle sensitive documents at the other end of the rental process, it’s worth noting that lease signing and rental applications often travel across a parallel set of third-party platforms. Tools that let you sign a lease locally without uploading it to a cloud service, or sign rental agreements with client-side PDF signing tools such as Signegy, macOS Preview, or OpenSign, address a different layer of the same structural issue: the more personal data you can keep off external servers, the less you’re relying on a vendor’s update discipline.
What comes next
Berkeley never publicly disclosed whether anyone accessed the exposed registry data during the 138 days it was open. The city determined it didn’t need to report the incident to law enforcement, a conclusion that has drawn criticism given that the exposed records included housing voucher status. 3Di Systems continues to operate rental registries across California, and its platform has expanded to Los Angeles County.
Other cities are building registries now, some for the first time, as rent stabilization legislation spreads. Most are selecting commercial vendors through ordinary procurement processes, without public scrutiny of security architecture. The question of what data those registries genuinely need to function, and how it should be secured when it lives on a vendor’s platform, hasn’t produced much policy beyond individual boards responding to individual controversies. Pasadena’s vote was driven by pressure, not by a coherent standard.
What Alex Forman found with a browser’s inspect panel could be found in any of these systems by anyone paying attention. Most renters in Pasadena, Berkeley, or any other city with a 3Di-powered registry won’t know what their board decides to collect, or how that decision gets made, until something leaks. Whether cities and their vendors are paying the right kind of attention is a question most rental registries still don’t answer clearly.