Australian platforms used by real estate agents to upload documentation for renters and landlords are leaving people’s personal information exposed in hyperlinks accessible online.
An analysis of seven rent platforms provided to Guardian Australia by a researcher, who wished to remain anonymous, revealed millions of leasing documents could be accessed by threat actors.
Real estate agents manage sensitive tenant and landlord data on a daily basis, including lease agreements, identification documents, payslips and personal references. Online platforms enable agents to store these documents in the cloud and make them accessible via hyperlinks.
The researcher found these links can be scanned by web crawlers and cached.
Guardian Australia has seen six examples of rental agreements, employer and personal references, and other documents available online. While the links were obscured through randomised characters, they did not require a log-in to view them.
The researcher identified that the underlying platform used by rental companies makes it easy to access documents by simply adding or subtracting a number on the URL real estate companies send to prospective tenants.
The researcher said the documents date back to 2017, with the first invite code being 1, and now reaching 4m.
In another case, the researcher was able to access a lease agreement due to one platform’s use of URL shorteners, which make the URLs easier to guess. Once the lease was accessed, the platform provided an authentication cookie, giving access to the landlord’s entire rental history, maintenance and other documents.
Inspection Express, one platform that was identified as allowing access to hyperlinks without requiring authentication, said it had undertaken a review of how its document links are accessed and shared. It said this month it had upgraded its security, after the researcher reported the issue directly to the company last year.
“Inspection Express does not make customer documents publicly discoverable or indexable by Google or other search engines,” a spokesperson said. “Documents are accessed via controlled links and are not published to the open web by our platform, and our review did not identify any open web discovery.
“The enhancements include document links that automatically expire after a limited number of accesses or a defined time window, along with additional restrictions on link sharing and copying. Intended recipients can securely request a new link if required.”
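The controls described in that statement, links that expire after a limited number of accesses or a time window, can be sketched as follows. This is an added example, not Inspection Express's code or any platform's; the `DocumentLinks` class, its in-memory table and the sample document IDs are assumptions made for illustration. It also replaces a countable invite code with a random token, so there is no number in the link to add to or subtract from.

```python
import hashlib
import secrets
import time


class DocumentLinks:
    """In-memory stand-in for a platform's link table (hypothetical)."""

    def __init__(self):
        self._links = {}  # sha256(token) -> record; raw tokens are not stored

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, doc_id, ttl_seconds=86400, max_uses=3, now=None):
        """Return an unguessable token for doc_id, with a lifetime and use budget."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not a counter
        self._links[self._key(token)] = {
            "doc_id": doc_id,
            "expires": now + ttl_seconds,
            "uses_left": max_uses,
        }
        return token

    def redeem(self, token, now=None):
        """Return the doc_id if the link is still valid, otherwise None."""
        now = time.time() if now is None else now
        key = self._key(token)
        rec = self._links.get(key)
        if rec is None:
            return None  # unknown, guessed or already revoked token
        if now >= rec["expires"] or rec["uses_left"] <= 0:
            del self._links[key]  # dead links are deleted, not left dormant
            return None
        rec["uses_left"] -= 1
        return rec["doc_id"]


if __name__ == "__main__":
    links = DocumentLinks()
    # Constructed sample: a link valid for 60 seconds and two accesses.
    t = links.issue("lease-constructed-001", ttl_seconds=60, max_uses=2, now=1000)
    for when in (1010, 1020, 1030):
        print(when, links.redeem(t, now=when))
```

Storing only the hash of each token means a copy of the link table does not yield working links. A link of this kind is still a bearer credential until it expires, so anyone it is forwarded to can open the document within the window.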
Another platform the researcher identified has put in an additional security measure requiring the user to enter their postcode before accessing the document.
A number of platforms in the research did not respond to requests for comment, and did not respond to the researcher.
Samantha Floreani, a digital rights advocate and PhD candidate analysing rental tech, said the research showed a very serious lack of care for privacy and security in the industry.
“It is appalling that months after being notified of these vulnerabilities, most companies have done nothing,” she said. “This is a blatant and disturbing disregard for the law and for people’s security.
“While these companies turn a profit by inserting themselves as intermediaries between renters, agents and landlords and collecting vast quantities of data, the benefits to renters are questionable at best.”
Floreani said that, left unchecked, the companies are putting an enormous number of Australians at risk.
“Renters have very little power to refuse to use these systems because saying no can lead to retaliation, a bad reference, or just missing out on a home altogether,” she said.
“To have no real choice but to use these platforms in order to access and retain housing, then to have the information you are forced to hand over left unprotected, adds insult to injury in an already deeply dehumanising system.”
A spokesperson for the Office of the Australian Information Commissioner said the agency had received no notifications from the platforms regarding potential data breaches.
The spokesperson said the increasing demands from rental and property companies for people to hand over their personal information to rent tech apps are a “key priority” for the OAIC this year.
“It is a sector that creates power and information imbalances, and [the OAIC] is currently scrutinising rent tech platforms,” the spokesperson said.