News just in from security reporter Brian Krebs: Fortune 500 real estate insurance giant First American exposed approximately 885 million sensitive records because of a bug in its website.
Krebs reported that the company’s website was storing and leaking bank account numbers, statements, mortgage and tax records, Social Security numbers and driving license images in an enumerable format — so anyone who knew a valid web address for a document simply had to change the address by one digit to view other documents, he said.
There was no authentication required — such as a password or other checks — to prevent access to other documents.
According to Krebs’ report, the earliest document was labeled “000000075” — with newer documents increasing in numerical order, he said.
The data goes back at least to 2003, said Krebs.
“Many of the exposed files are records of wire transactions with bank account numbers and other information from home or property buyers and sellers,” wrote Krebs. First American is one of the largest real estate title insurers in the U.S., earning $5.8 billion in revenue in 2018.
A spokesperson for First American did not immediately respond to a request for comment but told Krebs that its web application was shut down and that there would be “no further comment” until its review was complete.
Although the website was down, many of the documents are still cached in search engines, security researcher John Wethington told TechCrunch. We’re not linking to the exposed data while the data is still readable.
It’s the latest breach of sensitive mortgage data in recent months.
TechCrunch exclusively reported in January that a trove of more than 24 million financial and banking documents was left inadvertently exposed on a public cloud storage server for anyone to access. The data contained loan and mortgage agreements, repayment schedules and other highly sensitive financial and tax documents that reveal an intimate insight into a person’s financial life.
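The flaw Krebs describes in First American's site, sequentially numbered documents served with no check on who is asking, is shown here beside a corrected lookup. This is an added illustration, not First American's code; the record store, user names, link table and function names are all assumptions made for the example.

```python
import secrets

# Constructed sample records; the numbering mimics the sequential labels in the report.
DOCUMENTS = {
    "000000075": {"parties": {"alice"}, "body": "wire instructions (sample)"},
    "000000076": {"parties": {"bob"}, "body": "closing statement (sample)"},
}
LINKS = {}  # hypothetical table: random token -> document number


class NotFound(Exception):
    """Used for missing and unauthorized alike, so replies do not confirm a number exists."""


def fetch_vulnerable(doc_id):
    # Behaviour as reported: holding a valid number is enough to read the document.
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise NotFound(doc_id)
    return doc["body"]


def fetch_hardened(doc_id, session_user):
    # session_user is the identity from an authenticated session, or None.
    doc = DOCUMENTS.get(doc_id)
    # Per-document authorization: the caller must be a party to this record.
    if session_user is None or doc is None or session_user not in doc["parties"]:
        raise NotFound(doc_id)
    return doc["body"]


def issue_link(doc_id):
    # 32 random bytes replace the guessable counter in anything sent to customers.
    token = secrets.token_urlsafe(32)
    LINKS[token] = doc_id
    return token


def fetch_by_link(token, session_user):
    # An unguessable reference is defence in depth only; the party check still runs.
    doc_id = LINKS.get(token)
    if doc_id is None:
        raise NotFound("link")
    return fetch_hardened(doc_id, session_user)
```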