News just in from security reporter Brian Krebs: Fortune 500 real estate insurance giant First American exposed approximately 885 million confidential records because of a bug on its website.
Krebs reported that the company’s website stored and exposed bank account numbers, account statements, mortgage and tax records, Social Security numbers, and driver’s license images in an enumerable format, so anyone who knew one valid web address for a document simply had to change the address by one digit to view other documents.
No authentication, such as a password or other check, was in place to prevent access to other documents.
According to Krebs’ report, the oldest document was labeled “000000075,” with newer documents increasing in numerical order.
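The flaw described above is an access-control failure: the document number in the address was the only thing selecting a record. The following Python example is added here for illustration and is not First American's code; the document store, user names and function names are constructed. It contrasts that lookup with one that checks the requester against the document's owner and counts denials so that enumeration shows up in monitoring.

```python
import secrets
from collections import Counter

# Constructed sample data: sequential nine-digit document numbers and owners.
DOCS = {
    "000000075": {"owner": "alice", "body": "closing statement"},
    "000000076": {"owner": "bob", "body": "wire instructions"},
    "000000077": {"owner": "carol", "body": "tax record"},
}
DENIED = Counter()  # denied lookups per client, used for enumeration alerts


def fetch_unchecked(doc_id):
    """The reported pattern: the number in the URL is the only key."""
    doc = DOCS.get(doc_id)
    return doc["body"] if doc else None


def fetch_checked(user, doc_id):
    """Hardened: authenticate, then authorize against the document's owner."""
    doc = DOCS.get(doc_id)
    # Missing and not-owned get the same answer, so replies do not
    # confirm which document numbers exist.
    if user is None or doc is None or doc["owner"] != user:
        DENIED[user or "anonymous"] += 1
        return None
    return doc["body"]


def enumeration_suspects(threshold=2):
    """Clients with repeated denials, e.g. someone stepping through numbers."""
    return sorted(c for c, n in DENIED.items() if n >= threshold)


def new_reference():
    """Defense in depth: an unguessable reference instead of a counter.
    This does not replace the owner check above."""
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    print(fetch_unchecked("000000076"))         # any caller gets bob's document
    print(fetch_checked("alice", "000000075"))  # owner is served
    for n in ("000000076", "000000077"):        # alice steps through neighbours
        print(fetch_checked("alice", n))
    print(enumeration_suspects())
```

The owner check is the actual fix; random references only make guessing harder and still need the check behind them.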
The data dates back to at least 2003, Krebs said.
“Many of the exposed files are electronic transaction records with bank account numbers and other information of buyers and sellers of homes or properties,” Krebs wrote. First American is one of the largest real estate title insurance companies in the US, with revenue of $5.8 billion in 2018.
A First American spokesperson did not immediately respond to a request for comment, but told Krebs that its web application had been shut down and there would be “no further comment” until its review was completed.
Although the website is no longer working, many of the documents are still cached in search engines, security researcher John Wethington told TechCrunch. We are not linking to the exposed data while it is still readable.
It is the latest exposure of confidential mortgage data in recent months.
TechCrunch reported in January that a trove of more than 24 million financial and banking documents was inadvertently left exposed on a public cloud storage server for anyone to access. The data contained highly sensitive loan and mortgage agreements, payment plans, and other financial and tax documents that reveal an intimate view of a person’s financial life.