Image credit: NicoElNino via Getty Images

First American security flaw leaked 885 million real estate documents

The documents include sensitive data, such as Social Security numbers and bank information.

First American Financial Corporation left as many as 885 million real estate documents dating as far back as 2003 exposed, according to Krebs on Security. The company, one of the largest real estate title insurance firms in the US, has already fixed the vulnerability as of Friday afternoon after the security researcher notified it of the flaw. Before the patch rolled out, however, anybody armed with a link to one of the documents hosted on its website could simply change a single digit in the URL to access somebody else's files. The documents didn't require a password or any kind of authentication.
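The flaw described above is an insecure direct object reference: the number in the URL was the only thing standing between a visitor and a record. The sketch below is an added example, not First American's code; the document store, session map and function names are constructed for illustration. It puts that lookup pattern beside one that authenticates the caller and checks ownership, plus a regression check a defender can run against either.

```python
# Constructed sample data: sequential numeric IDs, as in the flaw described.
DOCUMENTS = {
    1001: {"owner": "alice", "body": "alice closing statement"},
    1002: {"owner": "bob", "body": "bob wire receipt"},
}
SESSIONS = {"tok-alice": "alice"}  # hypothetical session token -> user map


class NotFound(Exception):
    """Raised for missing and unauthorized documents alike."""


def get_document_insecure(doc_id):
    # Flawed pattern: knowing (or guessing) the ID is the only requirement.
    return DOCUMENTS[doc_id]["body"]


def get_document(session_token, doc_id):
    # Authenticate: a request without a valid session gets nothing.
    user = SESSIONS.get(session_token)
    doc = DOCUMENTS.get(doc_id)
    # Authorize: the caller must own the record they named. The error is
    # identical for "missing" and "not yours", so responses do not reveal
    # which IDs exist.
    if user is None or doc is None or doc["owner"] != user:
        raise NotFound(doc_id)
    return doc["body"]


def readable_ids(fetch, candidate_ids):
    """Regression check: list the IDs a given fetch function will serve."""
    served = []
    for doc_id in candidate_ids:
        try:
            fetch(doc_id)
            served.append(doc_id)
        except (KeyError, NotFound):
            pass
    return served


if __name__ == "__main__":
    ids = range(1000, 1004)
    print("insecure:", readable_ids(get_document_insecure, ids))
    print("as alice:", readable_ids(lambda i: get_document("tok-alice", i), ids))
    print("no session:", readable_ids(lambda i: get_document(None, i), ids))
```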

Due to the nature of its business, those files include a variety of sensitive information, including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts and driver's license images. Ben Shoval, the real estate developer who discovered the vulnerability and who told Krebs about the issue, also said that small business clients might've even given First American access to internal documents.

After Shoval contacted Krebs about the issue earlier this week, the security researcher confirmed that the company's website was returning documents simply by changing digits in the URL. First American ultimately switched off the part of its website that served those files by around 2PM on May 24th. Krebs clarified, however, that he has no information suggesting the exposed files were harvested. It's also unclear when the vulnerability first showed up, though Krebs discovered that it's been around since at least March 2017 after taking a dive into archive.org.

The best-case scenario is that no bad actor paid attention to the company's website, because those documents could be mined for sensitive data to sell on the dark web and could be used for convincing phishing schemes. A spokesperson told the researcher that the real estate giant is currently determining if the flaw affected its customer information in any way (emphasis ours):

"First American has learned of a design defect in an application that made possible unauthorized access to customer data. At First American, security, privacy and confidentiality are of the highest priority and we are committed to protecting our customers' information. The company took immediate action to address the situation and shut down external access to the application. We are currently evaluating what effect, if any, this had on the security of customer information. We will have no further comment until our internal review is completed."
