A website for a major title insurance company exposed hundreds of millions of records including bank account information, Social Security numbers, images of drivers’ licenses and mortgage and tax records, security expert Brian Krebs found.
First American Financial, which serves as a neutral party to help finalize real estate transactions, left approximately 885 million exposed to anyone who had the correct URL, Krebs found. No password was needed, just a web browser.
The information was secured on Friday, and it’s unclear if fraudsters accessed or abused the data before it was taken down.
A real estate developer reportedly alerted Krebs to the problem after he noticed he could access sensitive documents on the First American website by altering the string of digits at the end of a URL. The earliest document identified was from 2003 and the data included records through 2019.
In a statement, First American said it fixed the problem.
“We are currently evaluating what effect, if any, this had on the security of customer information,” the company said. “We have hired an outside forensic firm to assure us that there has not been any meaningful unauthorized access to our customer data.”
The flaw is another example of how organizations can leak sensitive data through basic errors. On Tuesday, Google revealed findings it had been inadvertently storing some user passwords in plaintext, eschewing the industry standard practice of encrypting login credentials.
And on Wednesday, a researcher detailed how Instagram had been including personal contact information for users in its website’s source code.
- Police arraigns teenager for murder in Ekiti - July 13, 2020
- Fresh evidence suggests airborne transmission of COVID-19 —NCDC - July 13, 2020
- Niger Assembly summons COVID-19 task force to explain activities, expenditure - July 13, 2020