Brian Krebs has revealed that a company that primarily works in real estate title insurance left as many as 885 million records exposed on its website, dating back to 2003. First American Financial Corp.'s big mistake should have been obvious to anyone who had given security a second thought: if you had the URL for any document on its website, you could simply add or subtract one from the number in that URL to access another document.
Given the type of business this company is in, these records contain incredibly private information. Krebs spoke to Ben Shoval, who brought the exposure to his attention, saying that the documents potentially included "Social Security numbers, driver's licenses, bank statements, and even internal business documents if you're a small business."
As of today, the company has closed the hole in its website security. Right now, we can't know whether anyone actually exploited this vulnerability. Unlike most disclosures of this kind, First American Financial does not even say that it has no evidence the records were accessed. In a statement to Krebs, here's what it said (emphasis below is ours):
First American has learned of a design error in a program that allowed unauthorized access to customer data. At First American, security, privacy, and confidentiality are top priorities, and we are committed to protecting customer information. The company took immediate action to resolve the situation and terminate external access to the application. We are currently evaluating what effect, if any, this had on the security of customer information. We will not have further comments before our internal review is completed.
A lot of private data is actually available behind URLs that aren't password-protected, but it is still kept relatively safe because those URLs are long and unguessable. Google Photos, for example, shares photos this way. But even if you grant that it was acceptable practice for First American Financial to make documents available without a password, it was still incredibly careless to make those URLs so easy to guess.
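As an added example (not from the article, Krebs, or First American), here is the kind of access-log check a defender could run to find out whether anyone walked sequential document IDs the way described above. The log lines and the `/documents/<id>` path format are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not real traffic). The path format
# /documents/<integer id> is an assumption standing in for a sequential-ID URL scheme.
SAMPLE_LOG = """\
203.0.113.7 - - [24/May/2019:10:00:01 +0000] "GET /documents/100001 HTTP/1.1" 200 5120
203.0.113.7 - - [24/May/2019:10:00:02 +0000] "GET /documents/100002 HTTP/1.1" 200 4880
203.0.113.7 - - [24/May/2019:10:00:03 +0000] "GET /documents/100003 HTTP/1.1" 200 6011
203.0.113.7 - - [24/May/2019:10:00:04 +0000] "GET /documents/100004 HTTP/1.1" 200 5102
203.0.113.7 - - [24/May/2019:10:00:05 +0000] "GET /documents/100005 HTTP/1.1" 200 4999
198.51.100.9 - - [24/May/2019:10:01:00 +0000] "GET /documents/250077 HTTP/1.1" 200 7730
198.51.100.9 - - [24/May/2019:11:30:12 +0000] "GET /documents/250078 HTTP/1.1" 200 7100
"""

# Client IP at the start of the line, numeric document ID in the GET path.
LINE_RE = re.compile(r'^(?P<ip>\S+) .*"GET /documents/(?P<doc_id>\d+) ')


def doc_ids_by_client(log_text):
    """Map each client IP to the ordered list of document IDs it requested."""
    ids = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ids[m.group("ip")].append(int(m.group("doc_id")))
    return ids


def longest_consecutive_run(ids):
    """Length of the longest run where each ID differs by exactly 1 from the previous one."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if abs(cur - prev) == 1 else 1
        best = max(best, run)
    return best


def flag_enumerators(log_text, min_run=4):
    """Return {ip: run_length} for clients that walked at least min_run consecutive IDs."""
    flagged = {}
    for ip, ids in doc_ids_by_client(log_text).items():
        run = longest_consecutive_run(ids)
        if run >= min_run:
            flagged[ip] = run
    return flagged
```

A normal user opening a couple of their own documents (the second client above) stays below the threshold, while a client stepping through IDs one by one is reported.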
We've reached out to First American Financial for further comment, but right now it's unclear what steps people can take to check whether their data was exposed. For more information on the exposure, see Krebs on Security.