
Millions of financial records exposed on First American website, report says

The title insurance company didn't require a password to view the pages, according to security expert Brian Krebs.

Laura Hautala Former Senior Writer

Another day, another example of an organization leaking sensitive data through basic errors.

Graphic by Pixabay/Illustration by CNET

A website for a major title insurance company exposed hundreds of millions of records including bank account information, Social Security numbers, images of drivers' licenses and mortgage and tax records, security expert Brian Krebs found.

First American Financial, which serves as a neutral party to help finalize real estate transactions, left approximately 885 million records exposed to anyone who had the correct URL, Krebs found. No password was needed, just a web browser. The information was secured on Friday, and it's unclear if fraudsters accessed or abused the data before it was taken down.

A real estate developer reportedly alerted Krebs to the problem after he noticed he could access sensitive documents on the First American website by altering the string of digits at the end of a URL. The earliest document identified was from 2003 and the data included records through 2019.
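The access-control mistake described above is an insecure direct object reference: the record number in the URL is the only thing deciding what the server returns. The following is an added example, not code from the article or from First American, showing that pattern beside a lookup that checks ownership against the session, plus a small detector that flags clients walking consecutive IDs in constructed access-log lines; the document store, owners and log entries are all hypothetical.

```python
from collections import defaultdict
from typing import List, Optional
# Constructed sample records with sequential IDs, like the digits at the end
# of the URL in the article. Owners and contents are hypothetical.
DOCUMENTS = {
    1001: {"owner": "alice", "body": "escrow statement 1001"},
    1002: {"owner": "bob", "body": "escrow statement 1002"},
    1003: {"owner": "carol", "body": "escrow statement 1003"},
}
class Forbidden(Exception):
    pass

def fetch_document_vulnerable(doc_id: int) -> Optional[str]:
    """The pattern the article describes: the ID in the URL is the only input,
    so whoever changes the number to a neighbouring one gets a stranger's record."""
    doc = DOCUMENTS.get(doc_id)
    return doc["body"] if doc else None

def fetch_document_checked(session_user: str, doc_id: int) -> str:
    """Hardened lookup: ownership is checked against the authenticated session,
    and a missing record and someone else's record raise the same error so the
    ID space cannot be mapped from response differences."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner"] != session_user:
        raise Forbidden(f"document {doc_id} not available to this session")
    return doc["body"]

# Constructed access-log lines (client address, method, path) for the detector.
ACCESS_LOG = """\
203.0.113.7 GET /docs/1001
203.0.113.7 GET /docs/1002
203.0.113.7 GET /docs/1003
203.0.113.7 GET /docs/1004
198.51.100.4 GET /docs/1002
"""

def enumeration_suspects(log: str, min_run: int = 3) -> List[str]:
    """Flag clients whose requests walk consecutive document IDs, the log
    signature of someone incrementing the number in the URL."""
    ids_by_client = defaultdict(list)
    for line in log.splitlines():
        client, _method, path = line.split()
        ids_by_client[client].append(int(path.rsplit("/", 1)[1]))
    suspects = []
    for client, ids in ids_by_client.items():
        run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= min_run:
                suspects.append(client)
                break
    return suspects
```

The ownership check is the fix; the detector is a cheap signal worth wiring into log monitoring, since a single client stepping through IDs in order is exactly how this exposure was found.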

The flaw is another example of how organizations can leak sensitive data through basic errors. On Tuesday, Google revealed it had been inadvertently storing some user passwords in plaintext, eschewing the industry standard practice of encrypting login credentials. And on Wednesday, a researcher detailed to CNET how Instagram had been including personal contact information for users in its website's source code. The data wasn't private, but the coding error made it even easier for anyone to scrape the contact information and create a virtual phone book of Instagram users.

In a statement, First American said it fixed the problem.

"We are currently evaluating what effect, if any, this had on the security of customer information," the company said. "We have hired an outside forensic firm to assure us that there has not been any meaningful unauthorized access to our customer data."

Originally published May 24, 4:01 p.m. PT.
Update, 4:46 p.m.: Adds comment from First American.
