A security flaw in the website of First American Financial Corp., a Fortune 500 real estate title insurance firm, has exposed over 885 million private and confidential customer records dating back to 2003.
Discovered by a real estate developer who contacted KrebsOnSecurity, the exposure came down to how documents stored by First American on its website could be accessed. Starting from a link generated by a search, anyone could change the document number in that link to bring up other documents, none of which required authentication.
Those documents are staggering not only in their number but in the personal details they contain: bank account numbers, bank statements, mortgage records, tax documents, wire transfer receipts, Social Security numbers and photos of driver’s licenses.
The exposed data was quickly taken down, with First American acknowledging the breach and describing it as a “design defect in an application that made possible unauthorized access to customer data.”
The company did not say whether the data had been accessed by malicious actors, noting only that it had hired an outside forensic firm to find out whether any data had been stolen.
Jon Bottarini, hacker and lead federal technical programs manager at HackerOne Inc., told SiliconANGLE that the data breach related to an Insecure Direct Object Reference vulnerability, as “the developer who found the vulnerability stated that he was retrieving different documents by simply changing the document number.”
“Modifying the document number in his link by numbers in either direction yielded other peoples’ records before or after the same date and time,” Bottarini said. “What’s interesting is that since a large majority of lenders use First American, it is highly possible that some of the recent scams regarding escrow fraud could be related to this breach in particular.”
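To make that class of bug concrete, here is an added example in Python; it is not First American’s code or anything taken from the article. It models a document-retrieval handler with the insecure direct object reference Bottarini describes, the enumeration it permits, and a hardened version that checks ownership and issues indirect, HMAC-tagged references so the number cannot be walked in either direction. Customer names, document numbers, contents and the server key are constructed sample data.

```python
"""
Model of an insecure direct object reference in a document-retrieval
endpoint, beside a hardened version. Added illustration, not production
code from any company; all records and keys below are constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Document:
    doc_id: int      # sequential record number, the kind exposed in a link
    owner: str       # customer the document belongs to
    contents: str


# Constructed sample store: consecutive numbers belong to different customers.
DOCUMENTS = {
    1000: Document(1000, "alice", "wire transfer receipt"),
    1001: Document(1001, "bob", "mortgage statement"),
    1002: Document(1002, "carol", "driver's licence scan"),
}

# Assumed per-deployment secret that never leaves the server (hypothetical).
SERVER_KEY = secrets.token_bytes(32)


def fetch_document_vulnerable(doc_id: int) -> Optional[Document]:
    """Insecure direct object reference: the number alone selects the record
    and nothing checks who is asking."""
    return DOCUMENTS.get(doc_id)


def enumerate_neighbours(start: int, span: int = 1) -> List[Document]:
    """What the vulnerable endpoint allows: walk the number in either
    direction from one known link and collect every record that comes back."""
    found = []
    for doc_id in range(start - span, start + span + 1):
        doc = fetch_document_vulnerable(doc_id)
        if doc is not None:
            found.append(doc)
    return found


def fetch_document_secure(caller: str, doc_id: int) -> Optional[Document]:
    """Object-level authorisation: same lookup, but the record is released
    only if it belongs to the authenticated caller. 'Missing' and 'not yours'
    both return None so the response does not confirm which numbers exist;
    a real handler would map None to an HTTP 404."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.owner != caller:
        return None
    return doc


def make_reference(caller: str, doc_id: int, key: bytes = SERVER_KEY) -> str:
    """Issue an indirect reference: the number plus an HMAC over (caller, number).
    Editing the number, or reusing the link as another user, breaks the tag."""
    tag = hmac.new(key, f"{caller}:{doc_id}".encode(), hashlib.sha256).hexdigest()
    return f"{doc_id}.{tag}"


def resolve_reference(caller: str, ref: str, key: bytes = SERVER_KEY) -> Optional[Document]:
    """Verify the tag before trusting the embedded number, then still apply the
    ownership check: the tag stops enumeration, the ownership check is the
    actual authorisation decision."""
    id_part, _, tag = ref.partition(".")
    if not id_part.isdigit() or not tag:
        return None
    doc_id = int(id_part)
    expected = hmac.new(key, f"{caller}:{doc_id}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return fetch_document_secure(caller, doc_id)


if __name__ == "__main__":
    print("vulnerable walk from 1001:", [d.owner for d in enumerate_neighbours(1001)])
    print("bob asks for 1000 (alice's):", fetch_document_secure("bob", 1000))
    ref = make_reference("alice", 1000)
    print("alice via her own reference:", resolve_reference("alice", ref).owner)
    print("same reference reused by bob:", resolve_reference("bob", ref))
```

The ownership check in `fetch_document_secure` is the fix; the tagged reference is defence in depth that removes the guessable sequence from the link entirely, so a leaked link is useless to anyone but the customer it was issued to.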
“Escrow fraud works by depending on both naiveté and speed as it relies on fake email accounts to execute the scam,” Bottarini explained. “Fraudsters do this by hacking into a title company’s system to retrieve emails and information about upcoming home purchases. If a scammer had access and decided to exploit this vulnerability, in particular, it would save a ton of time and effort and make this scam very easy to pull off because they would have all the personally identifiable information necessary without having to hack into each individual title company.”
Noting that the developer who provided the details to KrebsOnSecurity only did so after reaching out to First American without success, HackerOne Chief Executive Officer Marten Mickos added that the news should be a lesson for other companies, in that “it’s important for companies, especially those dealing with mounds of sensitive personal data, to have a public-facing way to report bugs and vulnerabilities.”