A website for a major title insurance company exposed hundreds of millions of records including bank account information, Social Security numbers, images of drivers' licenses and mortgage and tax records, security expert Brian Krebs found.
First American Financial, which serves as a neutral party to help finalize real estate transactions, left approximately 885 million exposed to anyone who had the correct URL, Krebs found. No password was needed, just a web browser. The information was secured on Friday, and it's unclear if fraudsters accessed or abused the data before it was taken down.
A real estate developer reportedly alerted Krebs to the problem after he noticed he could access sensitive documents on the First American website by altering the string of digits at the end of a URL. The earliest document identified was from 2003 and the data included records through 2019.
The flaw is another example of how organizations can leak sensitive data through basic errors. On Tuesday,it had been inadvertently storing some user passwords in plaintext, eschewing the industry standard practice of encrypting login credentials. And on Wednesday, a researcher how Instagram had been including personal contact information for users in its website's source code. The data wasn't private, but the coding error made it even easier for anyone to scrape the contact information and create a virtual phone book of Instagram users.
In a statement, First American said it fixed the problem.
"We are currently evaluating what effect, if any, this had on the security of customer information," the company said. "We have hired an outside forensic firm to assure us that there has not been any meaningful unauthorized access to our customer data."
Originally published May 24, 4:01 p.m. PT.
Update, 4:46 p.m.: Adds comment from First American.