Brian Krebs has revealed that First American Financial Corp., a company whose main business is title insurance for real estate transactions, left as many as 885 million records exposed on its website, going back to 2003. The mistake should have been obvious to anybody who gave security a second thought: the documents were served without any authentication, at URLs that differed only by a sequential record number. If you had the URL for any one document on the site, you could simply add or subtract one from that number to pull up another document.
Given the type of business this company is in, those records include incredibly private information. Krebs spoke with Ben Shoval, who brought the exposure to his attention and who says the documents potentially included “Social Security numbers, drivers licenses, account statements, and even internal corporate documents if you’re a small business.”
As of today, the company has closed the hole in its website security. Right now, we can’t know whether anybody actually took advantage of this vulnerability. Contrary to how these sorts of data exposure disclosures usually go, First American Financial isn’t even saying that it has no evidence that the records were accessed. In a statement to Krebs, here’s what it said (emphasis below is ours):
First American has learned of a design defect in an application that made possible unauthorized access to customer data. At First American, security, privacy and confidentiality are of the highest priority and we are committed to protecting our customers’ information. The company took immediate action to address the situation and shut down external access to the application. We are currently evaluating what effect, if any, this had on the security of customer information. We will have no further comment until our internal review is completed.
This afternoon, First American provided a second statement to The Verge, adding that it’s hired a third-party forensic firm to find out if anyone might have accessed the records.
On May 24th, First American learned of a design defect in one of its production applications that made possible unauthorized access to customer data. Security, privacy and confidentiality are of the highest priority and we are committed to protecting our customers’ information.
Therefore, the company took immediate action to address the situation and shut down external access to the application. We are currently evaluating what effect, if any, this had on the security of customer information. We have hired an outside forensic firm to assure us that there has not been any meaningful unauthorized access to our customer data.
Lots of private data is in fact reachable through URLs that aren’t password-protected but are still kept relatively safe because the URLs are long and unguessable; Google Photos, for example, shares images this way. That approach only holds up if the unguessable part is a genuinely random, high-entropy token and the URL itself is not leaked through referrer headers, logs or forwarded messages. A sequential record number is neither secret nor random. So even if you accept that it was reasonable for First American Financial to serve documents without a password, it was still incredibly shortsighted to make those URLs so easy to guess.
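The difference between the two designs discussed above, as an added example that is not code from First American or from Krebs’s report: a lookup keyed on a sequential document number, the one-line enumeration that such a scheme invites, and the same lookup rebuilt around a random capability token with an optional ownership check. The document store, the user names and the function names are constructed for illustration; none of them come from the exposed system.

```python
import hashlib
import secrets

# Constructed sample store (not real data): document number -> (owner, contents).
# The keys are deliberately sequential, which is the flaw the article describes.
DOCS = {
    1000: ("alice", "escrow statement for 12 Main St"),
    1001: ("bob", "wire instructions, account ending 4417"),
    1002: ("carol", "closing disclosure"),
}


def fetch_vulnerable(doc_number):
    """The exposed pattern: the sequential number in the URL is the only 'key'.

    No login, no ownership check, and the number is predictable.
    """
    record = DOCS.get(doc_number)
    return record[1] if record else None


def enumerate_neighbours(known_number, span=1):
    """What anyone with one valid URL can do: step the number up and down.

    Returns every document found within +/- span of the known number.
    """
    found = {}
    for candidate in range(known_number - span, known_number + span + 1):
        body = fetch_vulnerable(candidate)
        if body is not None:
            found[candidate] = body
    return found


# Hardened design: the URL carries an opaque random token instead of the
# record number. Only the SHA-256 of each token is stored, so a copy of the
# index alone does not reveal the live links.
TOKEN_INDEX = {}  # sha256(token) hex -> document number


def _token_key(token):
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def issue_capability(doc_number):
    """Mint a capability URL token: 32 random bytes = 256 bits of entropy."""
    token = secrets.token_urlsafe(32)
    TOKEN_INDEX[_token_key(token)] = doc_number
    return token


def fetch_by_capability(token):
    """Unauthenticated sharing, Google-Photos style: possession of the token
    is the authorisation. Guessing is infeasible because tokens are random,
    and a token for one document says nothing about any other document.
    """
    doc_number = TOKEN_INDEX.get(_token_key(token))
    if doc_number is None:
        return None
    return DOCS[doc_number][1]


def fetch_authorized(token, requesting_user):
    """Stronger variant: the token must be valid AND the caller must be the
    document owner, so a leaked link alone is not enough.
    """
    doc_number = TOKEN_INDEX.get(_token_key(token))
    if doc_number is None:
        return None
    owner, body = DOCS[doc_number]
    if requesting_user != owner:
        return None
    return body


if __name__ == "__main__":
    # One known URL in the vulnerable scheme yields the neighbours for free.
    print(enumerate_neighbours(1001))
    # In the hardened scheme the same starting point yields only its own doc.
    link = issue_capability(1001)
    print(link, fetch_by_capability(link), fetch_authorized(link, "alice"))
```

The point of storing only a hash of the token is the same one that applies to passwords and API keys: the index can be backed up, replicated and read by support staff without those copies becoming a list of working links. Whether to add the ownership check on top depends on whether the documents are meant to be forwardable at all; for closing statements containing Social Security numbers, requiring a login is the safer default.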
Krebs characterizes this data exposure as “truly massive — possibly superlative,” and the number of records and the sensitive information they contained certainly backs that claim up.
We’ve reached out to First American Financial for further comment, but right now it’s unclear what steps people could take to check whether their data was leaked. You can find more information about the exposure at Krebs on Security.
Update, 7:05 PM ET: Added statement from First American and the disclosure that it’s hired an outside forensic firm to investigate.