Santa Ana, Calif.-based First American is a leading provider of title insurance and settlement services to the real estate and mortgage industries. It employs some 18,000 people and brought in more than $5.7 billion in 2018.
Earlier this week, KrebsOnSecurity was contacted by a real estate developer in Washington state who said he'd had little luck getting a response from the company about what he found, which was that a portion of its Web site (firstam.com) was leaking tens if not hundreds of millions of records. He said anyone who knew the URL for a valid document at the Web site could view other documents just by modifying a single digit in the link. And this would potentially include anyone who's ever been sent a document link via email by First American.
KrebsOnSecurity confirmed the real estate developer's findings, which indicate that First American's Web site exposed approximately 885 million files, the earliest dating back more than 16 years. No authentication was required to read the documents. "As of the morning of May 24, firstam.com was returning documents up to the present day (885,000,000+), including many PDFs and post-dated forms for upcoming real estate closings," Krebs adds. "By 2 p.m. ET Friday, the company had disabled the site that served the records. It's not yet clear how long the site remained in its promiscuous state."
A spokesperson for the company issued the following statement: "First American has learned of a design defect in an application that made possible unauthorized access to customer data. At First American, security, privacy and confidentiality are of the highest priority and we are committed to protecting our customers' information. The company took immediate action to address the situation and shut down external access to the application. We are currently evaluating what effect, if any, this had on the security of customer information. We will have no further comment until our internal review is completed."