Financial Data Of Nearly 900 Million Customers Has Been Leaked

Recently on his own blog krebsonsecurity.com, Brian Krebs has publicized his discovery about the vulnerability of First American website, which may affect millions of its customers. Ben Shoval, a real estate developer first found out the problem, then contacted KrebsOnSecurity for more details.

Data Is Freely Available On Site

First American is a leading provider of title insurance and settlement services, which acts as the only neutral party between mortgage suppliers and customers. In a document link sent to Shoval, the company gave him a record number with nine digits, dated April 2019. Suddenly changing the last few digits, Shoval received the record of other people, which indicated that record numbers were sequentially made.

Krebs then confirmed the findings, adding that there were millions of files having been leaked. The earliest documents dated back to 2003, or 16 years ago. Anyone with the URL could access the files without any authentication requirement, or other encryption. It is still unclear when the site was made public, but the documents might be available since 2017, according to statistics from archive.org.

First American has closed its site for investigation and prevention.

Damages And Threats

Krebs said that exactly 885 million documents have been exposed on the First American website. The data included personal information of both buyers and sellers, account statements and internal corporate documents. There are even reports for upcoming real estate closings.

Although First American immediately took action to protect customers data, the carelessness of the company might have made it a virtual goldmine for BEC scams. Business Email Compromise, short for BEC, is considered the most highly priced form of a cyber attack. These scammers usually impersonate parties such as real estate agents or insurance companies to rip off customers money. Database exposing on First American website would also give them information about upcoming financial transactions.

Both agents and buyers may get damaged when their names, email addresses and phone numbers were all publicly known. However, handling the bugs is not too difficult, according to Krebs. There have been a lot of similar cases in the past that issues were successfully fixed and preventable.