Bugs

First American Financial Corp.’s website left hundreds of millions of customer documents exposed

May 25, 2019, 4:55PM EDT

First American Financial Corp., a Fortune 500 real estate title insurance firm, exposed hundreds of millions of its customers' documents, according to a report by Krebs on Security. The documents relate to mortgage deals that First American Financial Corp. has been involved in, dating back as far as 2003. Information including bank account numbers, statements, mortgages, tax records, and Social Security numbers was exposed to anyone with a web browser.

According to Krebs on Security, anyone who knew the URL for a valid document on First American Financial Corp.'s website could view other documents "just by modifying a single digit in the link." After First American Financial Corp. was informed of this exposure, the firm disabled the portion of its site that served those documents.

A representative for First American Financial Corp. told Krebs on Security that "First American has learned of a design defect in an application that made possible unauthorized access to customer data," and that "The company took immediate action to address the situation and shut down external access to the application."
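The class of defect described above, where changing a single digit in a link returns someone else's document, is shown here next to a per-request ownership check. This is an added illustration, not First American's code: the in-memory store, the sequential IDs, the user names and every function name are hypothetical, and the sample records are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Document:
    doc_id: int   # sequential number that appears in the link (assumed)
    owner: str    # account the document belongs to
    body: str

# Constructed sample records; neighbouring IDs differ by a single digit.
STORE = {
    d.doc_id: d
    for d in (
        Document(1001, "alice", "alice closing statement"),
        Document(1002, "bob", "bob wire instructions"),
        Document(1003, "alice", "alice tax record"),
    )
}

def fetch_unchecked(doc_id: int) -> Optional[Document]:
    """Defective design: a valid number in the link is the only requirement."""
    return STORE.get(doc_id)

def fetch_authorized(session_user: Optional[str], doc_id: int) -> Optional[Document]:
    """Corrected design: require a signed-in user and check ownership per request."""
    if session_user is None:
        return None  # no anonymous access
    doc = STORE.get(doc_id)
    if doc is None or doc.owner != session_user:
        return None  # same answer for "missing" and "not yours"
    return doc

def readable_ids(session_user: Optional[str], fetch) -> list:
    """Audit helper: which stored IDs does this caller get back?"""
    return [i for i in sorted(STORE) if fetch(session_user, i) is not None]

def audit() -> dict:
    unchecked = lambda _user, i: fetch_unchecked(i)
    return {
        "unchecked_anonymous": readable_ids(None, unchecked),
        "authorized_anonymous": readable_ids(None, fetch_authorized),
        "authorized_alice": readable_ids("alice", fetch_authorized),
        "authorized_bob": readable_ids("bob", fetch_authorized),
    }

if __name__ == "__main__":
    for name, ids in audit().items():
        print(name, ids)
```

Running the audit as part of a test suite gives a regression check: any handler that returns a document to a caller who does not own it shows up as an extra ID in that caller's list.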