
Financial service company left 885 million private records exposed online

Anyone with a link to a document could change one digit in the URL to view other files.


Mikael Thalen


Published May 25, 2019   Updated May 20, 2021, 11:51 am CDT

A major financial service company left hundreds of millions of private records unsecured online, exposing everything from Social Security numbers to driver's license images.

The records were brought to the attention of Krebs on Security by real estate developer Ben Shoval, who discovered that the website of First American Corporation was not properly protecting the data.

Shoval had found that anyone with a link to a document on the site could simply change a single digit in the URL to view other hosted files.
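
The behavior described above amounts to a guessable document number served without any authorization check. As an added illustration (not First American's code; the document numbers, URL layout, and key are constructed assumptions), the Python below contrasts that pattern with a signed, expiring link in which altering the number invalidates the link:

```python
import hashlib
import hmac
import time

# Constructed sample data: neighbouring document numbers owned by different customers.
DOCUMENTS = {
    1000041: "closing statement for customer A",
    1000042: "wire receipt for customer B",
}
SECRET_KEY = b"constructed-demo-key"  # assumption: a real key lives in a secrets manager


def fetch_insecure(doc_id):
    """Flawed pattern: knowing any valid number is treated as permission to read it."""
    return DOCUMENTS.get(doc_id)


def _sign(doc_id, expires):
    # The signature covers both the document number and the expiry time.
    msg = f"{doc_id}:{expires}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def make_link(doc_id, ttl=3600, now=None):
    """Issue a link bound to exactly one document and one expiry time."""
    issued = int(time.time() if now is None else now)
    expires = issued + ttl
    return f"/doc?id={doc_id}&exp={expires}&sig={_sign(doc_id, expires)}"


def fetch_signed(doc_id, expires, sig, now=None):
    """Serve the document only when the signature matches this id and is unexpired."""
    current = int(time.time() if now is None else now)
    expected = _sign(doc_id, expires)
    # Constant-time comparison; bytes are used so odd input cannot raise TypeError.
    if not hmac.compare_digest(expected.encode(), str(sig).encode()):
        return None  # the id or expiry was altered, or the signature is wrong
    if current > expires:
        return None  # link has expired
    return DOCUMENTS.get(doc_id)
```

A signed link limits what a leaked or edited URL can reach; records this sensitive would normally also sit behind an authenticated session with a per-user ownership check.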

Analysis from Krebs on Security found that a total of 885 million documents, spanning as far back as 2003, could be accessed. The files included everything from bank account numbers and statements to wire transfer receipts and tax records.

Prior to releasing the story, Krebs on Security founder Brian Krebs described the incident as a “truly massive–possibly superlative–sensitive data exposure.”

After becoming aware of the issue, First American Corporation stated that it had “shut down external access to the application” on Friday.

“First American has learned of a design defect in an application that made possible unauthorized access to customer data,” the company said in a statement. “At First American, security, privacy, and confidentiality are of the highest priority and we are committed to protecting our customers’ information.”

The company added that it was “evaluating what effect, if any, this had on the security of customer information” and later told the Verge that a third-party forensics group had been hired to determine whether the data was accessed.

The California-based First American Corporation is said to employ more than 18,000 people and bring in billions in profits annually.


H/T Krebs on Security

*First Published: May 25, 2019, 3:13 pm CDT