Brian Krebs has revealed that a company that works primarily in real estate insurance left up to 885 million records exposed on its website, dating back to 2003. The big mistake of First American Financial Corp. should have been obvious to anyone who had given a second thought to security: if you had the URL of any document on its website, you could simply add or subtract one from a number in the URL to access another document.
Given the kind of business this company is in, those records include incredibly private information. Krebs spoke with Ben Shoval, who brought the problem to his attention and said the documents could include "Social Security numbers, driver's licenses, account statements and even internal corporate documents if it's a small business."
As of today, the company has closed the hole in its website's security. At this time, we cannot know whether someone actually took advantage of this vulnerability. Unlike what usually happens with this kind of data-exposure disclosure, First American Financial does not even say that it has no evidence that records were accessed. This is what the company said in a statement to Krebs (emphasis below is ours):
First American has discovered a design flaw in an application that made unauthorized access to customer data possible. At First American, security, privacy and confidentiality are of the highest priority and we are committed to protecting our customers' information. The company took immediate steps to address the situation and closed external access to the application. We are currently evaluating what effect, if any, this had on the security of client information. We will not have further comments until our internal review is complete.
A large amount of private data sits behind URLs that are not password protected but remain relatively secure because those URLs are complex and unguessable. Google Photos, for example, shares images this way. But even if you consider it acceptable practice for First American Financial to make documents available without a password, it was incredibly short-sighted to make those URLs so easy to guess.
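As an added illustration (not code from this article or from First American), here is a minimal Python model of the two designs contrasted above: a store that hands out sequential numeric ids with no ownership check, beside one that uses unguessable random ids and verifies the requester on every fetch. The class and method names are my own.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Document:
    owner: str
    content: str


class SequentialStore:
    """Flawed design of the kind described above: ids are handed out in
    order and nobody checks who is asking, so one valid link reaches
    every neighbouring document by changing the number."""

    def __init__(self):
        self._docs = {}
        self._next_id = 1

    def add(self, owner, content):
        doc_id = self._next_id
        self._next_id += 1
        self._docs[doc_id] = Document(owner, content)
        return f"/docs/{doc_id}"

    def fetch(self, path, requester):
        try:
            doc = self._docs.get(int(path.rsplit("/", 1)[1]))
        except ValueError:
            return None
        return doc.content if doc else None  # requester is ignored


class HardenedStore:
    """Two independent fixes: a random 256-bit id (adjacent ids share
    nothing, so there is nothing to count up or down) and an ownership
    check on every fetch, so even a leaked link only works for its owner."""

    def __init__(self):
        self._docs = {}

    def add(self, owner, content):
        doc_id = secrets.token_urlsafe(32)  # 43 URL-safe characters
        self._docs[doc_id] = Document(owner, content)
        return f"/docs/{doc_id}"

    def fetch(self, path, requester):
        doc = self._docs.get(path.rsplit("/", 1)[1])
        if doc is None or doc.owner != requester:
            return None  # same answer for "missing" and "not yours"
        return doc.content
```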
Krebs characterizes this data exposure as "Truly massive – possibly superlative", and the number of records and the confidential information they contain certainly support that claim.
We contacted First American Financial for further comment, but at this point it is not clear what steps people can take to check whether their data was leaked. You can find more information about the exposure at Krebs on Security.