First American Financial Corporation exposed millions of mortgage documents

• Ben Shoval uncovered a website ‘firstam.com’, which is a part of First American’s website that was leaking millions of sensitive records.
• The exposed documents included bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers license images.

The website of First American Financial Corp exposed hundreds of millions of sensitive documents online including mortgage data.

What happened?

A real estate developer in Washington state, Ben Shoval notified KrebsOnSecurity about firstam.com, a part of First American’s website that was leaking millions of sensitive records.

According to Shoval, anyone who knew the URL for a valid document at the firstam.com website could view other documents by simply modifying a single digit in the link.

The real estate developer also shared a document link which he had received from First American in a recent transaction. The link referenced a 9 digit long record number that was dated April 2019. By modifying the document number in the link by numbers yielded other peoples’ records.

KrebsOnSecurity verified Shoval’s findings and confirmed that the website has exposed approximately 885 million files, the earliest dating back more than 16 years.

What data was exposed?

• The exposed documents included bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers license images.
• The exposed records also included wire transactions with bank account numbers and other information from home or property buyers and sellers.

What actions are being taken?

• First American took down the site that served the records and disabled external access to the application.
• The financial services company is currently conducting an internal review to determine the impact of the incident.

“First American has learned of a design defect in an application that made possible unauthorized access to customer data. At First American, security, privacy and confidentiality are of the highest priority and we are committed to protecting our customers’ information, a spokesperson for First American said.