2 min read

Last week, First American Financial Corporation, a provider of title insurance, leaked hundreds of millions of documents related to mortgage deals dated back to 2003, KrebsOnSecurity reports.

This vulnerability exposed digitized records such as mortgage and tax records, bank account numbers and statements, wire transaction receipts, social security numbers, and drivers license images without authentication. However, the company said that it had disabled the part of its website that served those files around 2 PM ET on Friday, and thereby addressed the vulnerability soon after it was notified by KrebsOnSecurity.

“We are currently evaluating what effect, if any, this had on the security of customer information. We will have no further comment until our internal review is completed”, the company said in a statement.


According to KrebsOnSecurity, “Many of the exposed files are records of wire transactions with bank account numbers and other information from home or property buyers and sellers.”

Ben Shoval, the developer who notified KrebsOnSecurity about the data exposure, said, “That’s because First American is one of the most widely-used companies for real estate title insurance and for closing real estate deals — where both parties to the sale meet in a room and sign stacks of legal documents.”

Shoval even shared a document link given by First American from a recent transaction, which pointed to a record number that was nine digits long and which dated April 2019. Modifying the document number in the link by numbers in either direction would yield other peoples’ records before or after the same date and time.

The earliest document number that was available on the site was 000000075 that pointed a real estate transaction from 2003.

A spokesperson from the First American Financial Corporation shared the following statement:

“First American has learned of a design defect in an application that made possible unauthorized access to customer data.  At First American, security, privacy and confidentiality are of the highest priority and we are committed to protecting our customers’ information. The company took immediate action to address the situation and shut down external access to the application. We are currently evaluating what effect, if any, this had on the security of customer information. We will have no further comment until our internal review is completed.”

The information leaked by First American would have been misused by scammers involved in Business Email Compromise (BEC) scams, which would impersonate real estate agents.

To know more about this news, check out the post by KrebsOnSecurity.

Read Next

A WhatsApp vulnerability enabled attackers to inject Israeli spyware on user’s phones

A WhatsApp vulnerability enabled attackers to inject Israeli spyware on user’s phones

Rust’s recent releases 1.34.0 and 1.34.1 affected from a vulnerability that can cause memory unsafety