Now on Demand: Threat Detection and Incident Response (TDIR) Summit - All Sessions Available
Connect with us

Hi, what are you looking for?


Data Protection

First American Financial Exposed Millions of Sensitive Documents

The website of financial services company First American Financial until recently exposed hundreds of millions of documents containing sensitive information, security blogger Brian Krebs reported on Friday.

The website of financial services company First American Financial until recently exposed hundreds of millions of documents containing sensitive information, security blogger Brian Krebs reported on Friday.

According to its Wikipedia page, First American Financial is “a leading provider of title insurance and settlement services to the real estate and mortgage industries.”

Krebs learned from Ben Shoval, a real estate developer in Washington state, that a section of First American’s website,, had been storing hundreds of millions of title insurance records without proper protection.

The exposed documents contained social security numbers, bank account numbers and statements, driver’s licenses, tax and mortgage records, and wire transaction receipts.

This was the result of an insecure direct object reference (IDOR) vulnerability that allowed anyone to access all the documents stored by First American on this section of its site by modifying the value of a parameter in a link pointing to a valid document. For example, if a document is stored at, changing the URL to fetches a different document.

Shoval had been having trouble contacting First American when he reached out to Krebs. Their investigation revealed that the company had been exposing roughly 885 million files. The files — the earliest dated 2003 — were apparently online from at least March 2017 until May 25, 2019.

It’s unclear if any unauthorized users accessed the files during this time, but the exposed information could have been highly useful to scammers.

First American has shut down its website in response to the incident and has launched an investigation. “We are currently evaluating what effect, if any, this had on the security of customer information,” the company said.

Advertisement. Scroll to continue reading.

Dave Farrow, Senior Director of Information Security at Barracuda Networks, described the IDOR flaw as a “very common programming mistake.”

“The result in this case is a trove of very sensitive information that can be used to fuel the next stage of an attack in the form of identity theft, spear phishing or Business Email Compromise (BEC),” Farrow said via email.

“It seems likely that breaches like this will to continue to happen,” Farrow added. “While we must continue improving the security of our applications and systems, that is just the first line of defense. This defense is only as strong as the weakest vendor we share our data with. Or the strongest partner they share our data with. One vendor could be doing a perfect job protecting our privacy. But that doesn’t necessarily stop another vendor from losing the same information that they’re both trying to protect.

“We must implement defense in depth. One line of defense includes reviewing how a malicious person in possession of leaked information may attempt to use it against us or our customers. Account takeovers, wire transfer fraud, and identify theft all come to mind. There appears to be no shortage of creative ways that someone can defraud their fellows these days,” he warned.

Related: AWS S3 Buckets Exposed Millions of Facebook Records

Related: Reservation Systems Used by Many Hotels Expose User Data

Related: Canadian Telecom Firm Freedom Mobile Exposed Customer Details

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

Intelligent document processing company ABBYY has hired Clayton C. Peddy as CISO.

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

More People On The Move

Expert Insights