
First American Financial Exposed Millions of Sensitive Documents

The website of financial services company First American Financial until recently exposed hundreds of millions of documents containing sensitive information, security blogger Brian Krebs reported on Friday.

According to its Wikipedia page, First American Financial is “a leading provider of title insurance and settlement services to the real estate and mortgage industries.”

Krebs learned from Ben Shoval, a real estate developer in Washington state, that a section of First American’s website,, had been storing hundreds of millions of title insurance records without proper protection.

The exposed documents contained social security numbers, bank account numbers and statements, driver’s licenses, tax and mortgage records, and wire transaction receipts.

This was the result of an insecure direct object reference (IDOR) vulnerability that allowed anyone to access all the documents stored by First American on this section of its site by modifying the value of a parameter in a link pointing to a valid document. For example, if a document is stored at, changing the URL to fetches a different document.
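
The class of flaw described above, sketched as an added example (not First American's code; the document store, function names and sample records are hypothetical): a lookup that trusts the identifier in the URL, next to one that authorizes against the session and one that serves signed, expiring links to recipients who have no account.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: sequential IDs, each record owned by one account.
DOCUMENTS = {
    1001: {"owner": "alice", "body": "closing statement (alice)"},
    1002: {"owner": "bob", "body": "wire receipt (bob)"},
}
LINK_KEY = secrets.token_bytes(32)  # server-side secret, never sent to clients


class AccessDenied(Exception):
    """Raised identically for missing, unowned, tampered or expired requests."""


def get_document_vulnerable(doc_id):
    # IDOR: the identifier from the URL is the only input; no caller check.
    return DOCUMENTS[doc_id]["body"]


def get_document_checked(session_user, doc_id):
    # Authorize against the authenticated session, not against the URL.
    doc = DOCUMENTS.get(doc_id)
    if doc is None or session_user is None or doc["owner"] != session_user:
        raise AccessDenied(doc_id)
    return doc["body"]


def sign_link(doc_id, expires):
    # Bind the link to one document and one expiry time (Unix seconds).
    msg = f"{doc_id}:{expires}".encode()
    return hmac.new(LINK_KEY, msg, hashlib.sha256).hexdigest()


def get_document_by_link(doc_id, expires, sig, now):
    # For links mailed to people without accounts: changing doc_id or expires
    # invalidates the signature, so neighbouring IDs cannot be walked.
    expected = sign_link(doc_id, expires)
    if not hmac.compare_digest(expected.encode(), sig.encode()) or now > expires:
        raise AccessDenied(doc_id)
    if doc_id not in DOCUMENTS:
        raise AccessDenied(doc_id)
    return DOCUMENTS[doc_id]["body"]
```

Returning the same error for "does not exist" and "not yours" keeps responses from confirming which identifiers are valid.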

Shoval had been having trouble contacting First American when he reached out to Krebs. Their investigation revealed that the company had been exposing roughly 885 million files. The files — the earliest dated 2003 — were apparently online from at least March 2017 until May 25, 2019.

It’s unclear if any unauthorized users accessed the files during this time, but the exposed information could have been highly useful to scammers.

First American has shut down its website in response to the incident and has launched an investigation. “We are currently evaluating what effect, if any, this had on the security of customer information,” the company said.

Dave Farrow, Senior Director of Information Security at Barracuda Networks, described the IDOR flaw as a “very common programming mistake.”

“The result in this case is a trove of very sensitive information that can be used to fuel the next stage of an attack in the form of identity theft, spear phishing or Business Email Compromise (BEC),” Farrow said via email.

“It seems likely that breaches like this will continue to happen,” Farrow added. “While we must continue improving the security of our applications and systems, that is just the first line of defense. This defense is only as strong as the weakest vendor we share our data with. Or the strongest partner they share our data with. One vendor could be doing a perfect job protecting our privacy. But that doesn’t necessarily stop another vendor from losing the same information that they’re both trying to protect.

“We must implement defense in depth. One line of defense includes reviewing how a malicious person in possession of leaked information may attempt to use it against us or our customers. Account takeovers, wire transfer fraud, and identity theft all come to mind. There appears to be no shortage of creative ways that someone can defraud their fellows these days,” he warned.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
