Brian Krebs has revealed that a company that works primarily in real estate insurance left no fewer than 885 million records exposed on its website – dating back to 2003. The big mistake by First American Financial should have been obvious to anyone who had given security a second thought: if you had the URL for one document on its website, you could simply add to or subtract from a number in that URL to access another document.
Given the business this company is in, those records contain incredibly personal information. Krebs spoke to Ben Shoval, who brought the exposure to his attention and says that the documents potentially include "Social Security numbers, driver's licenses, account statements, and even internal business documents if you're a small business."
As of today, the company has closed the security gap on its website. At the moment, we cannot know whether anyone actually exploited this vulnerability. Unlike the way such data exposure disclosures usually go, First American Financial does not even say that there is no evidence the data was accessed. In a statement to Krebs, here is what it said (the emphasis below is ours):
First American has detected a design error in an application that allowed unauthorized access to customer data. At First American, security, privacy and confidentiality are top priorities and we want to protect our customers' information. The company took immediate action to address the situation and terminate external access to the application. We are currently evaluating the effect, if any, on the security of customer information. We have no further comment until our internal review is complete.
A lot of private data is in fact accessible behind URLs that are not password protected, yet is still kept relatively safe because those URLs are long and hard to guess. Google Photos shares images this way. But even if you grant that it was good practice for First American Financial to make documents available without a password, it is still incredibly short-sighted to make those URLs so easy to guess.
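To make the two patterns in the paragraphs above concrete, here is an added Python illustration that is not code from Krebs's report or from First American Financial: a document lookup keyed only by a sequential URL id, beside an owner check and the unguessable share-token approach, plus a check over access-log lines for clients walking consecutive ids. The document store, user names, IP addresses and log format are all constructed for the example.

```python
import re
import secrets
from collections import defaultdict

# Constructed sample store: document id -> (owner, content). Illustrative
# data only, not the company's records.
DOCS = {1001: ("alice", "closing statement"), 1002: ("bob", "loan application")}
SHARE_TOKENS: dict[str, int] = {}  # random share token -> document id

def fetch_document_vulnerable(doc_id: int) -> str:
    """Flawed pattern: the sequential id from the URL is the only input, so
    knowing one id lets a client add or subtract one and read the next file."""
    return DOCS[doc_id][1]

def fetch_document_hardened(doc_id: int, user: str) -> str:
    """Object-level authorization: the requester must own the document."""
    owner, content = DOCS[doc_id]
    if owner != user:
        raise PermissionError(f"{user} may not read document {doc_id}")
    return content

def issue_share_token(doc_id: int) -> str:
    """Unguessable share link (the Google Photos style the article mentions):
    a 128-bit random token stands in for the id, so links cannot be enumerated."""
    token = secrets.token_urlsafe(16)
    SHARE_TOKENS[token] = doc_id
    return token

def fetch_by_share_token(token: str) -> str:
    if token not in SHARE_TOKENS:
        raise PermissionError("unknown or revoked share token")
    return DOCS[SHARE_TOKENS[token]][1]

LOG_RE = re.compile(r"^(\S+) GET /docs/(\d+) \d{3}$")  # constructed log format

def flag_enumerating_clients(log_lines: list[str], min_run: int = 3) -> set[str]:
    """Detection: flag clients that requested at least min_run consecutive ids,
    the signature of walking the id space rather than opening one's own file."""
    by_client: dict[str, set[int]] = defaultdict(set)
    for line in log_lines:
        if m := LOG_RE.match(line):
            by_client[m.group(1)].add(int(m.group(2)))
    # A run of min_run consecutive ids exists iff some id i has i..i+min_run-1 present.
    return {ip for ip, ids in by_client.items()
            if any(all(i + k in ids for k in range(min_run)) for i in ids)}
```

The log check is the kind of retrospective review a site owner would run to answer the question the article leaves open, whether anyone actually walked the id space.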
Krebs characterizes this data exposure as "really huge – possibly super convincing", and the number of records and the sensitive information they contain certainly support that claim.
We contacted First American Financial for further comment, but it is currently unclear what steps people can take to check whether their data has been exposed. You can find more information about the exposure at Krebs on Security.