New York (The Verge) — First American Financial left 885 million records exposed via insecure URLs theverge.com/2019/5/24/1863….
Brian Krebs has revealed that a company that primarily works in real estate insurance has left as many as 885 million records exposed on its website — going back to 2003. First American Financial Corp’s big mistake should have been obvious to anybody who had given a second thought to security. If you had the URL for any document on its website, you could simply add one to, or subtract one from, a number in the URL to access another document.
Given the type of business this company is in, those records include incredibly private information. Krebs spoke with Ben Shoval, who brought the exposure to his attention and who says the documents potentially included “Social Security numbers, drivers licenses, account statements, and even internal corporate documents if you’re a small business.”
As of today, the company has closed the hole in its website security. Right now, we can’t know whether anybody actually took advantage of this vulnerability. Contrary to how these sorts of data exposure disclosures usually go, First American Financial isn’t even saying that it has no evidence that the records were accessed. — Dieter Bohn/@verge
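
Stepping a document number in a URL up or down by one, as described above, leaves a recognisable trace in web access logs, which is what a defender would search to answer whether records were accessed. The following Python check is an added example, not part of the original article and not code from the company; the log format, the `/docs/view` path and the `DocumentId` parameter name are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in combined log format. The /docs/view path and the
# DocumentId parameter name are assumptions, not taken from the article.
SAMPLE_LOG = """\
203.0.113.7 - - [24/May/2019:10:00:01 +0000] "GET /docs/view?DocumentId=1000451 HTTP/1.1" 200 5120
198.51.100.20 - - [24/May/2019:10:00:02 +0000] "GET /docs/view?DocumentId=884120 HTTP/1.1" 200 4096
203.0.113.7 - - [24/May/2019:10:00:03 +0000] "GET /docs/view?DocumentId=1000452 HTTP/1.1" 200 5230
192.0.2.33 - - [24/May/2019:10:00:04 +0000] "GET /docs/view?DocumentId=500010 HTTP/1.1" 200 3000
203.0.113.7 - - [24/May/2019:10:00:05 +0000] "GET /docs/view?DocumentId=1000453 HTTP/1.1" 200 4800
192.0.2.33 - - [24/May/2019:10:00:06 +0000] "GET /docs/view?DocumentId=500009 HTTP/1.1" 200 3100
198.51.100.20 - - [24/May/2019:10:00:07 +0000] "GET /docs/view?DocumentId=1203377 HTTP/1.1" 200 4096
203.0.113.7 - - [24/May/2019:10:00:08 +0000] "GET /docs/view?DocumentId=1000454 HTTP/1.1" 200 5001
192.0.2.33 - - [24/May/2019:10:00:09 +0000] "GET /docs/view?DocumentId=500008 HTTP/1.1" 200 2900
203.0.113.7 - - [24/May/2019:10:00:10 +0000] "GET /docs/view?DocumentId=1000455 HTTP/1.1" 200 5300
192.0.2.33 - - [24/May/2019:10:00:11 +0000] "GET /docs/view?DocumentId=500007 HTTP/1.1" 404 210
"""

# client address, numeric document ID, HTTP status
LINE_RE = re.compile(r'^(\S+) .*?"GET \S*[?&]DocumentId=(\d+)\S* HTTP/[\d.]+" (\d{3})')

def parse_fetches(log_text):
    """Yield (client, doc_id) for each successful (200) document fetch, in log order."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(3) == "200":
            yield m.group(1), int(m.group(2))

def longest_walk(ids):
    """Length of the longest run in which each ID is the previous one plus or minus 1."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if abs(cur - prev) == 1 else 1
        best = max(best, run)
    return best

def flag_enumerators(log_text, min_run=4):
    """Map client -> longest consecutive-ID walk, for clients at or above min_run."""
    per_client = defaultdict(list)
    for client, doc_id in parse_fetches(log_text):
        per_client[client].append(doc_id)
    walks = {client: longest_walk(ids) for client, ids in per_client.items()}
    return {client: n for client, n in walks.items() if n >= min_run}

if __name__ == "__main__":
    print(flag_enumerators(SAMPLE_LOG))
```

The `min_run` threshold is a tuning choice: a legitimate user who opens two or three adjacent documents stays below it, while a client stepping through the number space does not.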