SANTA ANA, Calif. — The exposure of more than 885-million mortgage-related records has been confirmed by First American Financial Corp., a provider of title insurance. The company said it has since fixed a vulnerability in its website that exposed records related to deals going back 16 years.
According to cybersecurity analyst Brian Krebs who first reported the vulnerability on KrebsonSecurity.com, the vulnerability would have allowed anyone to gain access to Social Security numbers, bank account details, driver’s license and mortgage and tax records.
Krebs told the New York Times he learned of the vulnerability in First American’s website after getting tipped off by Ben Shoval, a real estate developer in Washington State. Shoval said he told Krebs after getting little response from the company.
Easy Exploitation
Krebs said he notified First American and waited for the company to fix the flaw before publicizing it.
According to Krebs, all that was needed to exploit the vulnerability was tweaking a single digit in the address of a file reached through the site. No password or other login credentials were required. Most of the 885 million exposed files were wire transactions with bank account numbers, data that First American collects because it is a widely used seller of real estate title insurance, the New York Times said.