A data leak at First American, the largest real estate title insurance company in the United States, has exposed the transaction records of about 900 million customers.
Brian Krebs of KrebsOnSecurity broke the story, reporting that the documents involve mortgage deals and date back 16 years to 2003. Krebs reported that the leaked documents include bank account numbers and transaction records, Social Security numbers, driver’s license images, tax records and more.
According to a separate report, the leak was discovered by Ben Shoval, a real estate developer in Washington state. Shoval noticed that simply raising or lowering a single digit in the document URL sent to him loaded sensitive documents belonging to other people.
"The document dates at the URLs with numbers most closely matched to Shoval’s original link were also closely matched to the date of his personal documents, indicating that First American was not only allowing global access to anyone with the right URL but also issuing new URLs with sequential numbers. At least 885 million of these records were available during the vulnerability window," the report said.
KrebsOnSecurity also noted that the available documents dated back to 2003, and new documents were being generated until May 24. The company has since disabled the leaky URLs and said that it will not comment until an internal review is completed.
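The behaviour Shoval observed, sequential document numbers served to anyone holding a URL, is a missing authorization check on a guessable identifier. The following is an added example, not First American's code: the document store, user names and function names are all constructed for illustration. It shows the flawed lookup beside a hardened one that issues random link tokens and checks the requester against the document owner.

```python
import secrets

# Constructed sample store: document number -> (owner, contents). Not real data.
DOCUMENTS = {
    1001: ("alice", "closing statement A"),
    1002: ("bob", "wire instructions B"),
    1003: ("carol", "tax record C"),
}


def fetch_insecure(doc_number):
    """Flawed pattern: the number in the URL is the only thing consulted."""
    record = DOCUMENTS.get(doc_number)
    return record[1] if record else None


class DocumentService:
    """Hardened pattern: unguessable link tokens plus an owner check per request."""

    def __init__(self, documents):
        self._documents = documents
        self._tokens = {}  # link token -> document number

    def issue_link(self, doc_number):
        # 32 random bytes: links carry no ordering and cannot be derived
        # from a neighbouring link.
        token = secrets.token_urlsafe(32)
        self._tokens[token] = doc_number
        return token

    def fetch(self, token, session_user):
        doc_number = self._tokens.get(token)
        if doc_number is None:
            return None  # unknown token, including a raw document number
        owner, contents = self._documents[doc_number]
        if session_user != owner:
            return None  # wrong user, or no authenticated session (None)
        return contents


if __name__ == "__main__":
    print("insecure, neighbour of 1002:", fetch_insecure(1003))
    service = DocumentService(DOCUMENTS)
    link = service.issue_link(1002)
    print("hardened, owner:", service.fetch(link, "bob"))
    print("hardened, other user:", service.fetch(link, "alice"))
    print("hardened, no session:", service.fetch(link, None))
```

The random token alone is not the fix: a link can be forwarded or logged, so the owner check in `fetch` is what keeps one customer's link from opening another customer's document.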