SECURITY
A security flaw in the website of First American Financial Corp., the large real estate title insurance firm, has exposed over 885 million private and confidential customer records dating back to 2003.
Discovered by a real estate developer who contacted KrebsOnSecurity, the data exposure, outlined on the site Friday, stemmed from how documents stored by First American on its website could be accessed. Starting from a link generated by a search, anyone could change the number in that link to bring up other documents, none of which were secured.
The documents are staggering not only in their number but in the range of personal details they included: bank account numbers, bank statements, mortgage records, tax documents, wire transfer receipts, Social Security numbers and photos of driver’s licenses.
The exposed data was quickly taken down and First American admitted to the security breach, describing it as a “design defect in an application that made possible unauthorized access to customer data.” The company did not say whether the data had or hadn’t been accessed by nefarious actors, noting only that it had hired an outside forensic firm to find out whether data had been stolen.
Jon Bottarini, hacker and lead federal technical programs manager at security testing firm HackerOne Inc., told SiliconANGLE that the data breach related to an Insecure Direct Object Reference vulnerability because “the developer who found the vulnerability stated that he was retrieving different documents by simply changing the document number.”
“Modifying the document number in his link by numbers in either direction yielded other people’s records before or after the same date and time,” Bottarini said. “What’s interesting is that since a large majority of lenders use First American, it is highly possible that some of the recent scams regarding escrow fraud could be related to this breach in particular.”
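The Insecure Direct Object Reference pattern described above comes down to a lookup that never checks the requested object against the caller. As an added example (not First American's code; the document store, user names and function names are constructed for illustration), this Python code puts the flawed lookup beside a hardened one, with a regression check a developer can run against their own handler:

```python
# Added illustration: every name and record here is constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str   # account the record belongs to
    title: str

# Constructed sample store keyed by sequential document number.
STORE = {
    1001: Document(1001, "alice", "Wire transfer receipt"),
    1002: Document(1002, "bob", "Mortgage record"),
    1003: Document(1003, "alice", "Tax document"),
}

class AccessDenied(Exception):
    pass

def fetch_insecure(user: Optional[str], doc_id: int) -> Optional[Document]:
    """Flawed pattern: the caller's identity is never consulted."""
    return STORE.get(doc_id)

def fetch_authorized(user: Optional[str], doc_id: int) -> Document:
    """Hardened: require a session, then check the object against it."""
    if user is None:
        raise AccessDenied("authentication required")
    doc = STORE.get(doc_id)
    # One error for 'missing' and 'not yours', so replies don't reveal
    # which document numbers exist.
    if doc is None or doc.owner != user:
        raise AccessDenied("not found or not permitted")
    return doc

def audit(user, doc_ids, fetch):
    """Regression check: IDs returned to `user` that `user` does not own."""
    leaked = []
    for doc_id in doc_ids:
        try:
            doc = fetch(user, doc_id)
        except AccessDenied:
            continue
        if doc is not None and doc.owner != user:
            leaked.append(doc_id)
    return leaked
```

Run in CI against the real handler, `audit` should return an empty list for every test account, including the unauthenticated case.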
Bottarini explained that escrow fraud depends on both naiveté and speed, since it relies on fake email accounts to execute the scam. “Fraudsters do this by hacking into a title company’s system to retrieve emails and information about upcoming home purchases,” he said. “If a scammer had access and decided to exploit this vulnerability, in particular, it would save a ton of time and effort and make this scam very easy to pull off because they would have all the personal identifiable information necessary without having to hack into each individual title company.”
Marten Mickos, HackerOne’s chief executive officer, noted that the developer who provided the details to KrebsOnSecurity did so only after reaching out to First American with no success. That, he added, should be a lesson for other companies: “It’s important for companies, especially those dealing with mounds of sensitive personal data, to have a public-facing way to report bugs and vulnerabilities.”