About 885 million documents, including bank account numbers, mortgage records, Social Security numbers, drivers’ license images and tax records, have been leaked by First American Financial Corp.’s website.’
Anyone with a web browser and a URL for a legitimate document could access the real estate title company’s records, according to a report by KrebsOnSecurity, which noted many of the documents related to wire transactions involving property buyers and sellers.
“At first glance it appears that this vulnerability is an insecure direct object reference (IDOR) because the developer who found the vulnerability stated that he was retrieving different documents by simply changing the document number,” said Jon Bottarini, hacker and lead federal technical programs manager at HackerOne. “Modifying the document number in his link by numbers in either direction yielded other peoples’ records before or after the same date and time.”
The impact of the exposure is unknown. “It should be noted that while the vulnerability in the system has been confirmed, it’s unclear that it was exploited by malicious individuals. In that respect, it is difficult to assess the full impact at this moment,” said Hardik Modi, senior director of threat intelligence at NetScout. “I would expect that an investigation of logs should reveal whether there was actual malicious access of records at any scale.”
But Bottarini noted “that since a large majority of lenders use First American, it is highly possible that some of the recent scams regarding escrow fraud could be related to this breach in particular.”
Successful escrow fraud plays on both “naivité and speed as it relies on fake email accounts to execute the scam,” he said. “If a scammer had access and decided to exploit this vulnerability in particular, it would save a ton of time and effort and make this scam very easy to pull off because they would have all the Personal Identifiable Information (PII) necessary without having to hack into each individual title company.” Arrmed with that information, the fraudster can easily “spoof the title company’s site and send instructions to the end user to wire money needed to close on a property, usually to the fraudster’s account.”
The First American incident is just the latest in a string of examples of how many of the legacy systems that underlie our society are inherently flawed,” said Ernesto DiGiambattista, founder and CEO, ZeroNorth. “We know the company exposed hundreds of millions of records that date back 16 years, but we don’t yet know how long they had been exposed.”
Since threat actors “continue to exploit vulnerabilities that may have existed for months or years, and as business and economies are increasingly driven by technology,” DiGiambattista said, “the threat of legacy systems becomes more severe.”