First American Financial exposed 16 years’ worth of personal and financial documents

The US real-estate insurance biz, First American Financial, accidentally leaked customers’ highly personal files online, hundreds of millions of documents.

The US real-estate insurance company First American Financial Corp. accidentally leaked hundreds of millions of documents. The company has more than 18,000 employees and brought in more than $5.7 billion in 2018.

Roughly 885 million insurance-related documents were leaked online, including details of wire transfers, and property records.

The documents date back to 2003 and include bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers license images.

The news was first reported by the popular investigator Brian Krebs who was informed of the leak by the real-estate developer Ben Shoval.

“Earlier this week, KrebsOnSecurity was contacted by a real estate developer in Washington state who said he’d had little luck getting a response from the company about what he found, which was that a portion of its Web site ( was leaking tens if not hundreds of millions of records.” reads a blog post published by Brian Krebs, “He said anyone who knew the URL for a valid document at the Web site could view other documents just by modifying a single digit in the link.”

Shoval discovered that the documents were exposed online through the company website, anyone who knew the URL for one of the documents could view it, and by just by modifying a single digit in the link could view other files.

The developer shared its discovery with Krebs after attempting to notify the data leak to the company without success.

At the time of writing, First American Financial has updated its website and secured the documents.

“We are currently evaluating what effect, if any, this had on the security of customer information,” a spokesperson said. “We will have no further comment until our internal review is completed.”

The company confirmed that on May 24, 2019, it learned of a design flaw in one of its production applications that made possible unauthorized access to the huge trove of data.

It is not clear how long the documents remained exposed online, but querying the website it is possible to verify that documents were available from at least March 2017.

“First American has learned of a design defect in an application that made possible unauthorized access to customer data. At First American, security, privacy and confidentiality are of the highest priority and we are committed to protecting our customers’ information.” reads a statement sent by the company to Krebs. “The company took immediate action to address the situation and shut down external access to the application. We are currently evaluating what effect, if any, this had on the security of customer information. We will have no further comment until our internal review is completed.”

First American Financial is still investigating the incident and hired a forensics firm to help it.

If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

Pierluigi Paganini

FAIR USE NOTICE: Under the "fair use" act, another author may make limited use of the original author's work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material "for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright." As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner's exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.

Global InfoSec Awards 2022

We are in our 10th year, and these awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.


10th Anniversary Exclusive Top 100 CISO Conference & Innovators Showcase