Due to the nature of its business, those files include a variety of sensitive information, including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts and drivers license images. Ben Shoval, the real estate developer who discovered the vulnerability and who told Krebs about the issue, also said that small business clients might’ve even given First American access to internal documents.
After Shoval contacted Krebs about the issue earlier this week, the security researcher confirmed that the company’s website was returning documents simply by changing digits in the URL. First American ultimately switched off the part of its website that served those files by around 2PM on May 24th. Krebs clarified however, that he has no information suggesting the exposed files were harvested. It’s also unclear when the vulnerability first showed up, though Krebs discovered that it’s been around since at least March [...]