Although the security breach had been fixed as of Friday, it previously let anyone who had a link to certain documents on First American’s website access additional electronic records simply by changing a single digit in the URL.

A newly discovered design flaw on the website of First American Financial Corp., a massive publicly traded title insurance company, allowed anyone with internet access to view roughly 885 million highly sensitive real estate documents, according to a report out Friday.

The documents included an array of information including Social Security numbers, mortgage and tax records, drivers license images, bank account numbers and other things, according to Brian Krebs, an independent cybersecurity journalist and researcher, via his website Krebs on Security.

Though the security breach had been fixed as of Friday, it previously let anyone who had a link to certain documents on First American’s website access additional electronic records simply by changing a single digit in the URL.

Krebs — a former Washington Post reporter who now runs his eponymous site — wrote that he first learned that the massive trove of documents was freely available after a real estate developer contacted him to say that First American’s website was “leaking tens if not hundreds of millions of records.”

Krebs then confirmed that report and discovered that roughly 885 million documents spanning 16 years were publicly viewable. He wrote that “no authentication was required to read the documents,” some of which were PDF files that detailed upcoming real estate transactions.

Southern California-based First American provides an array of real estate-related services including title insurance for residential, commercial and developer-related transactions. The company also offers mortgage services for lenders, home warranties, trust services, and various other products.

In 2018, First American reported $5.7 billion in revenue. In its most recent earnings report, the publicly traded company described itself as “a leading global provider of title insurance, settlement services and risk solutions for real estate transactions.”

Though the company’s stock rose slightly while markets were open Friday, its share price subsequently fell more than 2 percent in after hours trading as investors reacted to news of the security breach.

Credit: Google

In a statement to Inman Saturday, the company said that it discovered “design defect in one of its production applications that made possible unauthorized access to customer data.”

“Therefore, the company took immediate action to address the situation and shut down external access to the application,” the statement continued. “We are currently evaluating what effect, if any, this had on the security of customer information. We have hired an outside forensic firm to assure us that there has not been any meaningful unauthorized access to our customer data.”

In the meantime, Krebs wrote that he did “not have any information on whether this fact was known to fraudsters previously, nor do I have any information to suggest the documents were somehow mass-harvested.”

However, it would not have been difficult for bad actors to get and use the information in the First American documents, and as Krebs points out, that data would be a “virtual gold mine for phishers and scammers.”

The breach also comes amid growing concern over cyber security in the real estate industry. Late last year for example, scammers stole an entire $122,850 downpayment from an Oregon family via a phishing scheme. That same month, the National Association of Realtors reported that its members were the targets of an ongoing email scam.

Additional reports also show that such incidents are not isolated; a report in late 2017 found that escrow scams had grown by $950 million that year, and at the end of 2018 a report revealed that real estate companies had suffered an average of 54 cyber attacks in just the previous quarter alone.

The 2018 report also found that real estate companies are prime targets for cyber attacks in part because they deal with high dollar transactions that often take place online.

Email Jim Dalrymple II

Show Comments Hide Comments


Sign up for Inman’s Morning Headlines
What you need to know to start your day with all the latest industry developments
By submitting your email address, you agree to receive marketing emails from Inman.
Thank you for subscribing to Morning Headlines.
Back to top
Only 3 days left to register for Inman Connect Las Vegas before prices go up! Don't miss the premier event for real estate pros.Register Now ×
Limited Time Offer: Get 1 year of Inman Select for $199SUBSCRIBE×
Log in
If you created your account with Google or Facebook
Don't have an account?
Forgot your password?
No Problem

Simply enter the email address you used to create your account and click "Reset Password". You will receive additional instructions via email.

Forgot your username? If so please contact customer support at (510) 658-9252

Password Reset Confirmation

Password Reset Instructions have been sent to

Subscribe to The Weekender
Get the week's leading headlines delivered straight to your inbox.
Top headlines from around the real estate industry. Breaking news as it happens.
15 stories covering tech, special reports, video and opinion.
Unique features from hacker profiles to portal watch and video interviews.
Unique features from hacker profiles to portal watch and video interviews.
It looks like you’re already a Select Member!
To subscribe to exclusive newsletters, visit your email preferences in the account settings.
Up-to-the-minute news and interviews in your inbox, ticket discounts for Inman events and more
1-Step CheckoutPay with a credit card
By continuing, you agree to Inman’s Terms of Use and Privacy Policy.

You will be charged . Your subscription will automatically renew for on . For more details on our payment terms and how to cancel, click here.

Interested in a group subscription?
Finish setting up your subscription