This Week in Data Breaches: 885 Million Financial Documents Exposed by First American

From 885 million mortgage documents exposed by First American in a massive data leak to a breach at Stack Overflow, here we round up the latest in data security and privacy news.

885 Million Financial Documents Exposed by First American in Massive Data Leak

Real estate and title insurance giant First American leaked hundreds of millions of mortgage related financial documents that date back as far as 2003. The documents included bank statements, bank account numbers, tax records, Social Security numbers, wire transactions, drivers licenses, and more. In total, 885 million documents were exposed on its website, available for anyone to access with a web browser. Providing a massive treasure trove of data to fraudsters and putting millions of home buyers and sellers at heightened risk for a wide-range of identity fraud.

First American is a Fortune 500 company with over 18,000 employees, and is one of the most-widely used companies for title insurance and mortgage closings. When closing on a home, both buyers and sellers present reams of legal and financial documents that are then collected by a title insurance and closing agency. These documents include nearly every bit of private, sensitive information that one can provide. If leaked or stolen, these documents expose all of the keys to your identity and financial life in one fell swoop.

In a statement, the company said, “First American has learned of a design defect in an application that made possible unauthorized access to customer data…We are currently evaluating what effect, if any, this had on the security of customer information.” Brian Krebs, the security researcher who was the first alerted to the leak, said, “The information exposed by First American would be a virtual gold mine for phishers and scammers involved in so-called Business Email Compromise (BEC) scams, which often impersonate real estate agents, closing agencies, title and escrow firms in a bid to trick property buyers into wiring funds to fraudsters.”

Google Stored G-Suite Passwords in Plaintext

Following on the heels of revelations that Facebook stored hundreds of millions of user passwords unencrypted for years, Google announced last week that it too had stored passwords unprotected in plain text. In a statement, Google said that a small percentage of G-Suite users, including business and corporate accounts, were affected by a bug in a password recovery feature for administrators that left passwords unencrypted in the admin panel.

Normally, Google stores passwords as cryptographic hashes so that the company doesn’t actually know users’ passwords, but, as a result of the bug, some passwords were stored in plaintext and accessible by Google employees. The bug was in existence since 2005, meaning that an unknown number of passwords were being stored in plaintext over the course of 14 years, since the inception of “Google for Work.”

In a blog post, Google said that it is “working with enterprise administrators to ensure that their users reset their passwords” and that in the course of its investigation found “no evidence of improper access to or misuse of the affected G Suite credentials.” However, while troubleshooting G-Suite customer sign-up flows, it also found another bug, which was inadvertently introduced in January 2019, that stored unhashed passwords for new G-Suite customers for up to 14 days before being purged. That issue has also been fixed.

While Google has auto-reset all affected passwords, it is recommended that G-Suite administrators enable two-factor authentication company wide. If you have a G-Suite account, make sure to turn on two-factor authentication if you haven’t already.

Stack Overflow Data Breach

Stack Overflow, a question and answer site for developers, acknowledged that user data was accessed by hackers in a data breach on May 5 “when a build deployed to the development tier for stackoverflow.com contained a bug, which allowed an attacker to log in to our development tier as well as escalate their access on the production version of stackoverflow.com,” according to Mary Ferguson, Stack Overflow’s vice president of engineering.

The company said that it “identified privileged web requests that the attacker made that could have returned IP address, names, and emails” for some of its public network users. No evidence was discovered that Stack Overflow’s teams, business, and enterprise customers were affected. According to the company, the breach was “quickly identified and we revoked their access network-wide, began investigating the intrusion, and began taking steps to remediate the intrusion.”

Stack Overflow is just the latest in a string of high profile data breaches, from Marriott's exposure of 500 million guest records to the massive data breach at Equifax that left more than 147 million Americans at increased risk of identity theft. More than 2.6 billion records were leaked or stolen in over 1,200 data breaches in 2018 alone, leading to $14.7 billion in losses due to identity fraud. Now, more than ever, it is vital that consumers take back control of their data and take the steps necessary to protect themselves online.

Bloom: Take Back Control of Your Data

At Bloom, we are giving you the tools to take back control of your data. No more centralized data storage. No more selling off your data to the highest bidder. No more risking identity theft. Bloom enables you to own, control, and protect your data using the latest advancements in blockchain technology.

It’s time to take back control of your data and unlock the power of a secure, reusable identity today. Download the Bloom mobile app to build a cryptographically secured identity, sign-up for data breach alerts with Radar, and browse the latest credit offers in the Marketplace!