An unprotected server leaked 24 million sensitive housing documents not once but twice

If you live in the U.S. and bought a house sometime over the last decade, your information may be at risk. According to TechCrunch, more than 24 million mortgage and banking documents were exposed not once but twice.

The exposed information included mortgage loan agreements, payment schedules, borrowers’ phone numbers, and other sensitive financial data.

The culprit? A single unsecured server. If you think that’s bad, it gets worse: In addition to housing millions of sensitive documents, this server didn’t even include a password.

In other words, this information was available to anyone who had five seconds to open their browser and type in the URL.

Leaving valuables inside with the front door unlocked

The documents in question were stored by Ascension, a third-party data and analytics company. In a public blog post, infosec expert Bob Diachenko, who first discovered the public server, stated that there were more than 24 million records openly available.

The records, which go back more than a decade, amounted to a whopping 51 GB of OCR (optical character recognition) data. While raw OCR output is not easy to read at a glance, it can easily be parsed to divulge private details.

“This information would be a gold mine for cybercriminals who would have everything they need to steal identities, file false tax returns, get loans or credit cards,” Diachenko wrote.

The lenders had no idea these documents existed

The exposed server housed tens of thousands of financial documents from a range of different banks and institutions, including Wells Fargo, Capital One, HSBC Life Insurance, CitiFinancial, and more. While the information was somewhat scrambled, it was relatively easy to reconstruct—especially if a person was to use the right tools.

But here’s the kicker: Most of the banks have gone on record saying they have zero affiliation with Ascension. In fact, Wells Fargo went on record stating that it had “no vendor relationship with Ascension since 2010.” HSBC said the same thing.

This means people’s personal housing documents jumped around from different companies, changing hands multiple times—in some cases without the original financial lender even knowing—to eventually land on a website that all but invited strangers in.

Fool me twice, shame on you

The exposure seems like an open-and-shut case, right? Unfortunately not. A day after the initial report, Diachenko found another unsecured server that housed the same files. This server once again had no password lock and, even worse, listed all the sensitive documents in plain text.

Again, it gets worse. The files were stored on an Amazon S3 storage server, which by default enables password protection. This means the party (or parties) responsible for housing these personal documents voluntarily deactivated the password protection settings.

That’s like keeping all your money under your mattress, physically removing your front door, and then going on a week-long vacation!
