Home of internet privacy

An unprotected server leaked 24 million sensitive housing documents not once but twice

This post was originally published on February 28, 2019.

If you live in the U.S. and bought a house sometime over the last decade, your information may be at risk. According to TechCrunch, more than 24 million mortgage and banking documents were exposed not once but twice.

The exposed information included mortgage loan agreements, payment schedules, borrowers’ phone numbers, and other sensitive financial data.

The culprit? A single unsecured server. If you think that’s bad, it gets worse: In addition to housing millions of sensitive documents, this server didn’t even include a password.

In other words, this information was available to anyone who had five seconds to open their browser and type in the URL.

Leaving valuables inside with the front door unlocked

The documents in question were stored by Ascension, a third-party data and analytics company. In a public blog post, infosec expert Bob Diachenko, who first discovered the public server, stated that there were more than 24 million records openly available.

The records, which go back more than a decade, housed a whopping 51 GB of OCR (optical character recognition) data. While this type of text is readily readable to the naked eye, it can easily be parsed together to divulge private details.

“This information would be a gold mine for cybercriminals who would have everything they need to steal identities, file false tax returns, get loans or credit cards.,” Diachenko wrote.

The lenders had no idea these documents existed

The exposed server housed tens of thousands of financial documents from a range of different banks and institutions, including Wells Fargo, Capital One, HSBC Life Insurance, CitiFinancial, and more. While the information was somewhat scrambled, it was relatively easy to reconstruct—especially if a person was to use the right tools.

But here’s the kicker: Most of the banks have gone on record saying they have zero affiliation with Ascension. In fact, Wells Fargo went on record stating that it had “no vendor relationship with Ascension since 2010.” HSBC said the same thing.

This means people’s personal housing documents jumped around from different companies, changing hands multiple times—in some cases without the original financial lender even knowing—to eventually land on a website that all but invited strangers in.

Fool me twice, shame on you

The exposure seems like an open and shut case, right? Unfortunately not. A day after the initial report, Diachenko found another unsecure server that housed the same files. This server once again didn’t include a password lock, and even worse, actually listed all the sensitive documents in plain text.

Again, it gets worse. The files were stored on an Amazon S3 storage server, which by default enables password protection. This means the party (or parties) responsible for housing these personal documents voluntarily deactivated the password protection settings.

That’s like keeping all your money under your mattress, physically removing your front door, and then going on a week-long vacation!

It’s worth noting that like the first cache of data, this one also included W-2s and other sensitive financial documents. Unfortunately, there’s also no way to tell how long this information was exposed, or which parties had viewed it.

“I would assume that after such publicity like these guys had, first thing you would do is to check if your cloud storage is down or, at least, password-protected,” Diachenko said.

Apparently not.

Steps to help secure your information

While it’s perfectly possible that no harm was done, it never hurts to be prepared. If you live in the U.S. and bought a house in the last decade, you may want to take a few minutes to go over your recent credit reports to see if there are any major changes.

Enabling 2-factor authentication on your various online accounts is also recommended. By setting up a second login method, third parties won’t be able to log into your various accounts—even if they have all of your information.

Additionally, it’s also important to double check any and all email addresses before you open an attachment. With pieces of your personal information at hand, hackers are known to send out malicious emails disguised as a reputable company that often mention specific details (i.e., your username, password, etc.), and then urge the recipient to change (or confirm) their password, open an attachment, and more.

If you don’t know the recipient—or if an email is automatically flagged as suspicious—it’s best to approach with caution.

While this story is still under development, it serves as a cautionary tale to always enable your password and security settings. Because you can’t trust a random company to protect your personal details, it’s up to you to take your privacy into your own hands.