New York (CNN Business) A leading US real estate and mortgage insurer, First American Financial Corp. , left vulnerable an enormous trove of digital documents, some of which may have contained social security numbers and bank account information.

Bad actors only needed a web address to view the documents as they were left without password protection or other encryption, according to a Friday post from the popular cybersecurity blog Krebs on Security , which is run by journalist Brian Krebs.

The information had been hosted online since at least March 2017, according to the post , and nearly 900 million files may have been exposed, though it is not clear if any were improperly accessed.

Some of the documents included bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers' license images, according to the Krebs post.

confirmed in a statement to CNN Business Saturday that "On May 24th, First American learned of a design defect in one of its production applications that made possible unauthorized access to customer data."

"The company took immediate action to address the situation and shut down external access to the application," the statement reads. "We are currently evaluating what effect, if any, this had on the security of customer information. We will have no further comment until our internal review is completed."

The company did not confirm how many documents may have been exposed or detail how many customers could have been impacted over what time period.

Krebs said it notified First American of the vulnerability on Friday.

According to the Krebs blog, it was extremely easy to access the documents: if a person knew the URL of one document — say if First American sent you a link to a document involved in your real estate loan — slightly tweaking the last few digits of the web address could take the user directly to another person's sensitive information. The security experts were able to find documents going back to 2003.