July 11, 2022

Twice in the past month KrebsOnSecurity has heard from readers who had their accounts at big-three credit bureau Experian hacked and updated with a new email address that wasn’t theirs. In both cases the readers used password managers to select strong, unique passwords for their Experian accounts. Research suggests identity thieves were able to hijack the accounts simply by signing up for new accounts at Experian using the victim’s personal information and a different email address.

John Turner is a software engineer based in Salt Lake City. Turner said he created the account at Experian in 2020 to place a security freeze on his credit file, and that he used a password manager to select and store a strong, unique password for his Experian account.

Turner said that in early June 2022 he received an email from Experian saying the email address on his account had been changed. Experian’s password reset process was useless at that point because any password reset links would be sent to the new (impostor’s) email address.

An Experian support person Turner reached via phone after a lengthy hold time asked for his Social Security Number (SSN) and date of birth, as well as his account PIN and answers to his secret questions. But the PIN and secret questions had already been changed by whoever re-signed up as him at Experian.

“I was able to answer the credit report questions successfully, which authenticated me to their system,” Turner said. “At that point, the representative read me the current stored security questions and PIN, and they were definitely not things I would have used.”

Turner said he was able to regain control over his Experian account by creating a new account. But now he’s wondering what else he could do to prevent another account compromise.

“The most frustrating part of this whole thing is that I received multiple ‘here’s your login information’ emails later that I attributed to the original attackers coming back and attempting to use the ‘forgot email/username’ flow, likely using my SSN and DOB, but it didn’t go to their email that they were expecting,” Turner said. “Given that Experian doesn’t support two-factor authentication of any kind — and that I don’t know how they were able to get access to my account in the first place — I’ve felt very helpless ever since.”

Arthur Rishi is a musician and co-executive director of the Boston Landmarks Orchestra. Rishi said he recently discovered his Experian account had been hijacked after receiving an alert from his credit monitoring service (not Experian’s) that someone had tried to open an account in his name at JPMorgan Chase.

Rishi said the alert surprised him because his credit file at Experian was frozen at the time, and Experian did not notify him about any activity on his account. Rishi said Chase agreed to cancel the unauthorized account application, and even rescinded its credit inquiry (each credit pull can ding your credit score slightly).

But he never could get anyone from Experian’s support to answer the phone, despite spending what seemed like eternity trying to progress through the company’s phone-based system. That’s when Rishi decided to see if he could create a new account for himself at Experian.

“I was able to open a new account at Experian starting from scratch, using my SSN, date of birth and answering some really basic questions, like what kind of car did you take out a loan for, or what city did you used to live in,’ Rishi said.

Upon completing the sign-up, Rishi noticed that his credit was unfrozen.

Like Turner, Rishi is now worried that identity thieves will just hijack his Experian account once more, and that there is nothing he can do to prevent such a scenario. For now, Rishi has decided to pay Experian $25.99 a month to more closely monitor his account for suspicious activity. Even using the paid Experian service, there were no additional multi-factor authentication options available, although he said Experian did send a one-time code to his phone via SMS recently when he logged on.

“Experian now sometimes does require MFA for me if I use a new browser or have my VPN on,” Rishi said, but he’s not sure if Experian’s free service would have operated differently.

“I get so angry when I think about all this,” he said. “I have no confidence this won’t happen again.”

In a written statement, Experian suggested that what happened to Rishi and Turner was not a normal occurrence, and that its security and identity verification practices extend beyond what is visible to the user.

“We believe these are isolated incidents of fraud using stolen consumer information,” Experian’s statement reads. “Specific to your question, once an Experian account is created, if someone attempts to create a second Experian account, our systems will notify the original email on file.”

“We go beyond reliance on personally identifiable information (PII) or a consumer’s ability to answer knowledge-based authentication questions to access our systems,” the statement continues. “We do not disclose additional processes for obvious security reasons; however, our data and analytical capabilities verify identity elements across multiple data sources and are not visible to the consumer. This is designed to create a more positive experience for our consumers and to provide additional layers of protection. We take consumer privacy and security seriously, and we continually review our security processes to guard against constant and evolving threats posed by fraudsters.”

ANALYSIS

KrebsOnSecurity sought to replicate Turner and Rishi’s experience — to see if Experian would allow me to re-create my account using my personal information but a different email address. The experiment was done from a different computer and Internet address than the one that created the original account years ago.

After providing my Social Security Number (SSN), date of birth, and answering several multiple choice questions whose answers are derived almost entirely from public records, Experian promptly changed the email address associated with my credit file. It did so without first confirming that new email address could respond to messages, or that the previous email address approved the change.

Experian’s system then sent an automated message to the original email address on file, saying the account’s email address had been changed. The only recourse Experian offered in the alert was to sign in, or send an email to an Experian inbox that replies with the message, “this email address is no longer monitored.”

After that, Experian prompted me to select new secret questions and answers, as well as a new account PIN — effectively erasing the account’s previously chosen PIN and recovery questions. Once I’d changed the PIN and security questions, Experian’s site helpfully reminded me that I have a security freeze on file, and would I like to remove or temporarily lift the security freeze?

To be clear, Experian does have a business unit that sells one-time password services to businesses. While Experian’s system did ask for a mobile number when I signed up a second time, at no time did that number receive a notification from Experian. Also, I could see no option in my account to enable multi-factor authentication for all logins.

How does Experian differ from the practices of Equifax and TransUnion, the other two big consumer credit reporting bureaus? When KrebsOnSecurity tried to re-create an existing account at TransUnion using my Social Security number, TransUnion rejected the application, noting that I already had an account and prompting me to proceed through its lost password flow. The company also appears to send an email to the address on file asking to validate account changes.

Likewise, trying to recreate an existing account at Equifax using personal information tied to my existing account prompts Equifax’s systems to report that I already have an account, and to use their password reset process (which involves sending a verification email to the address on file).

KrebsOnSecurity has long urged readers in the United States to place a security freeze on their files with the three major credit bureaus. With a freeze in place, potential creditors can’t pull your credit file, which makes it very unlikely anyone will be granted new lines of credit in your name. I’ve also advised readers to plant their flag at the three major bureaus, to prevent identity thieves from creating an account for you and assuming control over your identity.

The experiences of Rishi, Turner and this author suggest Experian’s practices currently undermine both of those proactive security measures. Even so, having an active account at Experian may be the only way you find out when crooks have assumed your identity. Because at least then you should receive an email from Experian saying they gave your identity to someone else.

In April 2021, KrebsOnSecurity revealed how identity thieves were exploiting lax authentication on Experian’s PIN retrieval page to unfreeze consumer credit files. In those cases, Experian failed to send any notice via email when a freeze PIN was retrieved, nor did it require the PIN to be sent to an email address already associated with the consumer’s account.

A few days after that April 2021 story, KrebsOnSecurity broke the news that an Experian API was exposing the credit scores of most Americans.

Emory Roan, policy counsel for the Privacy Rights Clearinghouse, said Experian not offering multi-factor authentication for consumer accounts is inexcusable in 2022.

“They compound the problem by gating the recovery process with information that’s likely available or inferable from third party data brokers, or that could have been exposed in previous data breaches,” Roan said. “Experian is one of the largest Consumer Reporting Agencies in the country, trusted as one of the few essential players in a credit system Americans are forced to be part of. For them to not offer consumers some form of (free) MFA is baffling and reflects extremely poorly on Experian.”

Nicholas Weaver, a researcher for the International Computer Science Institute at University of California, Berkeley, said Experian has no real incentive to do things right on the consumer side of its business. That is, he said, unless Experian’s customers — banks and other lenders — choose to vote with their feet because too many people with frozen credit files are having to deal with unauthorized applications for new credit.

“The actual customers of the credit service don’t realize how much worse Experian is, and this isn’t the first time Experian has screwed up horribly,” Weaver said. “Experian is part of a triopoly, and I’m sure this is costing their actual customers money, because if you have a credit freeze that gets lifted and somebody loans against it, it’s the lender who eats that fraud cost.”

And unlike consumers, he said, lenders do have a choice in which of the triopoly handles their credit checks.

“I do think it’s important to point out that their real customers do have a choice, and they should switch to TransUnion and Equifax,” he added.

More greatest hits from Experian:

2017: Experian Site Can Give Anyone Your Credit Freeze PIN
2015: Experian Breach Affects 15 Million Customers
2015: Experian Breach Tied to NY-NJ ID Theft Ring
2015: At Experian, Security Attrition Amid Acquisitions
2015: Experian Hit With Class Action Over ID Theft Service
2014: Experian Lapse Allowed ID Theft Service Access to 200 Million Consumer Records
2013: Experian Sold Consumer Data to ID Theft Service

Update, 10:32 a.m.: Updated the story to clarify that while Experian does sometimes ask users to enter a one-time code sent via SMS to the number on file, there does not appear to be any option to enable this on all logins.


159 thoughts on “Experian, You Have Some Explaining to Do

  1. Terrell

    Experian needs to do better that isn’t right, that’s people personal information that doesn’t need to exposed seriously.

  2. Dan Rictum

    My daddy says the Credit companies are our friends. My daddy says only cheap whores complain like you all. My daddy says that my daddy says alot.

  3. Kimiad B.

    The whole credit reporting agency thing has completely outlived its usefulness. The system is designed to encourage a lifetime lived in a permanent state of debt (I’m sure the credit card companies just love it!), as well as hosting a money grab on their own behalf by selling unneeded services. Even if you only buy what you can pay cash for and own your home, you still have to deal with these clowns to prevent account theft such as reported in this article from happening. The whole system of allowing companies to spy on your personal life and finances and pass judgement on your worthiness to buy a freaking car or rent an apartment or get insurance seems utterly ridiculous to me. But here we are, people.

    1. Cancel all debts

      The reporting agencies are a symptom of the problem. getting rid of just the CRAs will do nothing, and probably make it much worse.
      If you want to live in a society without credit or debt, you will have to buy an island somewhere and start a new country. As it stands, every existing nation on this planet requires a system of debt and credit.

      1. Charles Costarella

        The fact that the US needs a system of debt and credit doesn’t mean it has to be the system we have now. For decades, in the development of the nation’s economy, we functioned just as well, some would say better, without the Credit Agencies. The problem was, when consumer debt became the norm (my father never had a credit card, we were a middle class family with a house, pool, 2 cars, etc), the business process wasn’t scaling up fast enough, thus the CPA’s. But that’s just a solution of opportunity and now, greed. Something better could be devised.

        1. Something better something worse

          Of course the system is not perfect and there has to be a betterway.

          But let’s not get nostalgic about the past before credit reporting agencies.
          Lenders still had to assess risk and pass judgment on creditworthiness. Back then they simply asked for more collateral.
          The loan officers were also given wider discretion to determine if someone was “economically viable” based on more arbitrary info. Redlining and overt racism plagued the lending industry.
          The CRAs were born out of legislation because the previous way was NOT WORKING fairly for everyone.

  4. Bill W.

    The *intentional* sloppy security on the free account is probably meant to incentivize people to sign up for the paid monitoring. Notice one of the victims in the story, once he signed up for the paid service, now gets 2FA when logging in from a different browser or VPN.

    The fix is simple:
    1) When someone tries to create an account and an account already exists for the credit file: “Sorry an account is already associated, use the password reset function for the existing account”.
    2) For the scenario when a fraudster might have created the account before the legit user had a chance to, give them a number to call for a customer service rep, to get control of the account.
    3) *NEVER* allow re-creation of an account when one already exists for the credit file.
    4) Allow user to turn on 2FA for all logins

  5. Barbara

    My personal information is on the dark web because of a data breach at Equifax that affected approximately147 million people (https://www.equifaxbreachsettlement.com/) Experian credit monitoring was part of the settlement I and other victims received. Transunion credit reports are full of errors, including false information that’s impossible to remove. After reading this article, it’s clear to me that none of the three Consumer Reporting Agencies are reliable or trustworthy. Consumers beware!

  6. Mill

    Does it make any difference if you use an email address as the username or a non-email username to create the account?

  7. Blanche Dubois

    This Experian expose is devastating news and a complete violation of citizen trust.
    The trust that if the citizen followed the FCRA law and regulations, he could rely on the CRAs to defend his critical data and CR, which after all, are the CRAs only product to sell to lenders, marketers, and algorithm developers.
    Thanks Brian for confirming my 8 months of suspicions re. online CRA registration and access, now confirmed for Experian.
    Recent responses to me from the other 2 major CRAs about how they defend me from a data thug with all my breached critical identifiers (& 20 years of collected daily life data), have not raised my confidence.
    This “backdoor hole” via the CRA’s online access portal to my SecFrz is available at every CRA, dependent only on that CRA’s vetting protocol to screen out the data thugs.
    Experian appears to have little to none.
    There are now 100+ Scores out there, determining your access to services, and more coming every day. All dependent on the accuracy of your CR, and its compromise.
    Anyone who uses the CRAs’ online access to their CR, AFCR, SecFrz, etc., likely has not read the “weak security” warnings about SMS comms from: NIST (2016); numerous FBI warnings since; and NSA’s 29Jy2021 warning.
    For that reason and prior CRA breaches, I have refused online registration and continued with the mail and telephone protocols since 2006, with excellent results. If I want a temporary SecFrz “lift”, I’ve got it within 15 minutes.
    What I need now from the CRAs is a permanent, total block from anyone (me or a data thug) from EVER registering as me online at any CRA website.
    Since I would then be protecting the CRA’s prime revenue asset (my critical data), and the data thug’s use of it to defraud US lenders and Merchants, that block should be without cost to me.
    For those who do use CRA online access, I wish you much good luck.
    Given the CRAs’ demonstrated attitudes towards Consumers, your “temporary convenience” is likely at the cost of your eventual compromise.
    The regulator of the CRAs is the FTC (read the FCRA law); it and Congress are the only legal solution to these demonstrated, repetitive, CRA behavior problems.
    Electronic commerce is, and has been, untrustworthy for decades.

    1. nick

      how do you figure that that blocks a fraudster’s ability to use your data to set up a fraudulent account? That is the problem, there seems to be no way to do that.
      are you indicating that since you HAVE no account set up, that the fraudster then can’t set up another one?
      just trying to figure this out.
      thanks

  8. jeff c

    As some others have mentioned above, there is no ‘other choice’ here. You do not have to pay for extra Experian services, true, but there is no way, as far as I know, to avoid having your credit monitored by any of the 3 credit bureaus in the USA. Maybe if you had no SS# and lived off the grid? This should be mentioned in the article. You can’t vote directly with your own individual pocketbook, away from Experian, really.

    1. Not your data

      Right, choice is an illusion. But then again, you aren’t a customer. CRA’s work for lenders. And lenders have the choice.
      Lenders are the ones who collect the data about financial transactions and credit worthiness, and share that data with 3rd party CRAs like Experian, so other potential lenders can be aware of your credit worthiness.
      If you think about the reverse situation… could a company demand that it’s customers not share reviews with other potential customers on 3rd party sites like Yelp? Could they sue because you revealed some of their transaction history?
      I know we think of it as our personal data. But it’s data “about” us, created by lenders for lenders.

  9. Angela

    Just checked all three places.
    TransUnion, no issues logging back in after 5 years, account still there, same password, 2FA via email still works. Credit Freeze still in place.
    Equifax, last set password got reset sometime over the past 5 years, had to go through reset process and answer KBA questions, account was still there, no 2FA available. Credit Freeze still in place.
    Experian, 5 years ago it was a different system without a persistent account (just PINs). They since established a new system that I needed to sign up for. Answered the KBA questions, set up phone as 2FA. New account with Experian already had Credit Freeze in place.
    Years back it seems you didn’t even need an account to freeze your credit (only if you wanted premium services). Credit Freeze/Thaw actions were not based on logging in with a username/password, but rather single actions authenticated with SSN/PIN. They since updated. I guess they could not tell me since I didn’t have an email or phone number on file.

    Everything seems to be in order for me. I only comment here because if only people with problems will comment, readers will think that everyone has a problem.

    1. BrianKrebs Post author

      So this story was about the experiences of three people who already had Experian accounts even after Experian effectively made everyone re-sign up because they did away with the freeze PIN. The point is, there does not appear to be anything that would prevent someone from signing up as you yet again at Experian.

      1. Angela

        I understand. Just sharing my experience.
        There seems to be a persistent problem, as anyone who can answer basic KBA questions can take over regardless of planting your flag or 2FA.
        From the perspective a person who forgets their PIN, Password, changes their phone or email, how should they be authenticated?

        1. an_n

          That is the 64 Trillion dollar question isn’t it. No one has the best possible solution.

          1. Klaus Neumayer

            >How should they be authenticated?No one hast the best possible solution<
            CRA's should have to pay steep penalty if they approve a credit in your name without being able to prove in court that it was requested by you (in addition to paying for any damages). This would result in CRA's finding a solution to authenticate you properly pretty damn quick.

            E.g. by setting up a network of trusted agents (their own offices, partnering with banks, lobbying for some authentication service by the local councils, …) and require you to show up in person at one of those agents to show some kind of ID that can be checked offline (driver's license, passport, …).

            Not even offering 2FA should result in them paying a fine big enough to drive them out of business.
            I assume the have enough money for lobbying to prevent anything like this to actually happen.

            1. JamminJ

              Interesting ideas.
              First off, CRAs do not actually lend credit themselves. They are essentially data brokers that lenders use to track credit.
              So it’s the lenders who should be held responsible for lending money to fraudsters and thereby ruining your credit.

              It would be great for security to require in-person visits. Of course, this will be met with immediate backlash as people want convenience over security. Just look at what’s happening with the IRS and ID me. They finally started fighting fraud with good security measures and strict enrollment, and everybody lost their minds. People don’t want to show up in person with their id, they don’t even want to use video chat.

                1. JfakenamethiefJ (self.agree@agree.self.com)

                  You’re getting tediously obvious JJ

                  1. JamminJ

                    The point was to be obvious 🙂
                    Obvious that I know it’s you, mealy.
                    So every time you cyber stalk my comments with trolling, no actual argument or point being made, just you complaining that I comment too much… There will be another comment, a reflection.

                    The more you cyber stalk me, the more attention you bring my original post/reply, the more people will see it. Having the opposite effect of your objective to silence/censor me. 😛

                    So if you really don’t like seeing my comments, don’t read them. And certainly don’t reply, because that will make it so much worse as the duplicate/reflected replies will cause other readers to see a long thread of vague and confusing agree/disagree comments. Then they will scroll up and read the last comments with actual argument, mine.
                    Your spam give my comments free exposure. Thanks for all the fish 😉

              1. Kenneth Darci

                I would be fine showing up in person with my ID.

        2. Eto

          There’s got to be a better way than public knowledge questions.

      2. Vikki Beears

        I believe they fixed the issue. What happened in the article happened to me. Among the things I tried, since I could not get them on the phone, was to just try to set an account up again from scratch. It would not let me do it since my SSN was already in the system.

  10. Lindy

    I get really upset that these Credit Bureaus are making a fortune on OUR information that we never authorized them to take…. and then they share it with anyone who creates an account as a business. Perhaps a tad more regulation needs to happen on these companies.
    An the kicker is the government got involved with ID.me and now the there is an investigation. I smelled a rat from the first moment I heard about what they were collecting. Wouldn’t go near it.
    It pays to be an internet paranoid noob.

  11. PAM

    I realized this happened to me today. Does anyone have info on who I can contact (law firm?) to represent me in finding out what actually happened?

    Not OK…..

  12. Charles Costarella

    Aren’t there already laws on the books dealing with this kind of malpractice and mishandling on the CPA’s part?

  13. TJ

    According to my password manager, I last accessed and changed my Experian account password on 2021-09-25 00:54:46. I just attempted to sign in and also received invalid password. In an attempt to reset it, it was unable to contact me for the 2FA telephone call and asked me to call them. I opted to use my security question and PIN which worked and prompted me to reset my password. After *successfully* resetting my password, I was still unable to log in due to invalid password. I attempted to reset my password for a second time and now it’s telling me it is unable to locate an account with my email address. Fantastic.

    1. Ron

      I’m hitting the same issue. I was looking at temporarily thawing my credit and I think I accidentally got myself into this situation as I apparently I didn’t have my creds stored in my Password Manager, so I guess, and then figured maybe I didn’t setup an account to place a freeze.. so I created a new one but now it seems things are sort of hung in a mix.. one minute it thinks the account name is good, next area it doesn’t exist, and in looking I think things are.. mixed?.. between two of my email addresses. Their phone support is about worthless and I’m stuck in a “I can’t do anything that looks at this credit bureau for any reason” state it seems

  14. Moo Moo

    Purple Cow run asylum, Natasha.
    Boris you are genius!

  15. George

    I can relate to this story TOO WELL. The exact same thing happened to my Experian account. I was able to speak with a support rep and after *I* had to do extensive verification, they reset my email address back to mine which allowed me to revert all of the changes to USERNAME, ADDRESS, SECURITY QUESTION, PIN CODE, MONITORING PLAN TYPE, CREDIT CARD.

    It’s mind boggling how they don’t have 2FA! Also, they are VERY reluctant to investigate how this happened. I use a password manager and never use the same password on more than a single site. My passwords are strong.

    1. Not a bot

      You notified only their twitter bot account. No way that info got to anyone.
      But also, Knowledge based Authentication is a known issue across the industry.

  16. Louise

    Okay you rt’d about equifax. Equifax, Experian – I get them confused. So, this hack nothing to do with Equifax . . .

Comments are closed.