Twice in the past month KrebsOnSecurity has heard from readers who had their accounts at big-three credit bureau Experian hacked and updated with a new email address that wasn’t theirs. In both cases the readers used password managers to select strong, unique passwords for their Experian accounts. Research suggests identity thieves were able to hijack the accounts simply by signing up for new accounts at Experian using the victim’s personal information and a different email address.
John Turner is a software engineer based in Salt Lake City. Turner said he created the account at Experian in 2020 to place a security freeze on his credit file, and that he used a password manager to select and store a strong, unique password for his Experian account.
Turner said that in early June 2022 he received an email from Experian saying the email address on his account had been changed. Experian’s password reset process was useless at that point because any password reset links would be sent to the new (impostor’s) email address.
An Experian support person Turner reached via phone after a lengthy hold time asked for his Social Security Number (SSN) and date of birth, as well as his account PIN and answers to his secret questions. But the PIN and secret questions had already been changed by whoever re-signed up as him at Experian.
“I was able to answer the credit report questions successfully, which authenticated me to their system,” Turner said. “At that point, the representative read me the current stored security questions and PIN, and they were definitely not things I would have used.”
Turner said he was able to regain control over his Experian account by creating a new account. But now he’s wondering what else he could do to prevent another account compromise.
“The most frustrating part of this whole thing is that I received multiple ‘here’s your login information’ emails later that I attributed to the original attackers coming back and attempting to use the ‘forgot email/username’ flow, likely using my SSN and DOB, but it didn’t go to their email that they were expecting,” Turner said. “Given that Experian doesn’t support two-factor authentication of any kind — and that I don’t know how they were able to get access to my account in the first place — I’ve felt very helpless ever since.”
Arthur Rishi is a musician and co-executive director of the Boston Landmarks Orchestra. Rishi said he recently discovered his Experian account had been hijacked after receiving an alert from his credit monitoring service (not Experian’s) that someone had tried to open an account in his name at JPMorgan Chase.
Rishi said the alert surprised him because his credit file at Experian was frozen at the time, and Experian did not notify him about any activity on his account. Rishi said Chase agreed to cancel the unauthorized account application, and even rescinded its credit inquiry (each credit pull can ding your credit score slightly).
But he never could get anyone from Experian’s support to answer the phone, despite spending what seemed like eternity trying to progress through the company’s phone-based system. That’s when Rishi decided to see if he could create a new account for himself at Experian.
“I was able to open a new account at Experian starting from scratch, using my SSN, date of birth and answering some really basic questions, like what kind of car did you take out a loan for, or what city did you used to live in,’ Rishi said.
Upon completing the sign-up, Rishi noticed that his credit was unfrozen.
Like Turner, Rishi is now worried that identity thieves will just hijack his Experian account once more, and that there is nothing he can do to prevent such a scenario. For now, Rishi has decided to pay Experian $25.99 a month to more closely monitor his account for suspicious activity. Even using the paid Experian service, there were no additional multi-factor authentication options available, although he said Experian did send a one-time code to his phone via SMS recently when he logged on.
“Experian now sometimes does require MFA for me if I use a new browser or have my VPN on,” Rishi said, but he’s not sure if Experian’s free service would have operated differently.
“I get so angry when I think about all this,” he said. “I have no confidence this won’t happen again.”
In a written statement, Experian suggested that what happened to Rishi and Turner was not a normal occurrence, and that its security and identity verification practices extend beyond what is visible to the user.
“We believe these are isolated incidents of fraud using stolen consumer information,” Experian’s statement reads. “Specific to your question, once an Experian account is created, if someone attempts to create a second Experian account, our systems will notify the original email on file.”
“We go beyond reliance on personally identifiable information (PII) or a consumer’s ability to answer knowledge-based authentication questions to access our systems,” the statement continues. “We do not disclose additional processes for obvious security reasons; however, our data and analytical capabilities verify identity elements across multiple data sources and are not visible to the consumer. This is designed to create a more positive experience for our consumers and to provide additional layers of protection. We take consumer privacy and security seriously, and we continually review our security processes to guard against constant and evolving threats posed by fraudsters.”
ANALYSIS
KrebsOnSecurity sought to replicate Turner and Rishi’s experience — to see if Experian would allow me to re-create my account using my personal information but a different email address. The experiment was done from a different computer and Internet address than the one that created the original account years ago.
After providing my Social Security Number (SSN), date of birth, and answering several multiple choice questions whose answers are derived almost entirely from public records, Experian promptly changed the email address associated with my credit file. It did so without first confirming that new email address could respond to messages, or that the previous email address approved the change.
Experian’s system then sent an automated message to the original email address on file, saying the account’s email address had been changed. The only recourse Experian offered in the alert was to sign in, or send an email to an Experian inbox that replies with the message, “this email address is no longer monitored.”
After that, Experian prompted me to select new secret questions and answers, as well as a new account PIN — effectively erasing the account’s previously chosen PIN and recovery questions. Once I’d changed the PIN and security questions, Experian’s site helpfully reminded me that I have a security freeze on file, and would I like to remove or temporarily lift the security freeze?
To be clear, Experian does have a business unit that sells one-time password services to businesses. While Experian’s system did ask for a mobile number when I signed up a second time, at no time did that number receive a notification from Experian. Also, I could see no option in my account to enable multi-factor authentication for all logins.
How does Experian differ from the practices of Equifax and TransUnion, the other two big consumer credit reporting bureaus? When KrebsOnSecurity tried to re-create an existing account at TransUnion using my Social Security number, TransUnion rejected the application, noting that I already had an account and prompting me to proceed through its lost password flow. The company also appears to send an email to the address on file asking to validate account changes.
Likewise, trying to recreate an existing account at Equifax using personal information tied to my existing account prompts Equifax’s systems to report that I already have an account, and to use their password reset process (which involves sending a verification email to the address on file).
KrebsOnSecurity has long urged readers in the United States to place a security freeze on their files with the three major credit bureaus. With a freeze in place, potential creditors can’t pull your credit file, which makes it very unlikely anyone will be granted new lines of credit in your name. I’ve also advised readers to plant their flag at the three major bureaus, to prevent identity thieves from creating an account for you and assuming control over your identity.
The experiences of Rishi, Turner and this author suggest Experian’s practices currently undermine both of those proactive security measures. Even so, having an active account at Experian may be the only way you find out when crooks have assumed your identity. Because at least then you should receive an email from Experian saying they gave your identity to someone else.
In April 2021, KrebsOnSecurity revealed how identity thieves were exploiting lax authentication on Experian’s PIN retrieval page to unfreeze consumer credit files. In those cases, Experian failed to send any notice via email when a freeze PIN was retrieved, nor did it require the PIN to be sent to an email address already associated with the consumer’s account.
A few days after that April 2021 story, KrebsOnSecurity broke the news that an Experian API was exposing the credit scores of most Americans.
Emory Roan, policy counsel for the Privacy Rights Clearinghouse, said Experian not offering multi-factor authentication for consumer accounts is inexcusable in 2022.
“They compound the problem by gating the recovery process with information that’s likely available or inferable from third party data brokers, or that could have been exposed in previous data breaches,” Roan said. “Experian is one of the largest Consumer Reporting Agencies in the country, trusted as one of the few essential players in a credit system Americans are forced to be part of. For them to not offer consumers some form of (free) MFA is baffling and reflects extremely poorly on Experian.”
Nicholas Weaver, a researcher for the International Computer Science Institute at University of California, Berkeley, said Experian has no real incentive to do things right on the consumer side of its business. That is, he said, unless Experian’s customers — banks and other lenders — choose to vote with their feet because too many people with frozen credit files are having to deal with unauthorized applications for new credit.
“The actual customers of the credit service don’t realize how much worse Experian is, and this isn’t the first time Experian has screwed up horribly,” Weaver said. “Experian is part of a triopoly, and I’m sure this is costing their actual customers money, because if you have a credit freeze that gets lifted and somebody loans against it, it’s the lender who eats that fraud cost.”
And unlike consumers, he said, lenders do have a choice in which of the triopoly handles their credit checks.
“I do think it’s important to point out that their real customers do have a choice, and they should switch to TransUnion and Equifax,” he added.
More greatest hits from Experian:
2017: Experian Site Can Give Anyone Your Credit Freeze PIN
2015: Experian Breach Affects 15 Million Customers
2015: Experian Breach Tied to NY-NJ ID Theft Ring
2015: At Experian, Security Attrition Amid Acquisitions
2015: Experian Hit With Class Action Over ID Theft Service
2014: Experian Lapse Allowed ID Theft Service Access to 200 Million Consumer Records
2013: Experian Sold Consumer Data to ID Theft Service
Update, 10:32 a.m.: Updated the story to clarify that while Experian does sometimes ask users to enter a one-time code sent via SMS to the number on file, there does not appear to be any option to enable this on all logins.
After reading this I began checking all three reporting companies. Transunion isn’t much better. When you create a password you are confined to 8-15 characters. 15??? Are you effing kidding me?
Experian gave me 8 to 35 characters. I used 34 via a password manager. No 2fa options. The site is terrible. More concerned about selling you services that you should never need. Like to never found the ‘freeze’ option. Kept wanting me to pay monthly to lock. geez. you can’t make this stuff up. Keep up the good work Brian!
This is absolutely garbage business which scams the consumer. The Business is too big to care for the consumer
Answer knowledge-based authentication questions: I use password generator answers such as ,,,, > ns_JArcFolH82lXp < to answer the question
Someone had tried to open an account in his name at JPMorgan Chase…… What a joke. The credit bureaus are for lenders not for consumers. Remember Wells Faargo?
We take consumer privacy and security seriously,,, REALLY! LOL!!!
Please close the Credit Bureaus. This BS must stop… Creditors / Lenders have damaged more families than all the wars of the 20th century
To verify your account, please answer this question: what is your favorite color?
1. Yellow
2. Blue
3. ns_JArcFolH82lXp
Mine asked about the airspeed velocity of an unladen swallow.
I replied “which species?” and they suddenly stopped replying. I don’t know what happened.
African or European?
It’s a dead parrot and an extremely dead joke.
Joke: “I’m not dead yet! I feel happy! I think I’ll go for a walk”
Entire cast of Monty Python: “Ugh, seriously stop. You’re dating us.”
Not the *entire* cast, some of them are dead.
This is really terrifying.
Experian has lately been pushing its for-fee services with lies. I’ve twice gotten emails from them claiming “You filed a claim in the Equifax Data Breach Settlement and chose to receive free, three-bureau (Equifax, Experian, and TransUnion) credit monitoring from Experian for four years. You were sent an email in February that provided additional information about the services provided by Experian as part of the Settlement and how to enroll by June 27, 2022.”
Wrong. I wasn’t interested in their credit monitoring since I’ve frozen my accounts. Instead I submitted an Extended Claims Period Claim https://www.equifaxbreachsettlement.com/file-a-claim to get reimbursed for the time I expended dealing with their breach I’ve yet to get anything from that claim – except offers to pay for more of their shoddy service.
Cybersecurity industry is filled with lot of incompetent cybersecurity leaders with MBAs who have no idea what Security is. Especially Fintech and Healthcare sectors where even decent techies don’t even go.
On a related note, Bruce Schneier have been laughing at these Crypto/Bitcoin kiddies who has lost billions to naive cybersecurity hacks. These companies are again run by CISOs who never programmed.
This exact same thing happened to me on April 16 of this year. At 18:36 CDT on that Saturday, Experian sent an email about the email address change. Sadly, I didn’t see it until after 19:00 CDT when Experian customer support shut down. How are they not 24/7? Luckily, I had both an Experian IdentityWorks account and an Experian CreditWorks account. The CreditWorks was the one taken over. After that I started getting emails from IdentityWorks that hard inquiries where hitting my file. I stayed up all night cold calling credit card companies informing them that those applications were fraudulent. In the morning I was able to get the file locked, but they couldn’t generate KBA questions because someone (thief) had apparently answered wrong too many times and I was locked out. Experian made me wait an additional 72 hours of waiting before letting me answer the KBA questions and get my account back.
Who really needs “three” “major” credit unions and who decided these three?
It seems incredibly arbitrary given this range of seemingly entry level failures.
Someone else mentioned a 15 character pw limit in quantum-hardened times.
I’m just glad I don’t have much to steal on paper.
Write a letter to the CSO (Chief security officer) at you bank(s)
This happened to me recently, only in reverse. I attempted to sign up to the big 3 to freeze my credit due to identity theft. Only I couldn’t sign up for Experian because someone else already had with my SS#. I was able to get them to initiate a reset over the phone. After 72 hours I was able to complete the sign up by answering security questions, including an inaccurate former employer. The problem is that all of these answers are available to anyone with my Experian report, including the hacker. They have no known lockout system. The hacker was active because they immediately unfroze my report online after I’d frozen it over the phone. These people do not deserve to manage this information with their terrible security policies. I hope this results in a class action suit.
This is criminal negligence. Surely the FTC and the CFPB should be informed.
Every time I log in, I almost always have to reset my password as if someone had changed my password without me knowing. There were times I received email saying thank you for contacting Experian when I didn’t and they can determine what triggered the emails. I asked them when a MFA feature will be available and they said there’s no plans. The credit bureaus are unsafe. And they have admitted, as long as someone has your info, they can opem an acct anywhere to get my information.
So they have no incentive to not be sociopathic and protect people from the pain of identity theft?
I’m sure readers here can think of incentives to give them, e.g., not getting tarred and feathered or much worse.
Everybody, what are some incentives we could give Experian to not help crooks steal our identities?
As always, nice work Brian.
It’s a sad commentary that these organizations continue to operate and PROFIT despite these repeated fiascos.
Brian has been insightfully reporting on this topic for a DECADE; yet we still are playing “wack a mile” with these outfits who’s ONLY motive is to profit from the re-selling our personal data.
“… If a little ‘leaks’ here and there … that’s an ‘unusual / one-off situation’ just the ‘cost of doing business’ … “
I’ve been placing fraud alerts on my credit history because Experian won’t let me “plant the flag.” After reading this article my credit history will constantly be in a state of fraud alert as Experian can’t be trusted.
I don’t understand how people aren’t already aware of all three bureaus complete negligence year over year and already have fraud alerts and credit freeze unless actively seeking new credit to momentarily unfreeze. They’ve never been held accountable by any regulators so the only intelligent option is to seek out all options to lock it down, use account alerts, and use credit monitoring. Maybe it’s because I’ve been using credit monitoring and security for nearly a decade but I’m still kind of bewildered how it’s not average knowledge
This could actually cause more problems. My Experian account has been flagged for fraud for years, and I have no clue why. To my knowledge I’ve never been a victim of fraud or identity theft. For most of my adult life I’ve had to put utilities and other things in a friend’s name if they try to verify me with Experian, which comes with its own set of problems. I have no issues with the other two companies, and no issues with my credit in general. I’ve called them and sent them the documents requested to remove the flag, but nothing happens.
I really hate Experian, this company has screwed me and everyone else with their negligence, and there’s nothing I can do about it apparently.
This is criminal incompetence. Experian is aiding and abetting identity theft; it’s as simple as that. What can we do other than flood FTC and CFPB with complaints?
This blatant abuse of personal data, to me, means that it is deliberate. I will be getting rid my account.
Hopefully you realize that does nothing, per the article. If you get rid of your account, the only change would be that you no longer get an alert when someone fraudulently uses your info on Experian. You can’t stop Experian from having your info in the first place, that’s already a done deal, and is reaffirmed any time you pay a bill, apply for a loan, or miss a payment anywhere.
Exactly. There’s no escape.
I am confused:
I did not ask Experion on any other company to build a dosier of my credit & finances. Why should I have to work to defend the security of my data that they hold without my consent?
Why do I need to set up an account with any of these companies?
Unauthorized delving into my finances, should be criminal.
What they are doing is outside of my authorization and should be all of their responsibility / culpability/ liability.
Unfortunately, it is not your data. At least that’s they way they see it. It’s data “about” you. But it’s data generated by lenders, for lenders.
I don’t think we’ve ever lived in a world where someone has to ask you for permission/authorization to create a file on you.
Whenever we borrow money, or engage in any transaction, the lender will always have the right to create a record of that transaction and to communicate that record with other lenders.
The quicker you come to the realization that you are not the customer, the better off you’ll be. Your credit worthiness is not a secret that you can control. Every business that you borrow money or services from, has a right to record and share information that pertains to whether or not you are a dirt bag who doesn’t pay their bills.
You probably did consent. Every read the fine print when filling out a loan application, financing a car, opening a bank account, signing up for a cell phone plan or premium cable, starting service on a utility, getting a mortgage, or even a rental agreement. When they check your credit, it also goes both ways… they also submit data to the credit bureaus.
It’s easy. Just pull your credit report, and for each account listed, just go through your paperwork and read all the fine print. You signed, you agreed.
So I just did a experiment, if you already have a account with Experian, you can make a new account, with a different email, with the social security number and it will override and change the email to that account allowing anyone with a social number to have their account taken over.
Experian recently installed a new administrator dashboard in either Brazil or Argentina (forget which but you can Google it) and left the default login/password as admin/admin. Hackers had access to even Americans info through the company network.
Any company with that poor of security practices shouldnt be legally allowed to store user information. But at least passwords weren’t plaintext like T-Mobiles parent company had them when they got hacked.
I had the $25.99/mo Experian Credit monitoring service that gives you all 3 reports. I just canceled it. No way I’m giving my money to a company this inept with my data. I’ve worked in the business (TransUnion) and I’m in IT with a speciality on security. I can tell you what their basic costs are and about what they all charge each other and the major banks, and I can make a SWAG at what it might cost to properly secure their systems. The level of negligence relative to the cost to fix the problem against what they’re making off our data is light criminal negligence.
If you sign up for credit monitoring, they also offer no unsubscribe button on the emails. They leave this annoying message at the bottom.
“Why am I receiving this email?
This is not a marketing email—you’re receiving this message to notify you of a recent change to your account. If you’ve unsubscribed from Experian CreditWorks℠ Basic emails in the past, don’t worry—you no longer receive newsletters or special offers.”
But no unsubscribe button. There’s also not a way to unsubscribe on the website and if you contact customer support, they aren’t able to unsubscribe you again. It’s infuriating
maintain vigilance always!
But some sites don’t even tell you when someone has hijacked your account – you just have to keep logging in every once in a while and wait until it’s been hijacked. That’s what I’ve been having to do for the last 3 months.
This most recent Experian hack is now apparently also in play at TransUnion. Just a matter of time before reports start popping up on them … and probably eventually Equifax, too. All of these credit bureaus should support MFA – in fact, they should REQUIRE it. It’s insane that they control so much consumer information and can irresponsibly wreak havoc with people’s lives just because of their laziness.
THIS! I have had my Equifax and Experian accounts hijacked 6 times, and dozens of credit card/bank/etc applications opened in my name. One of the sites (Equifax, I think) touts an article about 2FA and yet they don’t offer it. Yes, it should be MANDATORY.
Curiously I haven’t had a problem with my Transunion – yet. At least they forced a “forgot password” instead of handing it over to a hacker.
Since Experian is nominally based in the EU, I’m sure the authorities there would be more than happy to make some suggestions via fines.
Companies like this should not exist in the 21st Century, especially in litigious environments like the USA. But I guess that the downsides are low and so are their security budgets.
I went to log in, and found Experian had no memory of my account done in 2018 to set up a credit freeze. So I had to create a new account. Their info now shows my account is brand new.
Curious, I logged into Transunion and Equifax, and my info with both of them was still valid. Took the time to change usernames and passwords.
Why is Experian still in business?
Just checked all three.
TransUnion, no issues logging back in after 5 years, account still there, same password, 2FA via email still works. Credit Freeze still in place.
Equifax, last set password got reset sometime over the past 5 years, had to go through reset process and answer KBA questions, account was still there, no 2FA available. Credit Freeze still in place.
Experian, 5 years ago it was a different system without a persistent account (just PINs). They since established a new system that I needed to sign up for. Answered the KBA questions, set up phone as 2FA. New account with Experian already had Credit Freeze in place.
Years back it seems you didn’t even need an account to freeze your credit (only if you wanted premium services). Credit Freeze/Thaw actions were *NOT* based on logging in with a username/password, but rather single actions authenticated with SSN/PIN. They since updated. I guess they could not tell me since I didn’t have an email or phone number on file.
Everything seems to be in order for me. I only comment here because if only people with problems will comment, readers will think that everyone has a problem.
I have been going through this for MONTHS. I have a very unique name (one of only 2 in the world) and my SSN was leaked a few months ago. Some guy in Michigan stole my Experian AND Equifax account with this. Yes, both. I don’t know how he did the Equifax account, but he did – twice. He grabs my account (4 times for Experian), unfreezes my credit, and applies for credit cards.
When the inevitable lawsuit comes about, I WANT TO BE PART OF IT.
Most likely, in addition to your SSN, some of your financial history was exposed. Knowledge Based Auth is common with all three major credit reporting agencies.
The fundamental problem is that there must be a way to reset passwords, 2FA, email and phone numbers. Because legit people lose or forget these all the time. So they resort to financial history questions that legit users will always know. The issue with that, is that a diligent thief can find this information mostly in public records. Things like, what company gave you a loan for what, 6 years ago. Multiple choice of course.
More secure ways of identity proofing are a possibility, but the same people who complain about credit bureaus disregard for security also complain about identity proofing services like ID.me being too intrusive, which is the cause of this paradox.
People want strong secure authentication and identity proofing for other people. But they don’t want to go through it themselves.
Would you be okay with an enrollment process that required a phone or video chat interview or an in-person visit?
I registered my experian account on July-11. It needed extra account verification. After lot of time, I got to customer support who then verified my details. I was able to login to my account after that. When I tried to login again on July-12, it started giving me “The username or password you entered is incorrect” error. (Password reset feature does not work as well). When I called their customer service, they said they can’t even see my username in their system at all. They suggested that they can cancel my membership account and I can then try to create a new account. So I asked them to cancel my membership account. When I tried to create a new account as they recommended, it asked for extra account verification again. When I called the customer support again, they said I need to wait for 72 hours to verify my details. The saga is still going on and don’t know if/when it gets resolved. I can’t believe their incompetency and how bad their software is that decided to suddenly not let me login. If anyone found a solution to the problem, could you please add your comment?
Follow up to my earlier comment: I called customer service again after 72 hours on July-16. Customer service representative said there was nothing wrong with my first membership account that was cancelled and made it active again [uncancelled it], but the login problem still persisted though. I gave up my hopes and did not attempt to login for few days. On July-21, when I tried password reset, it worked fine (they sent security pin to my phone). I am able to login now. I am guessing that, there was some database problem with new accounts created last week and they fixed it earlier this week.
I have been dealing with my credit being hacked and my life turned upside down for 2 YEARS! Every time I’ve contacted Experian they told me I didn’t know what I was talking about and that there was no breeches in their security! I’ve had to dispute nearly $100,000 in false credit applications including my bank account being hacked as well! We need a class action lawsuit!
“In a written statement, Experian suggested that what happened to Rishi and Turner was not a normal occurrence, and that its security and identity verification practices extend beyond what is visible to the user.”
Whatever their security and identity verification practices are, they didn’t stop an identity thief from using my info to create an account with them. With access to my credit report, they called my credit card companies and cancelled two of them. They tried opening other cards and a line of credit to an Indian casino. I ready to join any class action lawsuit to get Experian to improve their systems.
Tell me why they lower your credit rating because you don’t show mortgage charges in your credit history? I paid cash for all 5 houses I bought since 2000. I don’t believe in debt of any kind. I don’t show balances on cards. For my financial habits, my score is lowered. Doesn’t make sense.
I’ve had lots of contact with all three bureaus. Totally useless. They have so many loopholes to jump through to talk to someone, you have forgotten why you called. It’s as bad as calling your cell provider.
Your credit score as a reflection of risk.
How are potential lenders supposed to know that you’ve paid for five houses with cash? They cannot distinguish between a rich person paying cash for everything, and someone who is poor with no assets. A lender would not be wise to lend to someone with no credit history.
For someone who does not believe in debt, then why even care about your credit score?
One reason to still worry about credit score is many states allow insurance companies to include credit score when calculating rates for car insurance and homeowner’s insurance. Slimy, I think, but it’s legal.