On Dec. 23, 2022, KrebsOnSecurity alerted big-three consumer credit reporting bureau Experian that identity thieves had worked out how to bypass its security and access any consumer’s full credit report — armed with nothing more than a person’s name, address, date of birth, and Social Security number. Experian fixed the glitch, but remained silent about the incident for a month. This week, however, Experian acknowledged that the security failure persisted for nearly seven weeks, between Nov. 9, 2022 and Dec. 26, 2022.
The tip about the Experian weakness came from Jenya Kushnir, a security researcher living in Ukraine who said he discovered the method being used by identity thieves after spending time on Telegram chat channels dedicated to cybercrime.
Normally, Experian’s website will ask a series of multiple-choice questions about one’s financial history, as a way of validating the identity of the person requesting the credit report. But Kushnir said the crooks learned they could bypass those questions and trick Experian into giving them access to anyone’s credit report, just by editing the address displayed in the browser URL bar at a specific point in Experian’s identity verification process.
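The bypass Kushnir describes is a case of step skipping, where a later page trusts that the visitor arrived there legitimately instead of checking that the earlier step actually completed. As an added illustration that is not Experian's code and does not reconstruct its real flow, the Python sketch below contrasts a report endpoint gated by a client-editable URL parameter with one gated only by server-side session state; the question set, session fields and function names are all assumed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed answer key for the multiple-choice questions; a real bureau
# derives these from the consumer's credit file. Illustrative values only.
KBA_ANSWERS: Dict[str, str] = {"q1": "B", "q2": "D", "q3": "A"}
MAX_KBA_FAILURES = 3


@dataclass
class Session:
    """Server-side session state; nothing here is editable from the browser."""
    subject: Optional[str] = None   # identity this session was opened for
    kba_passed: bool = False        # set only by the server after correct answers
    kba_failures: int = 0
    audit: List[str] = field(default_factory=list)


def start_request(session: Session, subject: str) -> None:
    """Step 1: consumer supplies identifying data; any prior verification resets."""
    session.subject = subject
    session.kba_passed = False
    session.kba_failures = 0


def answer_kba(session: Session, answers: Dict[str, str]) -> bool:
    """Step 2: grade the questions; the pass flag is set only here, server-side."""
    if session.kba_failures >= MAX_KBA_FAILURES:
        session.audit.append(f"kba_locked subject={session.subject}")
        return False
    ok = all(answers.get(q) == a for q, a in KBA_ANSWERS.items())
    if not ok:
        session.kba_failures += 1
    session.kba_passed = ok
    return ok


def report_vulnerable(session: Session, url_params: Dict[str, str]) -> Optional[str]:
    """Anti-pattern: a client-controlled URL parameter decides whether step 2 happened."""
    if url_params.get("step") == "report":
        return f"REPORT for {url_params.get('subject', session.subject)}"
    return None


def report_hardened(session: Session, url_params: Dict[str, str]) -> Optional[str]:
    """Step 3: only server-side state gates the report; the URL is ignored entirely."""
    if session.subject is None or not session.kba_passed:
        # A request landing here without a passed KBA step is exactly the
        # forced-browsing signal a defender should log and alert on.
        session.audit.append(f"step_skip subject={session.subject}")
        return None
    return f"REPORT for {session.subject}"
```

The audit entries are what a detection rule would key on: report-endpoint hits whose session never recorded a passed verification step.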
When I tested Kushnir’s instructions on my own identity at Experian, I found I was able to see my report even though Experian’s website told me it didn’t have enough information to validate my identity. A security researcher friend who tested it at Experian found she also could bypass Experian’s four or five multiple-choice security questions and go straight to her full credit report at Experian.
Experian acknowledged receipt of my Dec. 23 report four days later on Dec. 27, a day after Kushnir’s method stopped working on Experian’s website (the exploit worked as long as you came to Experian’s website via annualcreditreport.com — the site mandated to provide a free copy of your credit report from each of the major bureaus once a year).
Experian never did respond to official requests for comment on that story. But earlier this week, I received an otherwise unhelpful letter via snail mail from Experian (see image above), which stated that the weakness we reported persisted between Nov. 9, 2022 and Dec. 26, 2022.
“During this time period, we experienced an isolated technical issue where a security feature may not have functioned,” Experian explained.
It’s not entirely clear whether Experian sent me this paper notice because they legally had to, or if they felt I deserved a response in writing and thought maybe they’d kill two birds with one stone. But it’s pretty crazy that it took them a full month to notify me about the potential impact of a security failure that I notified them about.
It’s also a little nuts that Experian didn’t simply include a copy of my current credit report along with this letter, which is confusingly worded and reads like they suspect someone other than me may have been granted access to my credit report without any kind of screening or authorization.
After all, if I hadn’t authorized the request for my credit file that apparently prompted this letter (I had), that would mean the thieves already had my report. Shouldn’t I be granted the same visibility into my own credit file as them?
Instead, their woefully inadequate letter once again puts the onus on me to wait endlessly on hold for an Experian representative over the phone, or sign up for a free year’s worth of Experian monitoring my credit report.
As it stands, using Kushnir’s exploit was the only time I’ve ever been able to get Experian’s website to cough up a copy of my credit report. To make matters worse, a majority of the information in that credit report is not mine. So I’ve got that to look forward to.
If there is a silver lining here, I suppose that if I were Experian, I probably wouldn’t want to show Brian Krebs his credit file either. Because it’s clear this company has no idea who I really am. And in a weird, kind of sad way I guess, that makes me happy.
For thoughts on what you can do to minimize your victimization by and overall worth to the credit bureaus, see this section of the most recent Experian story.
Such blatant incompetence. It’s painfully obvious that we consumers are absolutely unprotected and abused by for-profit companies like Experian, who get the green light to operate as they please because there’s no government oversight and no judicial consequence strong enough to terminate their irresponsible enterprise.
So this is the company which was providing “remediation services” to victims of the Equifax breach? Time for federal regulatory intervention for all credit bureaus.
Why oh why would we entrust our extremely important information to these for-profit companies? This needs to be a government function, in its own dept., probably Homeland Security.
Oh sure I trust the government. And we don’t entrust our extremely important information to these companies. They just take it! Remember we are the product, NOT the customer.
If there were any other options…
Is this why American Express reduced my credit line and sent me a letter telling me my credit score is now 550?? Does it even matter any more??
Probably not, we can’t blame these guys for everything. Your credit goes down when you fail to follow through on your financial promises, like paying back a credit card that you racked up. Also check your credit reports at least once a year and see if there’s anything incorrect like a line of credit you didn’t take out or a phone number or previous address that’s incorrect.
It’s clear Experian wants to challenge T-Mobile for the highest number of preventable breaches.
As I wrote to Brian in email, it’s sad and funny how Experian treated this situation; I had a long laugh, and I have not had one of those in a long time since the War. But the question remains: if I had not been persistent and kept trying to get ahold of someone, how long would this have continued while Experian stayed silent?
Thank you Brian for taking time to listen to me and publishing this.
It’s really great that you shared this exploit/weakness of Experian’s site with Brian Krebs. I have some experience working with their compliance staff that left me uneasy; they were defensive and quick to threaten legal action. Thanks Jenya Kushnir! Stay safe and please continue your work.
So my brother has become the target of a scam purporting to be from Ukraine. I just thought I’d share the domain with you, though I am pretty confident they aren’t based in Ukraine but are trying to use it to catfish. Exqualigistics.com. I only point this out to you in case you run across folks trying to scam people in your country as well as here in the UK. Good luck, stay safe, and we’re all in solidarity with you. F**k the Russians!
An Experian Tale of Shame and Degradation (or, “My Recent Experian Experience”).
On more than one occasion Experian has notified me that my email address was found on the dark web related to a data breach. I’ve called them twice, and both times they refused to say which site was compromised. I can only assume that this is a marketing exercise to entice me into purchasing monitoring services.
Except … I already have three different additional accounts with them related to past issues – one account each at ProtectMyID, IDnotify, and ExperianIDWorks. These are associated with specific compromises, and funded by the compromised parties. Why I need three additional accounts, each with respective passwords, is a mystery.
Meanwhile, I went to get a new T-Mobile cellie plan and they wanted my credit report. I had locked it, so I tried to get into my formal Experian account (not one of the three monitoring service accounts). I could not access it. Hmmm. I called Experian several times, and was eventually able to pass all the requisite ID verification barriers and get connected to a representative who blamed the lockout on a “technical glitch.” She gave me the number for engineering – a team which seemingly does not answer their phone for hours on end.
I eventually called once I was sure to have at least an hour clear, and set my phone to speaker-mode so I could do work while I waited. When I finally got an answer, and despite my again passing the ID verification barriers, the technical team representative acknowledged the problem but indicated that he would not be able to fix my issue unless I sent a formal physical mail-with-stamp.
Which is all to say: “Experian Sucks!”
Write to the president of Experian AND your representatives in Congress…or maybe just sue them for incompetence?
Yes, you can write letters to our Congress. Of course you’ll promptly be visited by the FBI as a domestic terrorist for messing with the get-rich-quick, at the expense of the American public, financial system of Corporate America. How dare you attack these wonderful Credit Reporting agencies!
Now let me go search my closets to see if I have any Top Secret documents misplaced there. I hate when that happens, since I’ve never worked in the Gov’t, but that’s neither here nor there. But since I’m a registered Democrap, nothing will come of it anyway, thank goodness.
You’re a demonstrated idiot regardless of your political persuasion. This is not the place for it.
Yeah “Democrap Joe.” This is not the place for comments like that. Go to Yahoo or Reddit for your Big Man Syndrome issues.
This is an IT forum keep it that way.
I suspect sizable contributions are made to politicians for the “privilege” of operating as they do.
This will not stop until executives are jailed, which will never happen.
We pay the price.
Why doesn’t the government oversee the Credit Bureaus like they do Credit Cards and the banking industry? Received my settlement from the Equifax security breach, $5.42. Tells you how much they care about protecting my information, seems their only concern is about providing information to other companies to make as much money as possible. Credit Bureaus are a necessary evil. When will the government begin to regulate them properly?
See Jeff’s post above yours.
Cause capitalism. Minimal government intervention. Freedom of market, yada yada. They don’t care. Their profit calculations already incur liability lawsuits.
It is becoming obvious lately the massive breaches and lack of transparency.
The scary part is they claim when the breach started. Do they? What guarantee they can give that no one was already lurking around?
No company takes cybersecurity seriously, unless it is to protect their IP (if they even bother to do it).
No regulation will come. The USA is the country where the DMV can sell your data to companies AND persons.
This is so sad to look at, the cybersecurity incompetency all across the industry, especially in the Fintech and Healthcare space, where techie talents from Google and the like are not attracted at all. Especially, look at their CISO and other security executive profiles. MBAs, Arts, Mechanical Engineering…. without any security engineering background.
These people get hired at Executive level just based on their connections/relationships and not merit based.
The rest of the public suffers irreparable damage due to this incompetency.
And the fact that they just don’t care!
Why should they care! It’s YOUR life and reputation and financial existence, not THEIRS! XD
“Remember kids, deregulate.”
Would Equifax’s security problem also affect someone who previously froze their credit history?
Was thinking the same but I do believe this is static reports…..so the data is there. I do know if I want to see mine, I have to unfreeze it so…we may be in good shape
Lesson for all….Freeze your Credit….because
OK, this is it. Our reps are useless; the credit bureau lobbyists just skate down the halls of Congress, tossing bags of money in offices left and right as they go.
I realize the DOJ has a lot on their hands right now, but could a charge of Criminal Negligence be filed against these entities? Can they be dissolved if they can’t be charged? There MUST be a remedy; this cannot go on.
(And TransUnion…personally, their record-keeping/accuracy is the worst of the three…which probably explains why THEY haven’t been hit; all their data is wrong!)
Another un-looked for blowout in Last Stage Capitalism’s Tires, or something…what a mess!
Keep it up, Krebs, you’re batting .750!
Yes. If Snowden and Assange have taught me anything, it is that my government has my best interest at heart. I am sure if this was regulated and controlled by the state, all would be well. More power to the state!
I have all of the credit bureaus with a freeze on my account with them. In your article you say they could access all the credit reports. Thus I assume the credit freeze did not protect me. Am I correct?
How many times can a company have data breaches like this before they get shut down?
Or can they just keep doing this forever, and – meh – it’s only ‘your’ data.
I suspect that ‘at the most’ they just pay a fee/tax/bribe like every other company, and nobody is ever held responsible.
Always funny to hear people think that the credit bureaus are supposed to police (clean up) all the data that exists about us from everywhere else. I mean they have something like 40,000+ companies and organizations (?) feeding data to them. Business, banks, employers, schools, anyone with a loan and more.
I have an error in my report because some idiot telephone person misspelled my street (e.g. Appell St.? really? if you don’t know how to spell Apple just ask) in their business database, and reported that to all 3 credit bureaus. Experian (whoever) is not in the business of correcting everyone else’s spelling.
But not all errors are harmless. That data sent to the CBs is very dirty, all kinds of mistakes. It is not keyed to uniquely identify people. Wrong SSN’s, wrong spelling, wrong names, wrong address, etc. so IF AND WHEN the wrong data is tagged to your identity then CHALLENGE IT! They have to go back to whomever supplied that data and ask, e.g. “are you sure because the person said this is wrong”, etc. Guess what the bank (whoever) says “of course we are correct”. It works better if you figure out how to call the bank (whomever) directly and argue with them. Fix the SOURCE.
Knowing a bit about big data… I am surprised this system works even a little. Yes it sucks. No, credit bureaus are not data heaven. I am not defending the CBs per se, they need to be much better! Just saying it is a nightmare of a problem.
Don’t like it? Pay cash for everything. Never have a loan for anything. Otherwise, for the rest of us, it is better to figure out how to work the system rather than complain endlessly based on ignorance.
The IRS and other government agencies use the same questions as Experian to verify identity. I am curious to know if these agencies make use of Experian’s authentication process when asking similar authentication questions. If so, were these sites vulnerable during this period?
They’ll offer 12 months of worthless credit monitoring and never pay a fine or have a criminal charge.
23 December 2022 after the announcement: Their stock price went on an upswing. Not a big one, but still.
In summer 2022, Florida’s FBI and the DOJ busted someone on the island of Cyprus, Greece and took down four SSNDOB domains selling that info for $25. But there are still SSNDOB websites that claim to be .org nonprofits when you simply google search SSNDOB. They claim people’s SSN and DOB info is public information that they still sell for only $25. Doug Shadel of AARP wrote an article in the AARP magazine entitled: “Digital Frankensteins”: Crooks are creating ‘synthetic’ people from your data, to loot banks. It’s one more reason to protect your accounts. This article is an awesome short summary that everyone can understand. Miteksystems.com has an article entitled: “What is synthetic identity fraud?” dated Jan. 21, 2020 that explains this very well also. Since 2017, when the Equifax hack occurred, 150 million Americans’ SSNs and DOBs have been stolen due to Equifax not having properly encrypted all that personal info. I think the FBI has been using voice recognition software for a long time and it works well. Biometrics like fingerprints, facial measurements, hand geometry etc. and more probably need to be adopted by Banks and the Social Security Administration ASAP.
Cyprus is not fucking Greece. It’s an independent country.
Everyone knows the three main credit reporting companies, but there is a fourth with a considerable database called Innovis. When I froze my accounts 12 years ago I froze all four. Additionally there are three lesser credit reporting companies, PRBC, SageStream, and Advanced Resolution Service (ARS). I gave up on them 23 years ago when I tried to get TransUnion to fix my report, which included data from my ex-wife and her husband, and the person who lived in the house before me. The only good thing is they reported my name with a middle initial which I don’t have. Any mail coming with a middle initial in my name goes straight to trash because I know where they got it from. One benefit of freezing them is no more credit card offers and other junk mail.
A Private company….get’s fined what…$100K per breach. Can this company be handed over to Tax Payers so we can mandate and hire a board.
NO, we don’t need the Feds in here….they have their own issues with locking stuff down……get them in here and our CR’s may end up in a Garage of a Politician, next to their $140K Corvette
It’s time for the Private Sector to run stuff like this and be accountable to Private Citizens. The CISO for Experian should be sued into oblivion along with the rest of their incompetent staff. We don’t have a choice here….and they made OUR info UNSAFE
You don’t understand Capitalization or that taxpayer is one word, but want to run stuff?
Like, ok, but no.
Perhaps this is a dumb question considering, but does anyone have an opinion on signing up for “Protect My ID” from these jokers? I got an email today for a free membership for AAA members. My thinking is that IF I had an issue perhaps they could be of help. I have a freeze there (and at all of them) if that matters.
I would fully ignore that and manually check every other month instead given the 3 agency freeze already.
For analogy purposes.