January 9, 2023

Identity thieves have been exploiting a glaring security weakness in the website of Experian, one of the big three consumer credit reporting bureaus. Normally, Experian requires that those seeking a copy of their credit report successfully answer several multiple choice questions about their financial history. But until the end of 2022, Experian’s website allowed anyone to bypass these questions and go straight to the consumer’s report. All that was needed was the person’s name, address, birthday and Social Security number.

The vulnerability in Experian’s website was exploitable after one applied to see their credit file via annualcreditreport.com.

In December, KrebsOnSecurity heard from Jenya Kushnir, a security researcher living in Ukraine who said he discovered the method being used by identity thieves after spending time on Telegram chat channels dedicated to the cashing out of compromised identities.

“I want to try and help to put a stop to it and make it more difficult for [ID thieves] to access, since [Experian is] not doing shit and regular people struggle,” Kushnir wrote in an email to KrebsOnSecurity explaining his motivations for reaching out. “If somehow I can make small change and help to improve this, inside myself I can feel that I did something that actually matters and helped others.”

Kushnir said the crooks learned they could trick Experian into giving them access to anyone’s credit report, just by editing the address displayed in the browser URL bar at a specific point in Experian’s identity verification process.

Following Kushnir’s instructions, I sought a copy of my credit report from Experian via annualcreditreport.com — a website that is required to provide all Americans with a free copy of their credit report from each of the three major reporting bureaus, once per year.

Annualcreditreport.com begins by asking for your name, address, SSN and birthday. After I supplied that and told Annualcreditreport.com I wanted my report from Experian, I was taken to Experian.com to complete the identity verification process.

Normally at this point, Experian’s website would present four or five multiple-guess questions, such as “Which of the following addresses have you lived at?”

Kushnir told me that when the questions page loads, you simply change the last part of the URL from “/acr/oow/” to “/acr/report,” and the site would display the consumer’s full credit report.

But when I tried to get my report from Experian via annualcreditreport.com, Experian’s website said it didn’t have enough information to validate my identity. It wouldn’t even show me the four multiple-guess questions. Experian said I had three options for a free credit report at this point: Mail a request along with identity documents, call a phone number for Experian, or upload proof of identity via the website.

But that didn’t stop Experian from showing me my full credit report after I changed the Experian URL as Kushnir had instructed — modifying the error page’s trailing URL from “/acr/OcwError” to simply “/acr/report”.

Experian’s website then immediately displayed my entire credit file.
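The flow described above, reconstructed as an added example (this is not Experian's code): a session state machine with a report endpoint gated only on the identity lookup beside one gated on the recorded KBA outcome, plus an audit over constructed log lines that finds sessions served a report without passing the questions. Only the three path names come from the article; the handlers, session layout and log format are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

REPORT_PATH = "/acr/report"       # path named in the article
KBA_PATH = "/acr/oow"             # questions page, named in the article
ERROR_PATH = "/acr/OcwError"      # "not enough information" page, named in the article


@dataclass
class Session:
    consumer_id: Optional[str] = None  # set once name/address/DOB/SSN matched a file
    kba: str = "none"                  # none | pending | passed | failed | insufficient


def identity_lookup(s: Session, consumer_id: str) -> str:
    """Step 1: the supplied details matched a credit file. Nothing is verified yet."""
    s.consumer_id = consumer_id
    s.kba = "pending"
    return KBA_PATH


def record_kba_outcome(s: Session, outcome: str) -> str:
    """Step 2: store the KBA result server-side and return the page to redirect to."""
    if outcome not in ("passed", "failed", "insufficient"):
        raise ValueError(outcome)
    s.kba = outcome
    return REPORT_PATH if outcome == "passed" else ERROR_PATH


def serve_report_vulnerable(s: Session) -> int:
    """Assumed shape of the weak gate: knowing whose file to show was enough,
    so a request for /acr/report succeeded whatever the KBA outcome was."""
    return 200 if s.consumer_id else 403


def serve_report_fixed(s: Session) -> int:
    """Hardened gate: the report is released only from the 'passed' state.
    The URL the browser asks for carries no authority; the session state does."""
    return 200 if s.consumer_id and s.kba == "passed" else 403


# Constructed application-log lines: "<session_id> <event>".
SAMPLE_LOG = [
    "s1 lookup", "s1 kba_passed", "s1 report_served",
    "s2 lookup", "s2 kba_insufficient", "s2 report_served",
    "s3 lookup", "s3 report_served",
    "s4 lookup", "s4 kba_failed",
]


def unverified_report_views(lines: List[str]) -> List[str]:
    """Audit: sessions served a report with no prior kba_passed event.
    This is the retrospective check a defender runs to size the exposure window."""
    passed, flagged = set(), []
    for line in lines:
        sid, event = line.split()
        if event == "kba_passed":
            passed.add(sid)
        elif event == "report_served" and sid not in passed:
            flagged.append(sid)
    return flagged


if __name__ == "__main__":
    s = Session()
    identity_lookup(s, "consumer-123")
    record_kba_outcome(s, "insufficient")   # the article's /acr/OcwError case
    print(serve_report_vulnerable(s), serve_report_fixed(s))  # 200 403
    print(unverified_report_views(SAMPLE_LOG))                # ['s2', 's3']
```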

Even though Experian said it couldn’t tell that I was actually me, it still coughed up my report. And thank goodness it did. The report contains so many errors that it’s probably going to take a good deal of effort on my part to straighten out.

Now I know why Experian has NEVER let me view my own file via their website. For example, there were four phone numbers on my Experian credit file: Only one of them was mine, and that one hasn’t been mine for ages.

I was so dumbfounded by Experian’s incompetence that I asked a close friend and trusted security source to try the method on her identity file at Experian. Sure enough, when she got to the part where Experian asked questions, changing the last part of the URL in her address bar to “/report” bypassed the questions and immediately displayed her full credit report. Her report also was replete with errors.

KrebsOnSecurity shared Kushnir’s findings with Experian on Dec. 23, 2022. On Dec. 27, 2022, Experian’s PR team acknowledged receipt of my Dec. 23 notification, but the company has so far ignored multiple requests for comment or clarification.

By the time Experian confirmed receipt of my report, the “exploit” Kushnir said he learned from the identity thieves on Telegram had been patched and no longer worked. But it remains unclear how long Experian’s website was making it so easy to access anyone’s credit report.

In response to information shared by KrebsOnSecurity, Senator Ron Wyden (D-Ore.) said he was disappointed — but not at all surprised — to hear about yet another cybersecurity lapse at Experian.

“The credit bureaus are poorly regulated, act as if they are above the law and have thumbed their noses at Congressional oversight,” Wyden said in a written statement. “Just last year, Experian ignored repeated briefing requests from my office after you revealed another cybersecurity lapse at the company.”

Sen. Wyden’s quote above references a story published here in July 2022, which broke the news that identity thieves were hijacking consumer accounts at Experian.com just by signing up as them at Experian once more, supplying the target’s static, personal information (name, DoB/SSN, address) but a different email address.

From interviews with multiple victims who contacted KrebsOnSecurity after that story, it emerged that Experian’s own customer support representatives were actually telling consumers who got locked out of their Experian accounts to recreate their accounts using their personal information and a new email address. This was Experian’s advice even for people who’d just explained that this method was what identity thieves had used to lock them out in the first place.

Clearly, Experian found it simpler to respond this way, rather than acknowledging the problem and addressing the root causes (lazy authentication and abhorrent account recovery practices). It’s also worth mentioning that reports of hijacked Experian.com accounts persisted into late 2022. That screw-up has since prompted a class action lawsuit against Experian.

Sen. Wyden said the Federal Trade Commission (FTC) and Consumer Financial Protection Bureau (CFPB) need to do much more to protect Americans from screw-ups by the credit bureaus.

“If they don’t believe they have the authority to do so, they should endorse legislation like my Mind Your Own Business Act, which gives the FTC power to set tough mandatory cybersecurity standards for companies like Experian,” Wyden said.

Sadly, none of this is terribly shocking behavior for Experian, which has shown itself a completely negligent custodian of obscene amounts of highly sensitive consumer information.

In April 2021, KrebsOnSecurity revealed how identity thieves were exploiting lax authentication on Experian’s PIN retrieval page to unfreeze consumer credit files. In those cases, Experian failed to send any notice via email when a freeze PIN was retrieved, nor did it require the PIN to be sent to an email address already associated with the consumer’s account.

A few days after that April 2021 story, KrebsOnSecurity broke the news that an Experian API was exposing the credit scores of most Americans.

It’s bad enough that we can’t really opt out of companies like Experian making $2.6 billion each quarter collecting and selling gobs of our personal and financial information. But there has to be some meaningful accountability when these monopolistic companies engage in negligent and reckless behavior with the very same consumer data that feeds their quarterly profits. Or when security and privacy shortcuts are found to be intentional, like for cost-saving reasons.

And as we saw with Equifax’s consolidated class-action settlement in response to letting state-sponsored hackers from China steal data on nearly 150 million Americans back in 2017, class-actions and more laughable “free credit monitoring” services from the very same companies that created the problem aren’t going to cut it.

WHAT CAN YOU DO?

It is easy to adopt a defeatist attitude with the credit bureaus, who often foul things up royally even for consumers who are quite diligent about watching their consumer credit files and disputing any inaccuracies.

But there are some concrete steps that everyone can take which will dramatically lower the risk that identity thieves will ruin your financial future. And happily, most of these steps have the side benefit of costing the credit bureaus money, or at least causing the data they collect about you to become less valuable over time.

The first step is awareness. Find out what these companies are saying about you behind your back. Keep in mind that — fair or not — your credit score as collectively determined by these bureaus can affect whether you get that loan, apartment, or job. In that context, even small, unintentional errors that are unrelated to identity theft can have outsized consequences for consumers down the road.

Each bureau is required to provide a free copy of your credit report every year. The easiest way to get yours is through annualcreditreport.com.

Some consumers report that this site never works for them, and that each bureau will insist they don’t have enough information to provide a report. I am definitely in this camp. Thankfully, a financial institution that I already have a relationship with offers the ability to view your credit file through them. Your mileage on this front may vary, and you may end up having to send copies of your identity documents through the mail or website.

When you get your report, look for anything that isn’t yours, and then document and file a dispute with the corresponding credit bureau. And after you’ve reviewed your report, set a calendar reminder to recur every four months, reminding you it’s time to get another free copy of your credit file.

If you haven’t already done so, consider making 2023 the year that you freeze your credit files at the three major reporting bureaus, including Experian, Equifax and TransUnion. It is now free to people in all 50 U.S. states to place a security freeze on their credit files. It is also free to do this for your partner and/or your dependents.

Freezing your credit means no one who doesn’t already have a financial relationship with you can view your credit file, making it unlikely that potential creditors will grant new lines of credit in your name to identity thieves. Freezing your credit file also means Experian and its brethren can no longer sell peeks at your credit history to others.

Anytime you wish to apply for new credit or a new job, or open an account at a utility or communications provider, you can quickly thaw a freeze on your credit file, and set it to freeze automatically again after a specified length of time.

Please don’t confuse a credit freeze (a.k.a. “security freeze”) with the alternative that the bureaus will likely steer you towards when you ask for a freeze: “Credit lock” services.

The bureaus pitch these credit lock services as a way for consumers to easily toggle their credit file availability with push of a button on a mobile app, but they do little to prevent the bureaus from continuing to sell your information to others.

My advice: Ignore the lock services, and just freeze your credit files already.

One final note. Frequent readers here will have noticed that I’ve criticized these so-called “knowledge-based authentication” or KBA questions that Experian’s website failed to ask as part of its consumer verification process.

KrebsOnSecurity has long assailed KBA as weak authentication because the questions and answers are drawn largely from consumer records that are public and easily accessible to organized identity theft groups.

That said, given that these KBA questions appear to be the ONLY thing standing between me and my Experian credit report, it seems like maybe they should at least take care to ensure that those questions actually get asked.


77 thoughts on “Identity Thieves Bypassed Experian Security to View Credit Reports”

  1. Sam

    I’m not surprised at all. They don’t care at all about cyber security. And typical for a company like that to not respond to you and quietly patch the bug as if nothing happened.

    I think the way they authenticate using these questions is not even secure because the answers can be found in public databases. Isn’t that correct?

  2. Moike

    “WHAT CAN YOU DO?”
    Well, for starters you can become a congress-person. It’s a sure thing that certain accounts are specially protected and guarded by the bloated credit bureaus to prevent their information from being accidentally leaked, as well as human representatives to spend the time performing authentication and account recovery for the select class of people when required.

  3. John

    Question – doesn’t providing the details in The Freeze request just provide them with accurate information? I go to great lengths to protect my digital identity from social media, etc. As I commented above, I use a local only open source encrypted password safe (and I have reviewed the source code) and treat KBA as another random password or string of passwords

    1. security vet

      …maybe you don’t understand KBA – they pull your credit record and then, for example, you have to say where you lived, or who issued your mortgage loan, etc…

      …how is that a “string of encrypted characters”…?

  4. Ludovic Lalo

    So why all the vehemence directed against Experian and the rest of the lot? Why aren’t people kicking themselves over their own stupidity? People keep complaining about the government, but then go around and re-elect the same—usually a very old white guy who has made his living on the public trough for decades as a career politician—people. This is especially befuddling when it comes to Experian given its repeat online bumbling. Why is Wells Fargo under government lock-and-key for the shenanigans it pulled, but Experian seems to be getting a free pass? And save me the whining over arbitration clauses, especially when there’s an opt-out provision that you failed to exercise—never mind they are allowed to exist to begin with. If every company has the same clause, I.e., try opening a brokerage account sans arbitration or try buying a new car with an “infotainment” center that you need to agree to the Terms of Service on the screen for the car to function, where’s the freedom of choice? Not having a brokerage account is optional when people are now required to save for their increasingly fantastical retirement. Unfortunately, I suspect that the people who need to be reading this site are the ones who scream freedom the loudest, but really have no idea what it means.

  5. Spike

    Senator Ron Wyden does not appear to be a recipient of Experian’s political largess to the Uniparty (see below),

    There will never be any political will, in the DC Swamp, to reign in credit reporting agencies because they are in the same Club (and we ain’t in it).

    2020
    https://www.opensecrets.org/political-action-committees-pacs/experian/C00379768/candidate-recipients/2020
    https://www.opensecrets.org/political-action-committees-pacs/experian/C00379768/donors/2020
    2022
    https://www.opensecrets.org/political-action-committees-pacs/experian/C00379768/candidate-recipients/2022
    https://www.opensecrets.org/political-action-committees-pacs/experian/C00379768/donors/2022

    Experian’s biggest donor, both years: Ravi Devesetti, Senior VP, Chief Technology Officer, Experian Consumer Information Svcs
    https://experianlife.medium.com/creators-of-experian-ravi-devesetti-2b2eb220fac9

    I’m sure Ravi is very proud of these programs
    https://www.experian.com/consumer-products/identity-theft-and-credit-protection.html

    Send him a little note and tell him what Experian can do with their Identity Protection Plans
    https://www.theofficialboard.com/biography/ravi-devesetti-ge108

  6. S

    Just wanted to say THANK YOU to the author of this article.

    EXPERIAN was an absolute nightmare to deal with. Seriously an incompetent shadow company of some sort.

    They repeatedly charged me after I cancelled my subscription to their services. Time and time again I had to call someone and get refunded— and then I stopped being able to reach anyone.

    They could NOT cancel my subscription charge for some reason — no matter how many times we went through the same ordeal. This took about two and a half years to get straightened out and that amounted to endless hours of trying to get someone from their company on the phone. AVOID THIS COMPANY AT ALL COSTS. They are the absolute worst, seriously!

  7. AlanM

    TransUnion may not have the URL replacement thing but it just allowed getting the full credit report for me without asking any multiple choice questions. Just name, address, birthday, and SSN. Through the annual credit report site.

  8. PaulBart

    As for there’s a club, and you ain’t in it comments:
    From Lexis Nexis opt- out site:
    I do not want my information shared
    I am a public/elected Official
    I am a law enforcement officer
    I am a victim of identity theft
    I am at risk of physical harm
    I am a judicial officer

    So if you are a consumer and want your information safe, become a cop, a judge, or get elected. The other options are not recommended to become a part of.

  9. Jeffrey Minner

    Well, congratulations on getting your credit fixed and buying a new house! Credit reports can be a hard thing to work with them fix unless you are very knowledgeable when it comes to credit repair. Best of luck to you!

  10. RD

    Got my $5.21 from Equifax today
    for the data breach not sure what I’m going to do with all this money.
    01.13.23

  11. CJ SMITH

    My identity was stolen, probably from the Equifax hack, and the damage was illegal credit card charges, and two fraudulent accounts. I was lucky to discover the card charges within hours and notified them. However, the Comcast and T-Mobile accounts went to collections before I learned of them. That’s when I spent days on the phone, with email, and registered mail to control the damage in addition to Consumer agencies. There were numerous errors with the four credit reporting agencies. The worst to deal with were Experian and Equifax. They willfully ignored legal requests for information as required by law and even refused to remove an incorrect name from my credit report… that of the person who committed the fraud. A police detective in Michigan called me and provided me with the name of the person who made the illegal charges. Nobody at Experian would respond except with a standard form reply. It was much the same with Comcast and T-Mobile, who totally ignored the proof of identity theft and replied I should pay my bills. I have had credit 58 years, in that time my only error was one late payment for about $18. The credit reporting agencies act well outside any control. I use Credit Freezes and strongly suggest everyone should.
    Footnote: The reporting agencies were quick to offer credit monitoring services for a steep fee however. Usually there is a pitch for them at the top of their page where you are taken to see your report. You need to go to the bottom of the page for the free, legally mandated link though.

    1. Jack

      The Equifax hack (2017) was done by the Chinese Communist Party (CCP) specifically their military espionage unit. They attacked all the credit bureaus as a focused attack on that industry (they then developed their own “good communist score” system). Check the Wikipedia entry if you need a quick 30 second fact check. That data was never “sold” on the dark web for criminals to take advantage of, and there is zero reason to believe any identity theft was related to that.
      Realistically, we all have to realize that our data has been stolen HUNDREDS of times that we never knew about. MOST breaches are not detected by the company and they usually can’t tell what data was specifically taken.
      I don’t like to be cynical, but … Human nature = We want to believe some story or narrative, and we don’t really seem to care how accurate it is. As long as we get to blame someone for whatever ails us and we don’t have to think too hard about it.

  12. Susie Ingram

    All of these credit reporting agencies need to be abolished completely. They are nothing more than a clearing house for identity theft. I have yet to hear of even 1 person who did not have inaccuracies in their report. They make it impossible to fix & completely ignore the law. I finally got a copy of my report from LexisNexis (used by auto insurance companies to calculate your rates) and found 87 errors! 87! Shut them all down.

    1. Jack

      You are only looking at the down-side. Go cash only then. Don’t expect any business to trust you enough to provide any goods or services except as pre-paid. Down payment deposits required for everything. iPhone? Pay $800 right now. There are no installment plans. Turn on electricity? Deposit $1000. Car insurance? deposit $25,000 for a bond.
      You might look into how credit works (or doesn’t) in countries that don’t have credit bureaus. Also, the indirect economic impact it has on things like creating jobs and businesses. Very few people seem to understand the up-side to our (admittedly) imperfect credit systems.
      By the way, the identity thieves will still break into those businesses that have your data. Banks, schools, governments, etc. (as they do today). The credit bureaus are not the primary source of identity theft information.
      Abolishing CBs won’t impact identity theft, likely make it worse because then companies can’t cross-reference anything or find fraud alerts. That would be like during the Black Death people killing cats as the devil’s agents, when the plague was actually spread by the fleas on the rats. You know, the things that the cats were actually suppressing. Let’s not do the dumb thing because we don’t know any better.

  13. James

    There are a lot of credit reporting agencies out there these days. But I will say this, many of the companies are identity theft. The few good ones out there help you build your credit, the bad ones help you get in more debt.

    Clearly, Experian found it simpler to respond this way, rather than acknowledging the problem and addressing the root causes (lazy authentication and abhorrent account recovery practices). It’s also worth mentioning that reports of hijacked Experian.com accounts persisted into late 2022. That screw-up has since prompted a class action lawsuit against Experian.

    “If they don’t believe they have the authority to do so, they should endorse legislation like my Mind Your Own Business Act, which gives the FTC power to set tough mandatory cybersecurity standards for companies like Experian,” Wyden said.

    1. Brian

      LOL, Elected officials take a lot of abuse these days; much of it for good reason. It’s nice to see folks giving kudos when they’re due!

  14. H

    I also recently had an issue with identity fraud that I found out about when collections reached out. Turns out someone opened a Comcast/Xfinity account in 2021 and it was just turned over to collections. My credit is frozen at the 3 main bureaus and Comcast could explain why the account was opened given that fact. They wanted me to call new accounts customer service to ask what they use. Frustrated with all the personal info I had to provide Comcast to prove it wasn’t my debt and start a fraud claim. I know collections has to prove it is your debt, why doesn’t the Company that claimed you owe them money? Instead I have to prove my identity and where I live.
    Thought the freeze would prevent this.

  15. Jim

    My Experian email address and password were changed on 1/22, our credit freeze was removed, and within 10 minutes two credit cards were applied for in my name/SSN/etc. using a new Yahoo email address (a variation of my name) created by the identity thief. The same day my wife’s Experian account was also hacked, her email changed, and her credit freeze removed. It took hours on the phone with Experian to regain access to my account and reinstate the credit freeze. My wife still can’t get into her Experian account. Experian claimed that someone had created a new account for each of us but that makes no sense because I received an email (at my correct email address) about the credit freeze removal on my (original) account. Of course, they had no record of a second account because there never was one. They repeatedly offered and insisted on closing my account as the only solution to the problem. They must have been aware of the security loophole mentioned in your article but refused to admit that, repeating the same invalid argument about a duplicate account (that never existed).

  16. Berenice Smith

    I lost all my life crypto savings on my Trust Wallet and I couldn’t explain if it was a phishing link I entered or what but all I can say is my wallet was wiped. I read some much about a Money Recovery expert who I decided to contact and trust me, he didn’t disappoint. He recovered all the lost tokens as well as my coins (bitcoin and ethereum) worth about $186,000 as of then. His charge was moderate and he kept me informed about every step. You can reach him via (Backendrecover AT Rescueteam doot c o m)
