The credit monitoring giant Experian exposed credit reports to cyber criminals after its website was found to have a critical vulnerability.
Investigative journalist Brian Krebs has revealed startling details of a security vulnerability on the official website of Experian, a global leader in consumer and business credit reporting. According to Krebs, the vulnerability was being exploited by identity theft scammers while Experian was unaware of it.
Typically, Experian offers credit reports after people answer several multiple-choice questions related to their financial background. However, by the end of 2022, the Experian website was allowing users to bypass these MCQs and directly access the report after entering their name, birth date, address, and Social Security Number.
Brian Krebs was tipped off about this glitch by Ukraine-based security researcher Jenya Kushnir. The glitch was being exploited by identity thieves using stolen identity data obtained through Telegram chat channels dedicated to this purpose. In an email to Krebs, Kushnir wrote:
“I want to try and help to put a stop to it and make it more difficult for to access, since not doing shit and regular people struggle. If somehow I can make a small change and help to improve this, inside myself I can feel that I did something that actually matters and helped others.”
According to Kushnir’s findings, cybercriminals could trick the Experian website into allowing them access to any user’s credit report simply by editing the address in the browser URL bar at some point during the identity verification process.
Krebs then cross-checked Kushnir’s claims by seeking a copy of his credit report from Experian through annualcreditreport.com. This website offers Americans a free copy of their credit report once a year.
The report is issued by three major reporting bureaus. The visitor has to provide their name, birth date, address, and Social Security Number. When Brian Krebs provided this information, he was redirected to Experian.com to finish identity verification. That’s the stage when the MCQs appear.
However, Krebs learned from Kushnir that at this stage, if he changed the last part of the URL from “/acr/oow/” to “/acr/report”, his credit report would appear. When he was redirected to the Experian website, it didn’t display the MCQs; instead the URL “/acr/OcwError” was displayed, stating that it didn’t have sufficient data to verify his identity. Next, the site offered Krebs three options:
- Send an email for a credit report with identity verification documents;
- Call Experian;
- Upload identity proof on the website.
But when Krebs changed the URL to “/acr/report” as Kushnir had described, he was shown his full credit file even though Experian had not verified his identity.
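The flaw described above is a missing server-side authorization check: the report endpoint trusted that a visitor who reached it had passed the verification step, rather than checking a server-held record of that outcome. As an added illustration (not Experian's code or anything from Krebs' report), the following minimal model contrasts that pattern with a hardened handler; the route names come from the article, while the session fields and handler names are hypothetical.

```python
# Added example: a toy model of the /acr flow, not Experian's implementation.
# Session fields and handler names are hypothetical; only the route names come from the article.
from dataclasses import dataclass, field

@dataclass
class Session:
    identity_data_supplied: bool = False   # name, DOB, address, SSN were entered
    verification_passed: bool = False      # set by the server only after the MCQ step succeeds
    audit_log: list = field(default_factory=list)

def start_flow(session: Session) -> str:
    """Identity data is submitted; model the case where the site cannot generate MCQs."""
    session.identity_data_supplied = True
    return "/acr/OcwError"   # no questions shown, verification never completed

def report_vulnerable(session: Session, path: str) -> str:
    """Flawed pattern: reaching the URL is treated as proof that the earlier step was passed."""
    if path == "/acr/report" and session.identity_data_supplied:
        return "FULL CREDIT FILE"
    return "403 Forbidden"

def report_hardened(session: Session, path: str) -> str:
    """Fixed pattern: release the report only if the server recorded a successful verification."""
    if path != "/acr/report":
        return "404 Not Found"
    if not session.verification_passed:
        # Worth alerting on: a report request from a session that never completed verification.
        session.audit_log.append("report requested without completed verification")
        return "403 Forbidden"
    return "FULL CREDIT FILE"

def edited_url_scenario(handler) -> str:
    """Reproduce the described sequence: land on /acr/OcwError, then request /acr/report directly."""
    session = Session()
    start_flow(session)
    return handler(session, "/acr/report")

def legitimate_scenario(handler) -> str:
    """Control case: the server itself marked verification as passed before the report is requested."""
    session = Session(identity_data_supplied=True, verification_passed=True)
    return handler(session, "/acr/report")
```

Running both scenarios shows the vulnerable handler releasing the file after the URL edit while the hardened one refuses and leaves an audit entry, yet both still serve the legitimately verified session.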
Brian Krebs shared his findings with Experian on 23 December 2022 and the notification was acknowledged by the company’s PR team on 27 December 2022. During this time, the exploit was patched. It is, however, unclear for how long this issue was known to identity thieves and was being exploited.
Experian Security and Data Breaches
Experian is one of the world’s leading credit reporting agencies that collects and aggregates information on over 1 billion people and businesses. It has access to data from 235 million individual U.S. consumers, as well as 25 million U.S. businesses, making it a powerful tool for financial institutions, employers, landlords and more.
However, at the same time, Experian is also known for large-scale data breaches and critical security flaws. A few years ago, one such flaw allowed attackers to obtain access to customers’ accounts and their credit freeze PINs.
In August 2020, it was revealed that Experian had suffered a massive data breach in which the personal details of 22 million customers were stolen. In another incident, Serasa Experian, the Brazilian arm of Experian, suffered yet another data breach in which 223 million people had their data leaked on a hacker forum.