Experian Website Loophole Allows Hackers to Access Credit Reports for Unknown Amount of Time
- By Steven
- Jan 11, 2023
Experian is one of the largest credit bureaus in the world. It serves over a billion people, about 235 million of whom are Americans. This is not the first time in recent months that massive issues have been discovered within one of the “Big Three” credit bureaus (TransUnion, Experian, and Equifax): TransUnion suffered a massive leak in late 2022. That breach affected almost every active credit user in the country, so the wider effect can only be devastating.
How the Loophole Came to Be
Jenya Kushnir, a cybersecurity researcher who lives in Ukraine, found a loophole on a credit reporting website that allowed him – and others – to access other people’s credit reports with practically no verification. Upon reaching the website, Kushnir would enter certain pieces of his PII (personally identifiable information), including his address, Social Security number, name, and birthday. Bear in mind that these details are relatively easy for hackers to obtain. After this, Kushnir would be redirected to Experian’s website to complete a verification process. Usually, the website would require you to answer some multiple-choice questions whose answers only you would realistically know.
Others Found the Same Results
Through Telegram chat channels run by identity thieves, Kushnir found that by changing the end of the URL from “/acr/oow/” to “/acr/report,” he would be able to access his – or anyone else’s – credit report without verifying his identity. He reached out to KrebsOnSecurity, a cybersecurity news website, explaining the breach and encouraging the writer responsible for the site to apply the same method. Not only did the site owner do so and find the same results, but he also found massive discrepancies in his report; for instance, his “past phone numbers” list contained multiple inaccurate numbers. Astounded by the inaccuracies in Experian’s data, he reached out to another cybersecurity expert, who experienced exactly the same things on the site.
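The behaviour described above is a missing server-side check: the report URL answered without confirming that the verification step had been passed. The sketch below is an added example, not Experian's code or its actual fix; only the two URL paths come from the article, and every function name, status code and sample value is hypothetical.

```python
# Added example: minimal model of a multi-step verification flow.
# Only the paths /acr/oow/ and /acr/report come from the article.
import secrets

SESSIONS = {}  # session id -> state held on the server, never sent by the client

def start_session(applicant_id):
    """Step 1: PII submitted; the server records whose report is in play."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"applicant": applicant_id, "oow_passed": False}
    return sid

def submit_oow_answers(sid, answers, expected):
    """Step 2 (/acr/oow/): only the server sets the flag, only on correct answers."""
    state = SESSIONS.get(sid)
    if state is None:
        return 401
    state["oow_passed"] = (answers == expected)
    return 200 if state["oow_passed"] else 403

def report_vulnerable(sid):
    """/acr/report as the article describes it: served without step 2."""
    state = SESSIONS.get(sid)
    if state is None:
        return 401, None
    return 200, f"credit report for {state['applicant']}"

def report_hardened(sid):
    """/acr/report with the verification state re-checked on every request."""
    state = SESSIONS.get(sid)
    if state is None:
        return 401, None
    if not state["oow_passed"]:
        return 403, None  # navigating straight to the URL is refused
    return 200, f"credit report for {state['applicant']}"

ROUTES = {"/acr/report": report_hardened}

def handle(path, sid):
    """Dispatch by path; the path alone never grants access."""
    handler = ROUTES.get(path)
    return handler(sid) if handler else (404, None)
```

A regression test for this class of bug requests every post-verification URL from a session that has not completed the questions and expects a refusal.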
Experian Fixed the Issues Since It Came to Light
Multiple news outlets have contacted Experian for comment, though no comment has come from the bureau. It is unclear how many people were affected or how long the loophole was exploitable, but it is no longer in effect. About four days after being alerted to the loophole, Experian fixed its site, removing the ability to wrongfully access credit information. Some solace may be offered in the fact that a good portion of the accessed information was incorrect, anyway.
As with all other breaches, we want nothing more than for everyone to remain safe and vigilant. Luckily for anyone involved, there is help. Investing in identity monitoring services will help keep you and your loved ones safe and secure. Of course, this isn’t an ideal scenario in any way, but there are steps we can take to better the situation. If you believe your information is at risk, make sure to keep track of your credit report and all your financials. Those are the first places you will likely notice any discrepancies.