A critical vulnerability in Experian's website exposed consumers' credit reports to hackers.
Brian Krebs, an investigative journalist, has disclosed startling information about a vulnerability in the Experian website. Experian is a world leader in business and consumer credit reporting. Krebs claims that the vulnerability was exploited by fraudsters while Experian was unaware of it.
Experian normally issues a credit report only after the requester answers multiple-choice questions about their financial history. A flaw in Experian's website, however, let a user reach their credit report directly after entering a name, address, and Social Security number, skipping those questions.
Jenya Kushnir, a security researcher based in Ukraine, tipped Brian Krebs about the glitch. She explained that identity thieves were using it to obtain credit reports on stolen identities, traded via Telegram chat channels set up for this purpose. Kushnir sent Krebs an email with the following:
I want to make this more accessible and stop it from happening. Regular people don’t have the means to do it. I feel like I made a difference and that it helped other people.
Kushnir discovered that cybercriminals could trick Experian into granting access to any user's credit report simply by editing the URL in the browser's address bar during identity verification.
Krebs then cross-checked Kushnir's claims by requesting a copy of his own credit report from Experian through annualcreditreport.com. The website gives Americans one free credit report per year.
The three major reporting agencies issue the reports. Each visitor must provide their name, birthdate, address, and Social Security number. Brian Krebs submitted this information and was directed to Experian.com for identity verification. This is the point at which the multiple-choice questions are normally displayed.
Kushnir had told Krebs, however, that changing the final part of the URL (at that point "/acr/oow/") would show his credit report. When Krebs was redirected to Experian, the site did not show the multiple-choice questions. Instead it displayed the URL "/acr/OcwError" with a message that the website did not have enough data to confirm his identity. The Experian website then offered Krebs three choices:
- Send an email to request a credit report and identity verification documentation
- Contact Experian
- Upload identity documentation to the site
Krebs, however, changed the URL to "/acr/report", as Kushnir had told him. He was then shown his complete credit file, even though Experian had been unable to verify his identity.
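The failure the story describes is an authorization check that trusts the browser to follow the intended sequence of pages, so that a hand-edited URL lands on the report route without the quiz ever having been passed. The Python below is an added illustration, not Experian's code and not a description of Experian's implementation: it models the identity form, the quiz, and two versions of the report route, one that only checks that an identity was entered and one gated on a server-side `verified` flag that only the quiz-grading step can set. Route paths, field names and the sample consumer data are assumptions, and the "not enough data to verify" error path is handled by failing closed.

```python
# Added example, not Experian's own code: an identity-verification flow that gates
# the report on server-side state rather than on which URL the browser asks for next.
# Route paths, field names and the sample consumer data are assumptions.

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample data for one consumer: a credit file and the expected
# answers to the multiple-choice ("out-of-wallet", OOW) identity quiz.
CREDIT_FILES: Dict[str, str] = {"000-00-0001": "Sample credit file (constructed)"}
OOW_ANSWERS: Dict[str, Dict[str, str]] = {"000-00-0001": {"q1": "b", "q2": "d"}}


@dataclass
class Session:
    """Server-side session state; the browser never gets to write `verified`."""
    ssn: Optional[str] = None          # from the name/address/SSN form
    verified: bool = False             # set only by grade_oow() on a full pass
    requests: List[Tuple[str, bool]] = field(default_factory=list)  # (path, verified) audit trail


def submit_identity(session: Session, ssn: str) -> str:
    """Step 1: record the claimed identity and return the next page for the browser."""
    session.ssn = ssn
    session.verified = False           # a new identity claim resets verification
    if ssn not in OOW_ANSWERS:         # not enough data to build a quiz
        return "/acr/OcwError"         # fail closed: the session stays unverified
    return "/acr/oow"


def grade_oow(session: Session, answers: Dict[str, str]) -> str:
    """Step 2: grade the quiz on the server; only a complete pass verifies."""
    expected = OOW_ANSWERS.get(session.ssn)
    session.verified = expected is not None and answers == expected
    return "/acr/report" if session.verified else "/acr/OcwError"


def report_vulnerable(session: Session) -> str:
    """Report route that assumes the browser only arrives here after the quiz.
    It checks that an identity was entered, not that it was verified."""
    if session.ssn in CREDIT_FILES:
        return CREDIT_FILES[session.ssn]
    return "403 no identity on file"


def report_hardened(session: Session) -> str:
    """Report route gated on state that only grade_oow() can set."""
    if not session.verified or session.ssn not in CREDIT_FILES:
        return "403 identity not verified"
    return CREDIT_FILES[session.ssn]


def serve(session: Session, path: str, hardened: bool) -> str:
    """Dispatch a browser request for `path`; the browser, not the server, picks the path."""
    session.requests.append((path, session.verified))
    if path == "/acr/report":
        return (report_hardened if hardened else report_vulnerable)(session)
    if path == "/acr/oow":
        return "200 quiz page"
    if path == "/acr/OcwError":
        return "200 cannot verify; email, call, or upload documents"
    return "404"


def flow_skipping_quiz(hardened: bool, session: Optional[Session] = None) -> str:
    """Enter an identity, ignore the quiz page, and request /acr/report directly."""
    s = session if session is not None else Session()
    serve(s, submit_identity(s, "000-00-0001"), hardened)   # server sends us to /acr/oow
    return serve(s, "/acr/report", hardened)                  # path edited by hand instead


def flow_completing_quiz(hardened: bool, answers: Dict[str, str],
                         session: Optional[Session] = None) -> str:
    """The intended path: identity, then quiz, then whichever page the server chooses."""
    s = session if session is not None else Session()
    serve(s, submit_identity(s, "000-00-0001"), hardened)
    return serve(s, grade_oow(s, answers), hardened)


def unverified_report_requests(session: Session) -> int:
    """Audit signal: report requests made while the session was not verified.
    On the vulnerable route these were served; on the hardened one they are denied,
    and either way they are worth alerting on."""
    return sum(1 for path, verified in session.requests
               if path == "/acr/report" and not verified)


if __name__ == "__main__":
    print("vulnerable, quiz skipped:", flow_skipping_quiz(hardened=False))
    print("hardened, quiz skipped:  ", flow_skipping_quiz(hardened=True))
    print("hardened, quiz passed:   ", flow_completing_quiz(True, {"q1": "b", "q2": "d"}))
```

The design point is that `verified` lives only in the server-side session and is written by exactly one function, so the order in which the browser requests pages no longer matters; the audit counter gives a detection hook for report requests arriving without a passed quiz, which is the traffic pattern the story describes.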
Brian Krebs notified Experian of his findings on 23 December 2022. The notification was received by Experian's PR department on 27 December 2022, and the flaw was fixed during this period. However, it is not clear how long identity thieves had been exploiting it.
Data Breaches and Experian Security
Experian, one of the most respected credit reporting agencies in the world, collects data on more than 1 billion individuals and companies, including 235 million U.S. individuals and 25 million U.S. companies. This makes it an invaluable resource for employers, landlords, financial institutions, and other stakeholders.
Experian has previously suffered large-scale data breaches as well as critical security vulnerabilities. A vulnerability that allowed hackers to gain access to customer accounts and credit freeze PINs was discovered a few years back.
One breach saw the personal information of 22 million customers stolen. Experian's Brazilian arm, Serasa Experian, suffered yet another data leak in which the data of 223 million individuals was exposed to a hacker community.