T-Mobile will pay $2.5 million in connection with the 2015 breach, which affected 15 million people who filed credit applications with the company. Under the settlements, the companies agreed to improve their data security practices.

“These data breaches will keep happening until we force change in corporate behavior,” Pennsylvania Attorney General Josh Shapiro says. “Experian and T-Mobile failed in their responsibility to safeguard consumers’ personal information. Their systems were vulnerable to a massive data breach, and the personal identifying information for millions of Americans was put at risk.”

Experian, T-Mobile suffer major data breaches

In September 2015, Experian reported it experienced a data breach in which an unauthorized actor gained access to part of its network that stored personal information on behalf of its client, T-Mobile. The Experian breach included names, addresses, dates of birth, Social Security numbers, identification numbers, such as driver’s license and passport numbers, and related information used in T-Mobile’s own credit assessments.

The vulnerability in Experian’s website was exploitable after one applied to see their credit file via.

In December, KrebsOnSecurity heard from Jenya Kushnir, a security researcher living in Ukraine who said he discovered the method being used by identity thieves after spending time on Telegram chat channels dedicated to the cashing out of compromised identities.

“I want to try and help to put a stop to it and make it more difficult for to access, since not doing shit and regular people struggle,” Kushnir wrote in an email to KrebsOnSecurity explaining his motivations for reaching out. “If somehow I can make small change and help to improve this, inside myself I can feel that I did something that actually matters and helped others.”

Kushnir said the crooks learned they could trick Experian into giving them access to anyone’s credit report, just by editing the address displayed in the browser URL bar at a specific point in Experian’s identity verification process.

Following Kushnir’s instructions, I sought a copy of my credit report from Experian via a website that is required to provide all Americans with a free copy of their credit report from each of the three major reporting bureaus, once per year.

The site begins by asking for your name, address, SSN and birthday. After I supplied that and told the site I wanted my report from Experian, I was taken to Experian’s website to complete the identity verification process. Normally at this point, Experian’s website would present four or five multiple-guess questions, such as “Which of the following addresses have you lived at?”

Kushnir told me that when the questions page loads, you simply change the last part of the URL from “/acr/oow/” to “/acr/report,” and the site would display the consumer’s full credit report.

But when I tried to get my report from Experian via that site, Experian’s website said it didn’t have enough information to validate my identity. It wouldn’t even show me the four multiple-guess questions. Experian said I had three options for a free credit report at this point: Mail a request along with identity documents, call a phone number for Experian, or upload proof of identity via the website.

But that didn’t stop Experian from showing me my full credit report after I changed the Experian URL as Kushnir had instructed - modifying the error page’s trailing URL from “/acr/OcwError” to simply “/acr/report”.

Experian’s website then immediately displayed my entire credit file.

Even though Experian said it couldn’t tell that I was actually me, it still coughed up my report. The report contains so many errors that it’s probably going to take a good deal of effort on my part to straighten out. Now I know why Experian has NEVER let me view my own file via their website. For example, there were four phone numbers on my Experian credit file: Only one of them was mine, and that one hasn’t been mine for ages.

I was so dumbfounded by Experian’s incompetence that I asked a close friend and trusted security source to try the method on her identity file at Experian. Sure enough, when she got to the part where Experian asked questions, changing the last part of the URL in her address bar to “/report” bypassed the questions and immediately displayed her full credit report.

KrebsOnSecurity shared Kushnir’s findings with Experian on Dec. 23. On Dec. 27, 2022, Experian’s PR team acknowledged receipt of my Dec. 23 notification, but the company has so far ignored multiple requests for comment or clarification.

By the time Experian confirmed receipt of my report, the “exploit” Kushnir said he learned from the identity thieves on Telegram had been patched and no longer worked. But it remains unclear how long Experian’s website was making it so easy to access anyone’s credit report.