Experian’s Treasure Trove Of PII Breached By Simply Altering URLs

Data brokers like Experian and Equifax pose tempting targets for malicious hackers looking to find another source for personal info they can hawk online to other malicious people. The sad thing is, no one really needs to hack their databases. They're more than willing to just leave them exposed.

In 2017, Equifax leaked personal info pertaining to nearly half the nation (143 million people). The credit reporting agency knew of the breach as early as July but didn't get around to notifying affected people for another couple of months. A few wrist slaps later and Equifax is still making millions while affected US residents are being asked to make do with [squints at recently received Equifax settlement check] $7.85.

Experian has its own sordid history. Not only has it been fined multiple times for misleading people about access to free credit reports mandated by federal law, it was caught selling personal info to a Vietnamese fraudster who sold this illicitly obtained stash of PII to others.

Brian Krebs was the one who broke that story in 2013. He's on the leading edge of this one as well, which shows Experian hasn't gotten any better at protecting the massive amount of personal info it obtains from millions of Americans who have zero say in the matter.

Identity thieves have been exploiting a glaring security weakness in the website of Experian, one of the big three consumer credit reporting bureaus. Normally, Experian requires that those seeking a copy of their credit report successfully answer several multiple choice questions about their financial history. But until the end of 2022, Experian's website allowed anyone to bypass these questions and go straight to the consumer's report. All that was needed was the person's name, address, birthday and Social Security number.

Asking people to input the Big Four of PII to access their credit report via an online form is already careless. Compounding this is Experian's ongoing disinterest in fulfilling its federal obligations to supply free credit reports. The data leak involves Experian's verification process that is triggered by visitors to freecreditreport.com, the website through which Americans can access their federally mandated free credit reports.

Brian Krebs was alerted to this leak by Jenya Kushnir, a Ukrainian security researcher who had come across the security hole while lurking on Telegram chat channels used by identity fraudsters. He decided to take the reported breach for a spin, starting with a stop at freecreditreport.com. From there, he was sent to Experian's site for ID validation, where problems began to develop.

[W]hen I tried to get my report from Experian via annualcreditreport.com, Experian's website said it didn't have enough information to validate my identity. It wouldn't even show me the four multiple-guess questions. Experian said I had three options for a free credit report at this point: Mail a request along with identity documents, call a phone number for Experian, or upload proof of identity via the website.

So far, so good, I guess. This would prevent fraudsters from utilizing info obtained from other breaches to access people's credit reports. If only it had ended there. Turns out there's a workaround, and it's really not any work at all.

But that didn't stop Experian from showing me my full credit report after I changed the Experian URL as Kushnir had instructed - modifying the error page's trailing URL from /acr/OcwError" to simply /acr/report".

Experian's website then immediately displayed my entire credit file.

So, without successfully performing any ID verification, Experian allowed access to a full credit report via URL alteration. That should never happen, but it's the sort of thing that happens all too frequently. Massive corporations that have all the expertise and money needed to secure personal info somehow fail to do so with alarming frequency. And when they're exposed, they often try to find ways to shoot the messenger or punish those who interact with their sites in unexpected ways.

Experian was notified by Krebs last month but never responded. The breach method, however, was silently patched out of existence at some point between Krebs' Experian experiment and its acknowledgment of his breach report four days later. Adding insult to injury, Krebs notes the report he obtained was full of errors, meaning he'll have to interact with the service that failed to protect his info multiple times to get his credit report fixed.

And, once again, a credit reporting service - one that Americans can't opt out of having their personal information shared with - has played fast and loose with the wealth of PII it collects and sells access to. Krebs' full report is a great, if depressing, read that helpfully provides details on other times Experian has failed to properly secure this data. Unfortunately, the most Americans can hope for is that they won't be cut off from accessing their free credit reports because of credit reporting service incompetence. If the Equifax breach is any indication of future results, these companies will continue to be careless because they've been assured they'll never truly be punished for fucking things up.