On December 23, 2022, KrebsOnSecurity alerted Experian, one of the three major consumer credit reporting agencies, that identity thieves had figured out how to bypass its security and gain access to any consumer’s full credit report — armed with nothing more than a person’s name, address, date of birth and Social Security number. Experian corrected the error but remained silent about the incident for a month. This week, however, Experian acknowledged that the security failure persisted for nearly seven weeks, between November 9, 2022, and December 26, 2022.
The tip about the Experian vulnerability came from Jenya Kushnir, a security researcher based in Ukraine, who said he discovered the method was being used by identity thieves after spending time in Telegram chat channels dedicated to cybercrime.
Typically, Experian’s website will ask a series of multiple-choice questions about one’s financial history as a way to validate the identity of the person requesting the credit report. But Kushnir said the crooks learned they could bypass those questions and trick Experian into giving them access to anyone’s credit report simply by editing the address that appears in the browser’s URL bar at a certain point in Experian’s identity verification process.
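The flaw class described above is a multi-step verification flow in which the server treats the client's position in the flow (a step name carried in the URL) as proof that the earlier steps succeeded. The following is an added, constructed illustration of that pattern beside its hardened form; it is not Experian's code, the step names, session fields, question bank and handler names are all hypothetical, and the sample identity values are placeholders.

```python
"""
Constructed illustration of a multi-step identity-verification flow.
The vulnerable handler trusts the URL step parameter as evidence of
progress; the hardened handler trusts only server-side session state
that the knowledge-based-authentication (KBA) handler itself sets.
All names and values are hypothetical, not Experian's.
"""
from dataclasses import dataclass, field

REPORT = "full credit report (constructed placeholder)"

# Constructed KBA answer key: question id -> correct multiple-choice letter.
KBA_ANSWERS = {"q1": "b", "q2": "d", "q3": "a"}


@dataclass
class Session:
    """Server-side session state. Only server code mutates these fields."""
    identity_submitted: bool = False
    kba_passed: bool = False
    answers: dict = field(default_factory=dict)


def submit_identity(session: Session, name: str, dob: str, ssn_last4: str) -> str:
    """Step 1: collect identifying details. Never sufficient on its own."""
    if not (name and dob and ssn_last4):
        return "error: incomplete identity"
    session.identity_submitted = True
    return "next: /verify?step=kba"


def answer_kba(session: Session, answers: dict) -> str:
    """Step 2: multiple-choice questions. Sets kba_passed only on success."""
    if not session.identity_submitted:
        return "error: identity step not completed"
    session.answers = dict(answers)
    session.kba_passed = all(answers.get(q) == a for q, a in KBA_ANSWERS.items())
    return "next: /verify?step=report" if session.kba_passed else "error: could not verify identity"


def vulnerable_report_handler(session: Session, url_step: str) -> str:
    """BROKEN pattern: reaching step=report is taken as proof of progress.
    Nothing confirms that the KBA step ever ran, let alone succeeded."""
    if url_step != "report":
        return "error: wrong step"
    if not session.identity_submitted:
        return "error: identity step not completed"
    return REPORT


def hardened_report_handler(session: Session, url_step: str) -> str:
    """FIXED pattern: the URL carries no authority; only server-side state
    set by answer_kba() does."""
    if url_step != "report":
        return "error: wrong step"
    if not (session.identity_submitted and session.kba_passed):
        # Detection hook: a report request without kba_passed is the
        # event a defender should log and alert on.
        return "error: identity not verified"
    return REPORT


def simulate_skip(handler) -> str:
    """Client submits identity, then goes straight to the report URL."""
    s = Session()
    submit_identity(s, "Jane Doe", "1970-01-01", "0000")
    return handler(s, "report")


def simulate_honest(handler, answers: dict) -> str:
    """Client completes every step in order with the given KBA answers."""
    s = Session()
    submit_identity(s, "Jane Doe", "1970-01-01", "0000")
    answer_kba(s, answers)
    return handler(s, "report")


if __name__ == "__main__":
    print("vulnerable, KBA skipped:", simulate_skip(vulnerable_report_handler))
    print("hardened, KBA skipped:  ", simulate_skip(hardened_report_handler))
    print("hardened, KBA correct:  ", simulate_honest(hardened_report_handler, KBA_ANSWERS))
    print("hardened, KBA wrong:    ", simulate_honest(hardened_report_handler, {"q1": "a"}))
```

The design point is that the hardened handler reads a flag that only the KBA handler can set, so no client-controlled input (URL, form field, cookie value) can assert that a step was completed; the same check is also the natural place to emit an audit event when a report is requested without verification.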
When I tested Kushnir’s instructions about my own identity with Experian, I found that I was able to see my report, even though Experian’s website told me it didn’t have enough information to validate my identity. A security researcher friend who tested it at Experian found that she could also bypass Experian’s four or five multiple-choice security questions and go straight to her full credit report at Experian.
Experian acknowledged receipt of my December 23rd report four days later, on December 27th, one day after Kushnir’s method stopped working on Experian’s website (the method worked as long as you reached Experian’s website via annualcreditreport.com, the site mandated to provide a free copy of your credit report from each of the major bureaus once a year).
Experian never responded to official requests for comment on that story. However, earlier this week I received an otherwise unhelpful letter via snail mail from Experian (see image above) stating that the weakness we reported persisted between November 9, 2022 and December 26, 2022.
“During this period, we experienced an isolated technical issue where a security feature may not have worked,” Experian explained.
It’s not entirely clear if Experian sent me this paper notice because they legally had to, or if they felt I deserved a written response and thought they might kill two birds with one stone. But it’s pretty crazy that it took them a whole month to notify me of the potential impact of a security flaw that I notified them about.
It’s also kind of crazy that Experian didn’t just include a copy of my current credit report with this letter, which is confusingly worded and sounds like they suspect someone other than me may have accessed my credit report without any kind of screening or authorization.
After all, if I hadn’t approved the request for my credit file that apparently prompted this letter (I had), that would mean the thieves already had my report. Shouldn’t I have the same visibility in my own credit file as them?
Instead, their woefully inadequate letter directs me once again to wait endlessly for an Experian representative over the phone or sign up for a free year of Experian monitoring of my credit report.
As it stands, using Kushnir’s exploit was the only time I’ve ever been able to get Experian’s website to cough up a copy of my credit report. To make matters worse, the majority of the information in that credit report is not mine. So I have that to look forward to.
If there’s a silver lining here, I suppose if I were Experian I probably wouldn’t want to show Brian Krebs his credit file either. Because it’s clear that this company has no idea who I really am. And in a strange, kind of sad way, I think that makes me happy.
For thoughts on what you can do to minimize your exposure and overall value to the credit bureaus, see this section of the latest Experian story.