Experian’s Treasure Trove Of PII Breached By Simply Altering URLs

from the collecting-it-all-just-to-give-it-away dept

Data brokers like Experian and Equifax pose tempting targets for malicious hackers looking to find another source for personal info they can hawk online to other malicious people. The sad thing is, no one really needs to hack their databases. They’re more than willing to just leave them exposed.

In 2017, Equifax leaked personal info pertaining to nearly half the nation (143 million people). The credit reporting agency knew of the breach as early as July but didn’t get around to notifying affected people for another couple of months. A few wrist slaps later and Equifax is still making millions while affected US residents are being asked to make do with [squints at recently received Equifax settlement check] $7.85.

Experian has its own sordid history. Not only has it been fined multiple times for misleading people about access to free credit reports mandated by federal law, it was caught selling personal info to a Vietnamese fraudster who sold this illicitly obtained stash of PII to others.

Brian Krebs was the one who broke that story in 2013. He’s on the leading edge of this one as well, which shows Experian hasn’t gotten any better at protecting the massive amount of personal info it obtains from millions of Americans who have zero say in the matter.

Identity thieves have been exploiting a glaring security weakness in the website of Experian, one of the big three consumer credit reporting bureaus. Normally, Experian requires that those seeking a copy of their credit report successfully answer several multiple choice questions about their financial history. But until the end of 2022, Experian’s website allowed anyone to bypass these questions and go straight to the consumer’s report. All that was needed was the person’s name, address, birthday and Social Security number.

Asking people to input the Big Four of PII to access their credit report via an online form is already careless. Compounding this is Experian’s ongoing disinterest in fulfilling its federal obligations to supply free credit reports. The data leak involves Experian’s verification process that is triggered by visitors to freecreditreport.com, the website through which Americans can access their federally mandated free credit reports.

Brian Krebs was alerted to this leak by Jenya Kushnir, a Ukrainian security researcher who had come across the security hole while lurking on Telegram chat channels used by identity fraudsters. He decided to take the reported breach for a spin, starting with a stop at freecreditreport.com. From there, he was sent to Experian’s site for ID validation, where problems began to develop.

[W]hen I tried to get my report from Experian via annualcreditreport.com, Experian’s website said it didn’t have enough information to validate my identity. It wouldn’t even show me the four multiple-guess questions. Experian said I had three options for a free credit report at this point: Mail a request along with identity documents, call a phone number for Experian, or upload proof of identity via the website.

So far, so good, I guess. This would prevent fraudsters from utilizing info obtained from other breaches to access people’s credit reports. If only it had ended there. Turns out there’s a workaround, and it’s really not any work at all.

But that didn’t stop Experian from showing me my full credit report after I changed the Experian URL as Kushnir had instructed — modifying the error page’s trailing URL from “/acr/OcwError” to simply “/acr/report”.

Experian’s website then immediately displayed my entire credit file.

So, without successfully performing any ID verification, Experian allowed access to a full credit report via URL alteration. That should never happen, but it’s the sort of thing that happens all too frequently. Massive corporations that have all the expertise and money needed to secure personal info somehow fail to do so with alarming frequency. And when they’re exposed, they often try to find ways to shoot the messenger or punish those who interact with their sites in unexpected ways.

Experian was notified by Krebs last month but never responded. The breach method, however, was silently patched out of existence at some point between Krebs’ Experian experiment and its acknowledgment of his breach report four days later. Adding insult to injury, Krebs notes the report he obtained was full of errors, meaning he’ll have to interact with the service that failed to protect his info multiple times to get his credit report fixed.

And, once again, a credit reporting service — one that Americans can’t opt out of having their personal information shared with — has played fast and loose with the wealth of PII it collects and sells access to. Krebs’ full report is a great, if depressing, read that helpfully provides details on other times Experian has failed to properly secure this data. Unfortunately, the most Americans can hope for is that they won’t be cut off from accessing their free credit reports because of credit reporting service incompetence. If the Equifax breach is any indication of future results, these companies will continue to be careless because they’ve been assured they’ll never truly be punished for fucking things up.

Filed Under: , , ,
Companies: experian

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Experian’s Treasure Trove Of PII Breached By Simply Altering URLs”

Subscribe: RSS Leave a comment
Ehud Gavron (profile) says:

I got $6

Tim, congrats on getting $7. I got $6 and am still figuring out where to spend my windfall.

Experian and the other two make a big deal of securing the data. Clearly they don’t.

Companies that carelessly (malfeasance) allow PII to be leaked often get no more than a slap on the wrist and instead of accounting for the huge headache that card theft and identity theft — offer a free year of Norton Lifelock.

Norton Lifelock couldn’t safeguard the security of its own CEO’s data… and now we see they couldn’t safeguard the security of its users. So if you get hacked, the answer isn’t to get Norton (and get hacked again).

Companies that leak PII should be held accountable and provide REAL compensation for the damage they cause, just like a bank that gives away your money, an insurance underwriter who won’t pay your claim, or a politician that doesn’t live up to their election platform.

I’m afraid to offer the $6 as a tip on a $30 lunch… the server may pull out his/her own check and it might be bigger.


Anonymous Coward says:

Should be opt-in

And, once again, a credit reporting service — one that Americans can’t opt out of having their personal information shared with

Even if one could opt out, that wouldn’t be good enough. Such things should always be opt-in, and truly voluntary. No forced “opting” in because you signed up for a credit card or something. Companies can give “unknown” customers a low credit limit to start with, or ask for a deposit, which is how things used to work anyway.

And one certainly shouldn’t have to give these agencies even more personal data—like ID scans—to get data deleted.

ECA (profile) says:


The problem here?
Is very simple. It has nothing to do with you. Its the corps and banks that WANT the info. Then the Landlords found out, Then the police found out. And the FBI have always like it.
Take a Federal Social security card and turn it into a FUll blown Identification. and NOT a good one.
Then BYPASS the law that requires that IT NOT be used as ID, and you have bagged and tagged most of the USA people.
But the HOLES ARE BIG. 9 digits, to cover 300,000,000 people. Not counting those already DEAD? Temp numbers for those from other countries working here. And Cards that have had a few changes over the years, WITHOUT getting rid of the old ones.

Anathema Device (profile) says:

Such a basic site coding issue

If I, with my fairly unsophisticated set of skills in website and database coding, know enough that at minimum you should have a cookie set validating the user before you get anywhere near identifying data, then the people being paid thousands and thousands of dollars to code Experian’s shit should know it.

This is laziness. Not even cost cutting. Just sheer, bloody can’t be botheredness on the part of a probably a very low level manager.

Another anonymous coward says:

Since these companies’ business is to sell everyone’s personal info to absolutely anyone who will pay for it the only effect of a so called data breach is that they accidentally fail to make money off your/my/everyones’ personal info. The level of security or confidentialiy around that info would seem to be absolutely the same either way.

RxB says:

Say what you will about EU GPDR but..

Most of its content is made to actually deal with this kind of incompetence, forcing corporations to actually pay attention to the security of PII, and enforcing possibly very large fines if they fail to do so.

Sure, it is a pain in the butt to deal with, and it led companies to reinforce the use or dark patterns in their cookies banners, but ultimately it also makes them more responsible with their users data, for fear of being hit with a very large stick.

naoEntendo (profile) says:

The rest of the country needs a CCPA

Checked and saw that I had an old Experian web account, so I went to delete it.

There’s no way to delete your account on the web site. It says to email your request. So I email my request.

Email says there’s no way to delete your account via email you have to phone in your request. So I phone in.

I get a nice fella that says they can ‘deactivate’ your account. I say I want to delete it. He says I can’t AND they keep my data forever. I ask for a supervisor.

Get the nice supervisor, she admits that they can only keep your data for six years and asks if I want a ‘hard’ deactivation, which means they won’t spam your email address. She says if I really want my data deleted I have to go to this website:


Unfortunately, they’ll only honor your request if you happen to live in CA.

The rest of the country needs it’s own CCPA.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...