Identity thieves crack major Experian security flaw, access customer credit reports
Getting access to Experian reports was as easy as tweaking the URL address
The website of consumer credit reporting giant Experian carried a major privacy vulnerability that allowed hackers to obtain customer credit reports, and all it took was a little identity data and a small tweak to the address displayed in the URL bar, experts have revealed.
Cybersecurity researcher Jenya Kushnir discovered the flaw on Telegram, after observing hackers selling stolen reports, and worked with KrebsOnSecurity to investigate it further.
The idea was simple - if you had the victim’s name, address, birthday and Social Security number (all of which might be obtained from a previous incident), you could go to one of the websites offering free credit reports and submit the data to request one. At that point, the website would redirect you to the Experian website, where you’d be required to submit more personally identifiable information, such as answers to questions about previous addresses.
And here is where the flaw is exploitable. There is no need to answer any of those questions - all you’d need to do at this point is simply change the address displayed in the URL bar, from “/acr/oow/” to “/acr/report,” and you’d be presented with the report.
While testing the concept, Krebs found that tweaking the address first redirects to “/acr/OcwError”, but trying the tweak again worked: “Experian’s website then immediately displayed my entire credit file,” the report states.
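The flaw described above is a server-side authorization gap: the report page trusted that a client which reached it had answered the verification questions, when in fact the only thing standing between the two steps was the URL. The example below is an added illustration, not Experian's code, of the check that closes that gap, plus a simple log-based detection. The route names /acr/oow and /acr/report are taken from the article; the session fields, handler names, and log format are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

# Route names come from the article. Handler logic, session fields and the
# log format are assumptions for illustration, not Experian's implementation.
KBA_PATH = "/acr/oow"        # knowledge-based authentication ("out of wallet") questions
REPORT_PATH = "/acr/report"  # the credit report itself


@dataclass
class Session:
    """Server-side session state. The client can never set these fields directly."""
    identity_submitted: bool = False  # name, address, DOB, SSN were received
    kba_passed: bool = False          # verification questions were answered correctly


@dataclass
class Response:
    status: int
    body: str = ""
    location: Optional[str] = None


def handle_vulnerable(session: Session, path: str) -> Response:
    """Models the flaw: the report route only checks that identity data was
    submitted, so a client that skips the question page and requests
    /acr/report directly is served the file."""
    if path == KBA_PATH:
        return Response(200, "questions")
    if path == REPORT_PATH:
        if session.identity_submitted:
            return Response(200, "credit report")
        return Response(302, location="/")
    return Response(404)


def handle_hardened(session: Session, path: str) -> Response:
    """Fix: the report route requires a server-side flag that only the KBA
    step sets after the answers are verified. Editing the URL cannot set it."""
    if path == KBA_PATH:
        if not session.identity_submitted:
            return Response(302, location="/")
        return Response(200, "questions")
    if path == REPORT_PATH:
        if not session.identity_submitted:
            return Response(302, location="/")
        if not session.kba_passed:
            # Send the client back to the step it skipped, never to the report.
            return Response(302, location=KBA_PATH)
        return Response(200, "credit report")
    return Response(404)


def answer_kba(session: Session, answers_correct: bool) -> None:
    """The only code path that may mark verification as passed."""
    if session.identity_submitted and answers_correct:
        session.kba_passed = True


# Detection: a session that receives /acr/report with 200 but never posted
# correct answers to /acr/oow is an indicator of the bypass. The log below is
# a constructed sample in a simplified "session method path status" form,
# where a 200 on POST /acr/oow is assumed to mean the answers were accepted.
SAMPLE_LOG = """\
s1 POST /acr/identity 200
s1 GET /acr/oow 200
s1 POST /acr/oow 200
s1 GET /acr/report 200
s2 POST /acr/identity 200
s2 GET /acr/oow 200
s2 GET /acr/report 200
"""


def find_kba_bypasses(log_text: str) -> List[str]:
    """Return session ids that were served a report without passing KBA."""
    passed = set()
    suspicious = []
    for line in log_text.splitlines():
        sid, method, path, status = line.split()
        if method == "POST" and path == KBA_PATH and status == "200":
            passed.add(sid)
        elif path == REPORT_PATH and status == "200" and sid not in passed:
            suspicious.append(sid)
    return suspicious


if __name__ == "__main__":
    s = Session(identity_submitted=True)
    print("vulnerable:", handle_vulnerable(s, REPORT_PATH).status)  # 200
    print("hardened:", handle_hardened(s, REPORT_PATH).status)      # 302
    answer_kba(s, True)
    print("after KBA:", handle_hardened(s, REPORT_PATH).status)     # 200
    print("bypass sessions:", find_kba_bypasses(SAMPLE_LOG))        # ['s2']
```

The design point is that the step-completion flag lives only in server-side session state and is written by exactly one code path, so the order of pages a client chooses to visit has no bearing on what it is authorized to see; the log check gives an incident responder a way to scope how often the bypass was used once such a flag (or its equivalent in the access log) exists.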
The good news (if it can be seen as such) is that Experian’s reports are filled with inaccuracies. In Krebs’s case, the report listed numerous phone numbers, only one of which had ever belonged to him, and that one some time in the past.
Experian remains quiet about the matter, but the problem seems to have been fixed in the meantime. We don’t know for how long the flaw was active on the site, or how many reports were fraudulently generated during that time.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.