Experian Security Flaw Exposes Accounts, Allows Unauthorized Access for Over a Year

112
Experian Security Flaw Exposes Accounts, Allows Unauthorized Access for Over a Year
(Image: pixabay.com / Mohamed_hassan)

The Dublin-based credit reporting agency Experian, operating in over 90 countries, reportedly still hasn’t addressed a longstanding security issue allowing attackers to take over user accounts after almost 1.5 years. This information comes from a report by security journalist Brian Krebs, who claims to have initially documented the problem in the summer of 2022.

“I know this because my Experian account was recently hacked, and I could only regain access by creating a new account,” explains Krebs in his post. The account breach became apparent when the journalist couldn’t log in while trying to request a copy of his credit report. He discovered that his user account was linked to a foreign email address.

Krebs suggests that existing accounts can be easily taken over by re-registering them with the same personal information as before but with a different email address. Using this method, the security expert regained access to his Experian account.

While the company requested a phone number for identity verification, Krebs claims that a foreign number could be entered without actual verification. Alternatively, this step could be entirely skipped.

“Experian then asks for your full name, address, date of birth, Social Security number, email address, and chosen password,” Krebs continues. Following this, there are multiple-choice security questions. In Krebs’ case, these seemed to be based on publicly available information easily discoverable through a Google search.

Notification emails are purely informative

After creating a PIN and answering predefined questions, he completed the account creation process. “You’re directed to the Experian dashboard, where you can view your complete credit report and freeze or unfreeze it,” says Krebs.

The journalist claims that Experian sends a message to the old email address previously associated with the account, but it only contains an informative notice about the profile changes. There is reportedly no security prompt to verify the alterations.

On Mastodon, Krebs received several indications that other users had similar experiences recently. “I feel silly saving my password for Experian; I might as well create a new account every time,” joked one of them.

READ MORE: Windows 11 Enhances File Compression, Introducing Support for Tar and 7z Formats

Previous articleWindows 11 Enhances File Compression, Introducing Support for Tar and 7z Formats
Next articleBMW’s Sustainable Cobalt Supplier Accused of Environmental Pollution and Health Risks in Morocco
Michael Lynch
With a passion for cybersecurity, Michael Lynch covers data protection and online privacy, providing expert guidance and updates on digital security matters.