A security flaw on Experian's website allowed identity thieves to bypass the site's identity-verification questions and pull anyone's credit report using only the victim's name, address, date of birth and Social Security Number, at least until the end of 2022.
The issue was discovered by Ukrainian security researcher Jenya Kushnir, who found the method being shared on Telegram channels where criminals cash in on stolen identity profiles. Kushnir brought it to the attention of KrebsOnSecurity in December, explaining that thieves could bypass the questions by editing the website's URL at a specific point in Experian's identity verification process.
According to Kushnir, changing the URL from /acr/oow to /acr/report on the identity verification page skipped the security questions and showed the report immediately. In other words, once a visitor had entered the personal details, the server handed out the report on request without checking that the verification step had actually been completed.
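The class of bug described here is a multi-step flow whose final page trusts that the browser arrived in order, instead of checking server-side state. The following is a constructed illustration of that pattern and its fix, added to this article; it is not Experian's code. Only the two paths quoted above are taken from the report; the session fields, the question set, the handler layout and the document-upload alternative are assumptions made for the example.

```python
"""Constructed illustration of a step-skipping (forced browsing) bug in a
multi-step identity-verification flow, beside a hardened version.  Not
Experian's code: the route names reuse the paths quoted in the article, and
everything else (session fields, questions, handler structure) is assumed."""
from dataclasses import dataclass

# Constructed out-of-wallet (OOW) questions and their expected answers.
OOW_ANSWERS = {"q1_prior_street": "elm", "q2_auto_lender": "acme"}

REPORT = "CREDIT REPORT (constructed placeholder)"


@dataclass
class Session:
    """Server-side state for one visitor, keyed by their session cookie."""
    pii_submitted: bool = False  # name/address/DOB/SSN entered on the first page
    verified: bool = False       # set only after OOW (or document) verification passes


def grade_oow(answers):
    """Return True only if every question was answered correctly."""
    return all(answers.get(k, "").strip().lower() == v for k, v in OOW_ANSWERS.items())


def vulnerable_handle(path, session, answers=None):
    """Vulnerable flow: /acr/report assumes the browser came through /acr/oow."""
    if path == "/acr/start":
        session.pii_submitted = True
        return "redirect:/acr/oow"
    if path == "/acr/oow":
        if not session.pii_submitted:
            return "redirect:/acr/start"
        if answers is not None and grade_oow(answers):
            session.verified = True
            return "redirect:/acr/report"
        return "page:oow_questions"
    if path == "/acr/report":
        if not session.pii_submitted:
            return "redirect:/acr/start"
        return REPORT  # BUG: session.verified is never consulted
    return "404"


def hardened_handle(path, session, answers=None):
    """Same flow, but the report handler enforces the verification state itself."""
    if path == "/acr/report":
        if not session.pii_submitted:
            return "redirect:/acr/start"
        if not session.verified:
            # Client skipped verification (edited URL, bookmark, replayed request).
            return "redirect:/acr/oow"
        return REPORT
    # Every other route behaves exactly as in the vulnerable version.
    return vulnerable_handle(path, session, answers)


def attempt_bypass(handler):
    """Submit PII, then jump straight to /acr/report without answering anything.
    Returns True if the report was served."""
    s = Session()
    handler("/acr/start", s)
    return handler("/acr/report", s) == REPORT


def legitimate_flow(handler, answers):
    """Submit PII, submit OOW answers, then request the report."""
    s = Session()
    handler("/acr/start", s)
    handler("/acr/oow", s, answers=answers)
    return handler("/acr/report", s) == REPORT


if __name__ == "__main__":
    good = {"q1_prior_street": "Elm", "q2_auto_lender": "ACME"}
    print("vulnerable, skip OOW:", attempt_bypass(vulnerable_handle))        # True
    print("hardened,   skip OOW:", attempt_bypass(hardened_handle))          # False
    print("hardened, legit flow:", legitimate_flow(hardened_handle, good))   # True
```

The fix is not to hide the report URL or to check the Referer header, both of which a client controls, but to make the report handler itself require a server-side flag that only the verification step can set, as `hardened_handle` does. Swapping the questions for a document-upload step changes nothing unless that step sets the same flag. On the monitoring side, requests for the report page from sessions that never passed verification are exactly the signal a defender would alert on.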
When KrebsOnSecurity tested it, the site still had the bug. By then Experian was showing a document-upload verification page rather than security questions, but editing the URL skipped that step just the same. Krebs also found multiple errors in his own Experian credit report, including a phone number he hadn't owned "for ages".
Krebs then asked another source to check whether the bypass worked for her. Her report was also accessible by changing the URL, and it too was full of errors.
The findings were shared with Experian on December 23, and the company's PR team acknowledged them on December 27. By then the bypass had been fixed, but the company has ignored requests for comment or clarification. It also remains unclear exactly how long Experian's website was vulnerable.