A security flaw on Experian’s website allowed identity thieves to bypass security questions on the site and access anyone’s credit report using their name, address, birthday and Social Security Number, at least until the end of 2022.Â
The issue was discovered by a Ukrainian security researcher Jenya Kushnir who found the method being exploited on Telegram channels to cash in on these stolen profiles. Kushnir brought this to the attention of KrebsOnSecurity in December, stating that thieves can bypass these questions by editing the website’s URL at a specific point in Experian’s identity verification process.Â
According to Kushnir, changing the URL from /acr/oow to /acr/report on the identity verification page would skip the security questions and show the report immediately.Â

As tested by KrebsOnSecurity, the site still had the bug. However, it showed a document verification page instead of showing security questions. The exploit still worked as it should. Not to mention the multiple errors Krebs found in his Experian credit report, including a phone number that he hadn’t owned “for ages”.Â
Following this, Krebs also asked another source to confirm whether or not the exploit was working. Her report was also accessible by changing the URL and was full of errors as well.
The findings were shared with Experian on December 23, and the company’s PR team acknowledged it on December 27. The exploit had been fixed by then, but the company has ignored any requests for comment or clarification. It also remains unclear exactly for how long Experian’s website has been vulnerable to this exploit.Â
In the News:Â ChatGPT clone app hits the top paid app charts on iOS
My name is Jenya Kushnir I am the one who found this bug.
I have tried to contact Experian myself to let them know they have a big problem but like always got bs run around and no clear response, after that I tried to find a bug bounty program to see if I can submit a report but found out later that they don’t do this kind of programs, it’s really bad as I think it who’d helped a lot.
I think that companies like Experian, TransUnion, and Equifax should think about investing some of the money they make from reselling data from a Billion dollar market into their security a little bit more, and invest in bug bounty programs that way it will help avoid this kind of problems.
So what I did next was contact Brian at krebsonsecurity and told him what I have found.