Credit reports on data analytics and consumer credit reporting company Experian could be viewed without answering the security questions asked to access the website. Jenya Kushnir, a security researcher from Ukraine, informed journalist Brian Krebs about the glitch in the American Irish company, who later alerted them after investigating the glitch.
KrebsOnSecurity published a report highlighting how the author was able to skip the security step and access his credit report just by tweaking the website URL.
According to the report, the specific glitch has been patched. However, it is unclear what data has been exposed and accessed by cybercriminals so far.
Victims of the breach have been offered free credit monitoring services in one of the three main companies that, include Equifax and TransUnion, besides Experian.
Experian security flaw: How was it discovered?
Jenya Kushnir discovered identity thieves using the method through Telegram chat channels. These chats were about selling and buying user data leaked after cyberattacks, likely on various companies.
Through the chats, Kushnir found that the cybercriminals had learned a way to bypass the security wall of the credit reporting company and gain access to the credit reports of others.
In an email to KrebsOnSecurity Kushnir wrote, “If somehow I can make small change and help to improve this, inside myself I can feel that I did something that actually matters and helped others.”
Following this, Krebs investigated it further to find that by slightly changing the last bit of the website URL from /acr/OcwError to /acr/report, the credit report can be accessed.
Krebs followed the instructions given by the researcher, which at that time didn’t allow the security bypass to allow viewing of the credit report on Experian. However, eventually, it did just by changing the last part of the URL of Experian without answering the security questions.
After confirming the flaw, Krebs informed the company on December 23, 2022 and received a response from Experian on December 27 acknowledging the receipt of the email and nothing thereafter. This was likely when they patched the flaw in the systems because it didn’t work thereafter.
The issue was detailed by Krebs to Senator Ron Wyden (D-Ore), who expressed his concern by saying, “The credit bureaus are poorly regulated, act as if they are above the law and have thumbed their noses at Congressional oversight.”
Senator Wyden was referring to another cyber incident in July 2022 for which his office made several briefing requests to Experian about cybersecurity lapses.
The Credit Report
The credit report accessed by Krebs was full of errors, as was the report accessed by his friend, who followed the same procedure to bypass security on the website. The friend confirmed that the URL could be altered to access the data of users.
All it needed was the user’s name, address, birthday and social security number. Following this, the report was open for viewing. No questions about the user’s financial history were asked to access the credit report on Experian.
Experian offers its services to over 1 billion customers, which increase after victims of cybercrime are directed to it for free credit monitoring. After being victimized of security incidents, consumers of attacked companies are directed to Experian and similar companies to monitor their credit.
