Experian's website exposed to world-plus-dog the PINs needed to unlock frozen accounts, allowing crooks to potentially apply for loans and credit cards as their victims.
The credit-monitoring agency lets people freeze their account using a PIN that has to be submitted when applying for things like loans: it's a mechanism that's supposed to stop fraudsters from exploiting stolen personal information, such as names and social security numbers, to obtain credit using someone else's identity.
However, according to financial advice site Nerdwallet this month, the credit monitoring agency had a glitch in its online account recovery process that, when exploited, could leak a stranger's recovery PIN. A miscreant could then use that number to reverse an account freeze and free up funds for plundering.
The (since fixed) bug would allow anyone who knew a person's name, address, social security number, and date of birth to have a PIN code sent to an email address of the attacker's choosing. Recovery questions designed to prevent account theft could be circumvented by setting all answers to "none of the above."
"The form required an email address, which didn’t necessarily have to be the one associated with the person’s Experian account," Nerdwallet explained.
"Answering 'none of the above' to the security questions — even if some of the proffered answers were correct — gave access to that person’s PIN."
Armed with that PIN, the attacker would then be able to break the credit freeze and apply to open new accounts in the victim's name. This is particularly bad in the case of Experian, as one of the main reasons for setting up a credit freeze is to mitigate the leak of precisely the private information – social security number, and date of birth – used to retrieve the PIN.
In other words, if your personal info was leaked online by another site or service, and you set up a credit freeze to stop it being exploited, that same publicly available data could have been used to undo the freeze anyway.
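To make the two weaknesses concrete from a defender's side, here is an added toy model of such a recovery check (not Experian's or Nerdwallet's code); the account, questions and addresses are constructed, and the weak function mirrors the behaviour described above next to a hardened version.

```python
# Added example, not code from Experian or Nerdwallet. Models the recovery
# flow described in the article: weak logic lets "none of the above" pass
# and mails the PIN anywhere; the fix checks real answers and the address
# on file. All data below is constructed for illustration.

NONE = "none of the above"

# Constructed sample account: recovery email on file and true answers.
ACCOUNT = {
    "email": "owner@example.com",
    "answers": {
        "Which street have you lived on?": "Elm St",
        "Which lender holds your auto loan?": "Acme Bank",
    },
}

# Each question offers a few choices plus "none of the above".
OPTIONS = {
    "Which street have you lived on?": ["Oak Ave", "Elm St", "Pine Rd", NONE],
    "Which lender holds your auto loan?": ["Acme Bank", "Zed Credit", NONE],
}


def weak_recovery(answers, send_to):
    """Flawed check: a pick only fails if it is a listed wrong option, so
    NONE never fails even when the true answer was on screen, and the PIN
    is mailed to whatever address the requester typed in."""
    for q, picked in answers.items():
        wrong = [o for o in OPTIONS[q] if o not in (ACCOUNT["answers"][q], NONE)]
        if picked in wrong:
            return None
    return send_to  # address the PIN would be mailed to


def hardened_recovery(answers, send_to):
    """Fix: every question must be answered with the truth (NONE is correct
    only when the true answer was genuinely absent from the options), and
    the PIN goes only to the address already on file."""
    for q in OPTIONS:
        truth = ACCOUNT["answers"][q]
        expected = truth if truth in OPTIONS[q] else NONE
        if answers.get(q) != expected:
            return None
    if send_to.strip().lower() != ACCOUNT["email"]:
        return None
    return ACCOUNT["email"]
```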
Experian said its customers were never in any danger of having their personal information stolen via the PIN hack. Below is the company's statement to The Register in full today:
There is not and never was a risk to consumer credit data, personal information or the security of our systems. A credit freeze PIN does not enable access to a credit file or consumer PII. Experian deploys multiple layers of security, many of those not visible to consumers. While we are confident that our authentication is secure, we have taken additional steps to make the process even more secure. We continue to regularly monitor our systems, taking immediate action when warranted to strengthen data security.
Though there is no indication that the flaw was ever actively abused, the findings will no doubt cause discomfort for the millions of people who have had to freeze their credit in recent years due to data breaches, including one at Experian in 2015 that involved the records of 15 million T-Mobile US customers. ®