In the summer of 2022, KrebsOnSecurity documented the plight of many readers who had their accounts with Experian, one of the big-three consumer credit reporting bureaus, hijacked after thieves re-registered the accounts using a different email address. Sixteen months later, it is clear that Experian has not addressed this gaping lack of security. I know that because my Experian account was recently hacked, and the only way I can get access is to recreate the account.
I recently ordered a copy of my credit file from Experian through annualcreditreport.com, but as usual Experian refused to provide it, saying they could not verify my identity. Attempts to log into my account directly at Experian.com also failed; the site said it didn’t recognize my username and/or password.
A request for my Experian account username required my full Social Security number and date of birth, after which the website displayed portions of an email address that I never authorized and did not recognize (the full address was redacted by Experian).
I immediately suspected that Experian is still allowing anyone to recreate a credit file account using the same personal information but a different email address, a major authentication failure that was explored in last year's story, Experian, You Have Some Explaining to Do. So once again I set about re-registering as myself with Experian.
The homepage said I needed to provide a Social Security number and mobile phone number, and that I would soon receive a link I should click to verify myself. The site claims that the phone number you provide will be used to help validate your identity. But it appears that you can supply any phone number in the United States at this stage of the process, and the Experian website will not object. Regardless, users can simply skip this step by selecting the "Continue another way" option.
Experian then asks for your full name, address, date of birth, Social Security number, email address and chosen password. After that, it requires you to correctly answer between three and five multiple-choice security questions whose answers are often based on public records. When I recreated my account this week, only two of the five questions related to my real information, and two of those questions were about street addresses where we used to live, information that was just a Google search away.
Assuming you can navigate the multiple-choice questions, you are prompted to create a 4-digit PIN and to answer one of several pre-selected challenge questions. After that, your new account is created and you are directed to the Experian dashboard, which allows you to view your entire credit file and to freeze or unfreeze it.
At this point, Experian will send a message to the old email address associated with the account, saying that some aspects of the user's profile have changed. But this message isn't a request seeking verification: It's just a notification from Experian that the user's account data has changed, and the original user is offered zero recourse here except to click a link to log in to Experian.com.
And of course, a user who receives one of these notifications will find that their Experian account credentials no longer work. Neither will their PIN or account recovery question, because those have been changed as well. Your only option at this point is to recreate your Experian account and steal it back from the ID thieves!
Conversely, if you try to change an existing account with either of the other two major consumer credit reporting bureaus — Equifax or TransUnion — they will ask you to enter a code sent to the email address or phone number on file before any changes can be made.
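The difference between the two flows described above, modelled as an added example (not Experian's, Equifax's or TransUnion's code): a hypothetical account registry where a second registration under an already-known identity either silently rebinds the account's contact details (the weak behaviour) or parks the change until a code delivered to the contact details already on file is confirmed (the hardened behaviour). Identity keys, addresses and the outbox are constructed stand-ins.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    identity_key: str            # stand-in for the identity-proofing match (e.g. SSN + DOB)
    email: str
    phone: str
    pending: dict = field(default_factory=dict)   # confirmation code -> proposed (email, phone)


class Registry:
    """Hypothetical account store for this example; not any bureau's real code."""

    def __init__(self, verify_existing_contact: bool):
        self.verify_existing_contact = verify_existing_contact
        self.accounts: dict[str, Account] = {}
        self.outbox: list[tuple[str, str]] = []   # (destination, message) a real system would send

    def register(self, identity_key: str, email: str, phone: str) -> str:
        acct = self.accounts.get(identity_key)
        if acct is None:
            self.accounts[identity_key] = Account(identity_key, email, phone)
            return "created"
        if not self.verify_existing_contact:
            # Weak flow: an identity match alone rebinds the account to the new contact
            # details; the previous address only gets an after-the-fact notice.
            old_email = acct.email
            acct.email, acct.phone = email, phone
            self.outbox.append((old_email, "Notice: your profile details were updated"))
            return "rebound"
        # Hardened flow: keep the account as-is and challenge the contact already on file.
        code = secrets.token_urlsafe(8)
        acct.pending[code] = (email, phone)
        self.outbox.append((acct.email, f"Enter code {code} to approve a contact change"))
        self.outbox.append((acct.phone, f"Enter code {code} to approve a contact change"))
        return "pending"

    def confirm(self, identity_key: str, code: str) -> bool:
        """Apply a parked contact change only if the holder of the old contact presents the code."""
        acct = self.accounts[identity_key]
        change = acct.pending.pop(code, None)
        if change is None:
            return False
        acct.email, acct.phone = change
        return True
```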
Reached for comment, Experian declined to share the full email address that was added without my permission to my credit file.
“To ensure the protection of consumers’ identities and information, we implement a multi-layered security approach, which includes passive and active measures, and is constantly evolving,” Experian spokesperson Scott Anderson said in an emailed statement. “This includes knowledge-based questions and answers, and device ownership and ownership verification processes.”
Anderson said all consumers have the option to activate a multi-factor authentication method that is requested every time they log into their account. But what good is multi-factor authentication if someone can recreate your account with a new phone number and email address?
Several readers who saw my rant about Experian on Mastodon earlier this week responded to a request to validate my findings. The Mastodon user @Jackerbee is a reader from Michigan who works in the biotechnology industry. @Jackerbee said when Experian prompted for his phone number and the last four digits of his SSN, he selected the option to “enter my information manually.”
“I put in my second phone number and a new email address,” he explained. “I received an email in the inbox of my original account saying they updated my information after I ‘signed up.’ No verification is required from the original email address at any point. I also did not receive any text alerts on the original phone number. The really interesting and scary part is that when I sign in, it’s 2FA with a new phone number.”
The Mastodon user @PeteMayo said they recreated their Experian account twice this week, the second time by providing a random landline number.
“The only difference: it asked me FIVE questions about my personal history (last time it only asked three) before declaring, ‘Welcome back, Pete!,’ and giving full access,” @PeteMayo wrote. “I feel silly saving my password for Experian; I can also just create a new account each time.”
I’m lucky because whoever hijacked my account didn’t thaw my credit freeze either. Or if they did, they politely froze it again when they were done. But I fully expect my Experian account to be hijacked again unless Experian makes significant changes to its authentication process.
It boggles the mind that these basic authentication weaknesses have been allowed to persist for so long at Experian, which has a terrible track record in this regard.
In December 2022, KrebsOnSecurity alerted Experian that identity thieves had developed a simple way to bypass its security and access any consumer's full credit report, armed with nothing but the person's name, address, date of birth, and Social Security number. Experian fixed the glitch, and admitted it had been going on for about seven weeks, between Nov. 9, 2022 and Dec. 26, 2022.
In April 2021, KrebsOnSecurity revealed how identity thieves were exploiting lax authentication on Experian’s PIN capture page to unfreeze consumers’ credit files. In those cases, Experian failed to send any notification by email when a freeze PIN was obtained, nor did it require the PIN to be sent to an email address already linked to the consumer’s account.
A few days after the April 2021 story, KrebsOnSecurity broke the news that an Experian API had exposed the credit scores of most Americans.
More top hits from Experian:
2022: Class Action Targets Experian Over Account Security
2017: Experian Site Can Give Anyone Your Credit Freeze PIN
2015: Experian Breach Affects 15 Million Customers
2015: Experian Breach Tied to NY-NJ ID Theft Ring
2015: At Experian, Security Attrition Amid Acquisitions
2015: Experian Hits Class Action Over ID Theft Service
2014: Experian Lapse Allowed ID Theft Service Access to 200 Million Consumer Records
2013: Experian Sells Consumer Data to ID Theft Service