Skip to main content

A Boston news station recently interviewed a local man who had his Experian account hijacked after he'd frozen his credit with the big three consumer reporting bureaus. It's unbelievable that Experian still hasn't done jack about this problem that I've written about ad nauseum for years now. (try to ignore the many typos and grammar errors in this story).

https://www.boston25news.com/news/local/25-investigates-sutton-man-turned-credit-bureau-credit-protection-it-led-identity-theft/4LQOGEXFTBE5DJUIROK23E32IU/

Experian's system will allow anyone to assume control over your credit file and freeze merely by re-registering as you using your name, SSN, DoB but a different email address than the one on file. Experian has no problem approving that request, and instead of seeking approval from the existing email address and or phone number, they just say okay. Thieves can then unlock your credit, pull your file, apply for credit, etc. But they will send an automated email to the legitimate account holder's email, saying the account's email address has been changed. No "this wasn't me" option, no asking for approval. Nope. They just say hi we changed your email. Have a nice day!

Experian's response to the Boston news outlet is particularly infuriating, because they're basically saying the system operated as designed. Nevermind that the system is batshit crazy from a security in 2025 perspective.

"A spokesperson told us their protocols worked since Deyoe got that notification when his account was changed. In a written statement Experian said “Protecting consumers’ identities is among our highest priorities. We believe this is an incident of fraud using stolen consumer information.”

Past coverage of this:

https://krebsonsecurity.com/2022/07/experian-you-have-some-explaining-to-do/

https://krebsonsecurity.com/2023/11/its-still-easy-for-anyone-to-become-you-at-experian/


Experian, You Have Some Explaining to Do

Twice in the past month KrebsOnSecurity has heard from readers who've had their accounts at big-three credit bureau Experian hacked and updated with a new email address that wasn't theirs. In both cases the readers used password managers to select…
krebsonsecurity.com
This entry was edited (2 months ago)
in reply to BrianKrebs

Nick Danger
Nick Danger
"they're basically saying the system operated as designed" is such a bunch of weasel words.
in reply to BrianKrebs

Chewie
Chewie
Just in case you are not part of the "land of the free", I requested it to be archived here: https://web.archive.org/web/20250205184331/https://www.boston25news.com/news/local/25-investigates-sutton-man-turned-credit-bureau-credit-protection-it-led-identity-theft/4LQOGEXFTBE5DJUIROK23E32IU/

25 Investigates: Sutton man turned to credit bureau for credit protection, it led to identity theft

A Sutton man called 25 Investigates saying he took the right steps after learning he was a victim of identity fraud. But he says doing the right thing made led to an even bigger headache.
Kerry Kavanaugh (Boston 25 News)
in reply to BrianKrebs

Fi 🏳️‍⚧️
Fi 🏳️‍⚧️

Given how all that information - name, DOB, SSN, etc. - is now presumed "in the wild" due to the massive ongoing breach of federal systems,

I would dearly like to see a class action suit start against Experian for those of us who are suffering the consequences of their negligence in system design and non-conformance with extant industry standards for IAM.

in reply to BrianKrebs

Rupert
Rupert
I get HTTP 451 - Unavailable for legal reasons.
in reply to BrianKrebs

Jim Luther
Jim Luther
there are zero comments on that story at boston25nrws site. Maybe you should comment with your past coverage?
in reply to BrianKrebs

BrianKrebs
BrianKrebs
What's even more crazy is when you call Experian (assuming you somehow manage to get someone on the phone) and tell them someone hijacked your account, they will walk you through how to do what the thieves did you, so that you can regain access to your account. You know what their response is to people who have this happen to them multiple times? Naturally, they push you to paying them for more security, for basic stuff that should be available to everyone.
in reply to BrianKrebs

Dan Hugo (แดน)
Dan Hugo (แดน)

It´s the 21st century (in some places), why are we (in the US anyway) tied to the ol´ SSN, never intended for any of this, which cannot (per policy) be changed 99.9% of the time?

Report your credit card compromised/lost/stolen and you have a new one in a week.

Though, I suppose now we can just tweet Elon and have his interns make those changes…

in reply to BrianKrebs

Jeff Atwood
Jeff Atwood
this is why I've been low-key red teaming myself from birth. It's a mindset: https://blog.codinghorror.com/designing-for-evil/

Designing For Evil

Have you ever used Craigslist [http://en.wikipedia.org/wiki/Craigslist]? It's an almost entirely free, mostly anonymous classified advertising [http://en.wikipedia.
Jeff Atwood (Coding Horror)
in reply to BrianKrebs

Zippoman924
Zippoman924
That's crazy, I don't understand how anyone over there can look at this and think that it's okay. It simultaneously does and doesn't shock me at all.
in reply to BrianKrebs

Mathaetaes
Mathaetaes
Not that I'm advocating committing computer crimes against political officials, but if someone happened to get the info of a handful of senators and took over their Experian accounts, I'm sure it would force some movement.
in reply to BrianKrebs

Jeff Atwood
Jeff Atwood
"Thieves can then unlock your credit, pull your file, apply for credit, etc. But they will send an automated email to the legitimate account holder's email, saying the account's email address has been changed. No "this wasn't me" option, no asking for approval. Nope. They just say hi we changed your email. Have a nice day!" The answer is snail mail. I've had this happen to me, and that's how I know. The banks will send you physical mail that you have to receive and acknowledge before they will proceed. It is a form of two-factor (twenty factor?) auth
in reply to BrianKrebs

Phil Stevens :tinoflag:
Phil Stevens :tinoflag:
Experian is a poster child for bringing back the corporate death penalty. End them.
in reply to BrianKrebs

hallunke23 🇺🇦
hallunke23 🇺🇦
Link to Boston 25 is broken. I'm just getting a 451 error.
in reply to BrianKrebs

Petesmom
Petesmom
So, sounds like the business model is “if you dont want your information hijacked you need to pay us ransom in advance?”
#Experian
#CreditReport
#Ransomware ?
#ransomware #experian #creditreport
in reply to BrianKrebs

SpaceLifeForm
SpaceLifeForm

I notice that the preview is blocked for my instance.

Not that I need to go there anyway, because I know the story. The credit reporting agencies are all a scam to collect updated PII from people that get magically get awarded 2 free years of credit monitoring via some class action lawsuit you were not aware of in the first place.

If you get an offer for this free credit monitoring, throw it in the trash.

It is not free. They will sell your PII.

#infosec

#infosec
in reply to BrianKrebs

h4nd / UntouchedCupOfTea
h4nd / UntouchedCupOfTea
that's Amazing. I should totally do that 10 times a day to Brian Cassin
in reply to BrianKrebs

Axel Hartmann
Axel Hartmann
- interesting that a news outlet choses to restrict access to clients from within the US.
This entry was edited (2 months ago)
in reply to BrianKrebs

Louise Auerhahn 🏳️‍🌈
Louise Auerhahn 🏳️‍🌈
Experian is utterly incompetent. They refused for months to allow me to freeze my credit. I froze it with the other two credit bureaus, no problem. Experian's website just gave me an error message and a number to call. The number is entirely automated and the only message you can get to regarding issues with credit freezes directs you to... visit the website!
I filed a complaint against them with the CFPB last December, but with Elon Musk and his frat boys running amuk with our public dollars and data, that likely isn't going anywhere.
in reply to BrianKrebs

Cat West
Cat West
If the system is “working as designed” it is working to rob the client of their identity and their money.