Jul 18, 2022

Experian Fails on Security: Now Hackers Can Change Your Email Address

Recent complaints allege that credit bureau Experian’s weak website security has left some customers unable to access their accounts, which have allegedly been hijacked by hackers. The company denies that its negligence was the cause of these incidents, while victims say more could have been done to prevent it.

Credit is part of your financial power. It helps you get the things you need now, like a loan for a car or a credit card, based on your reliable promise to pay later. Maintaining a high credit score enables you to qualify for loans and other financial services when you need them.

Credit service providers such as big-three credit bureau Experian are designed in theory to assist customers with managing their credit scores and to monitor potential acts of fraud—not to be the actual means by which scammers commit fraud!

However, multiple Experian customers have publicly complained that the credit bureau’s lackluster security allows intruders to access their accounts, lock the true account owners out, and access their sensitive data and private information.

According to KrebsOnSecurity, numerous Experian users had their accounts hacked and updated with a new email address that wasn’t theirs. In specific noted cases, the account holders had used password managers to select strong, unique passwords for their Experian accounts. Research suggests identity thieves were able to hijack the accounts simply by signing up for new accounts at Experian using the victim’s personal information and a different email address.

These same users commented that Experian does not require a two-factor authentication process to sign in, meaning that if hackers can find a single way in, there will be no other roadblocks along the way to access users’ private and sensitive information. In these cases, scammers used people’s stolen information to make an account, and instead of Experian rejecting the application because that personal information is already attached to an existing account, Experian’s site allowed them to make changes to the account.

Once users discovered their account had been compromised, they soon found out they were unable to log in and check on the situation, as their login credentials had been changed. When they attempted to receive an email to change their login info, the “forgot my password” email was sent to a different account than theirs. 

To make matters worse, victims of the scam have reported being unable to get Experian to help and were instead forced to try numerous exhaustive methods to regain access to their hijacked accounts.

A Security Vulnerability Exclusive to Experian

Investigative research has provided evidence that this security issue is only a concern with Experian. When the exact same method, an attempt to take over someone else’s account by using their personal information, was tried on the sites of Experian’s competitors, such as Equifax or TransUnion, those websites denied every attempt, stating that the information provided was already attached to an existing account.
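The difference between the two behaviors described above can be shown in a few lines of Python. This is an added example, not Experian's code and not part of the original reporting; the `AccountStore` class, the `identity_key` helper, the demo key and the choice to key accounts on SSN plus date of birth are all assumptions made for illustration.

```python
import hashlib
import hmac

DEMO_KEY = b"constructed-demo-key"  # assumption: stands in for a server-side secret


def identity_key(ssn, dob):
    """Keyed hash of the normalised identifiers, so one person maps to one key."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    msg = f"{digits}|{dob.strip()}".encode()
    return hmac.new(DEMO_KEY, msg, hashlib.sha256).hexdigest()


class AccountStore:
    def __init__(self):
        self.accounts = {}  # identity key -> {"email": ...}
        self.outbox = []    # (recipient, message) pairs standing in for sent mail

    def register_overwriting(self, ssn, dob, email):
        """Flawed flow: a second sign-up with the same personal data
        silently replaces the email address on file."""
        self.accounts[identity_key(ssn, dob)] = {"email": email}
        return "created"

    def register_hardened(self, ssn, dob, email):
        """Reject a sign-up for an identity that already has an account and
        alert the address already on file, never the newly supplied one."""
        key = identity_key(ssn, dob)
        existing = self.accounts.get(key)
        if existing is not None:
            self.outbox.append((existing["email"], "Blocked sign-up attempt"))
            return "rejected: identity already has an account"
        self.accounts[key] = {"email": email}
        return "created"

    def reset_recipient(self, ssn, dob):
        """Address a 'forgot my password' email would be sent to."""
        return self.accounts[identity_key(ssn, dob)]["email"]


def demo(method_name):
    """Run owner sign-up, then a second sign-up with the same (constructed) data."""
    store = AccountStore()
    register = getattr(store, method_name)
    register("000-00-0000", "1980-01-01", "owner@example.com")
    second = register("000 00 0000", "1980-01-01", "other@example.net")
    return second, store.reset_recipient("000-00-0000", "1980-01-01"), store.outbox


if __name__ == "__main__":
    for name in ("register_overwriting", "register_hardened"):
        print(name, demo(name))
```

With the overwriting flow, the password-reset address ends up being the second registrant's; with the hardened flow it stays with the original owner, who also receives the alert.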

What Does Experian Have to Say About Their Security Issues?

In a written statement, Experian suggested that what happened to some users was not a normal occurrence and that its security and identity verification practices extend beyond what is visible to the user.

“We believe these are isolated incidents of fraud using stolen consumer information,” Experian’s statement reads. “Once an Experian account is created, if someone attempts to create a second Experian account, our systems will notify the original email on file.”

“We go beyond reliance on personally identifiable information (PII) or a consumer’s ability to answer knowledge-based authentication questions to access our systems,” the statement continues. “We do not disclose additional processes for obvious security reasons; however, our data and analytical capabilities verify identity elements across multiple data sources and are not visible to the consumer. This is designed to create a more positive experience for our consumers and to provide additional layers of protection. We take consumer privacy and security seriously, and we continually review our security processes to guard against constant and evolving threats posed by fraudsters.”

What to Do if You’re a Victim of an Experian Hack

Your credit and your identity are extremely important; that’s why you signed up for Experian’s services in the first place. The very service providers that you trusted to manage these sensitive matters are leaving the back door wide open for intruders and imposters.

If you or someone you know experienced a security breach with an Experian account, don’t hesitate to reach out to America’s largest law firm, Morgan & Morgan. Contact us today to receive a free, no-obligation case evaluation to learn more about your options and next steps. You don’t have to handle this problem alone—we’re here to help.