According to a researcher, almost every American’s credit score was leaked due to an API platform used by the Experian credit bureau that was left accessible on a lender’s website without even basic security safeguards. Experian, for its part, dismissed security experts’ fears that the problem could be structural.
The Experian Connect API is a platform that helps lenders to simplify FICO-score queries. According to a published article, Bill Demirkapi, a sophomore at Rochester Institute of Technology, was looking for student loans when he came across a lender who would verify his eligibility with only his name, address, and date of birth. Demirkapi was taken aback and wanted to look into the code, which revealed that the tool was driven by an Experian API, he said.
“No one should be able to perform an Experian credit check with only publicly available information,” Demirkapi told Krebs On Security, which was the first to break the story of the leak. “Experian should mandate non-public information for promotional inquiries, otherwise an attacker who found a single vulnerability in a vendor could easily abuse Experian’s system.”
Demirkapi said he was able to create a command-line tool called “Bill’s Cool Credit Score Lookup Utility” that allowed him to automate lookups even after entering all zeros in the fields for date of birth. Krebs said he was able to use the API link to get “risk factors” from Experian that clarified possible vulnerabilities in a person’s credit background, in addition to raw credit scores. He ran a credit check for his buddy “Bill,” who had “Too many consumer-finance company accounts,” according to his mid-700s credit score.
Demirkapi refused to reveal the identity of the lender or the website where the API was revealed to Experian. He declined because he believes there are hundreds, if not thousands, of firms using the same API, and that all of those lenders are leaking Experian’s customer data in the same way. “If we let them know about the specific endpoint, they can just ban/work with the loan vendor to block these requests on this one case, which doesn’t fix the systemic problem,” he explained.
“We have been able to confirm a single instance of where this situation has occurred and have taken steps to alert our partner and resolve the matter,” Experian said in a written statement. “While the situation did not implicate or compromise any of Experian’s systems, we take this matter very seriously. Data security has always been, and always will be, our highest priority.”
