Experian’s API was found to be exploitable through a partner’s website, allowing anyone with a consumer’s name and mailing address to look up that consumer’s credit score.
The firm has cut off the leaky endpoint, but other lender websites that integrate the same API could still be exposing the same data.
Experian has released a statement saying the problem has been addressed, which understates the scope: the flaw lies in an integration pattern, not in a single site.
Experian’s API was found to expose a flaw that let anyone look up the credit score of tens of millions of Americans using only a name and mailing address. The flaw has now been closed on the particular website where it was first exploited. Still, the researcher who discovered it, Bill Demirkapi, believes that similar data access points exist on several other websites that work with the credit bureau.
These sites offer loan services, so they feature an eligibility check that lets a visitor find out whether they would qualify. All of them are connected to Experian, one of the three major consumer credit reporting agencies in the United States. In several cases, the eligibility check is a thin front end over the bureau’s API: it accepts whatever name and address the caller supplies, performs no authentication of the caller, and relays the bureau’s answer back to the browser. Anyone holding publicly available information about a person can therefore draw sensitive data about that person from the bureau.
The researcher even built a credit score lookup tool that automates the query, for demonstration purposes rather than for bulk scraping. Brian Krebs, who received reports about the issue, tested the flaw himself and confirmed that the Experian API returned a credit score along with “risk factors” and other credit-related indicators for any consumer. To be clear, the problem is not confined to one site: the same Experian API is embedded in many partner websites, so every partner that wraps it in the same unauthenticated way exposes the same data.
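The integration failure described above, reduced to its essentials as an added example (this is not code from the article, from Experian, or from the researcher, and the bureau client, sample records, session store and 650 cut-off are all constructed assumptions): a lender-side eligibility endpoint that forwards caller-supplied name and address to the bureau and returns the raw record to an anonymous caller, beside a hardened version that binds the lookup to an authenticated, identity-verified session, rate-limits it, and returns only the decision.

```python
"""Leaky vs. hardened 'eligibility check' endpoint (added example, constructed data)."""
import time
from collections import defaultdict, deque
from typing import Optional

# Constructed sample bureau records; in reality these sit behind the bureau's API.
_BUREAU_STUB = {
    ("jane doe", "1 main st, springfield"): {"score": 742, "risk_factors": ["Too many recent inquiries"]},
    ("john roe", "2 oak ave, shelbyville"): {"score": 598, "risk_factors": ["High utilization", "Short history"]},
}


def bureau_lookup(name: str, address: str) -> Optional[dict]:
    """Stand-in for the bureau call: like the real API, it answers with the full
    score and risk factors for whatever name/address it is handed."""
    return _BUREAU_STUB.get((name.strip().lower(), address.strip().lower()))


# --- Leaky pattern: no caller identity, caller-chosen subject, raw record returned ---
def leaky_eligibility(request: dict) -> dict:
    record = bureau_lookup(request["name"], request["address"])
    if record is None:
        return {"status": 404}
    # Score and risk factors go straight back to anyone who knows a name and address.
    return {"status": 200, "body": record}


# --- Hardened pattern -------------------------------------------------------------
class RateLimiter:
    """Sliding-window limiter: at most `limit` calls per key within `window_s` seconds."""

    def __init__(self, limit: int, window_s: float):
        self.limit, self.window_s = limit, window_s
        self._hits = defaultdict(deque)

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        q = self._hits[key]
        while q and now - q[0] >= self.window_s:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


# Constructed session store: a session is only usable once the consumer's identity
# has been verified out of band (login plus identity proofing, assumed here).
SESSIONS = {
    "sess-abc": {"consumer": ("jane doe", "1 main st, springfield"), "verified": True},
    "sess-unv": {"consumer": ("john roe", "2 oak ave, shelbyville"), "verified": False},
}
MIN_SCORE = 650  # assumed lender cut-off


def hardened_eligibility(request: dict, limiter: RateLimiter, now: Optional[float] = None) -> dict:
    session_id = request.get("session")
    session = SESSIONS.get(session_id)
    if session is None or not session["verified"]:
        return {"status": 401}
    if not limiter.allow(session_id, now):
        return {"status": 429}
    # The subject of the lookup is the authenticated consumer, never caller-supplied fields.
    name, address = session["consumer"]
    record = bureau_lookup(name, address)
    eligible = record is not None and record["score"] >= MIN_SCORE
    # Data minimisation: the browser learns the decision, not the score or risk factors.
    return {"status": 200, "body": {"eligible": eligible}}


if __name__ == "__main__":
    print(leaky_eligibility({"name": "Jane Doe", "address": "1 Main St, Springfield"}))
    print(hardened_eligibility({"session": "sess-abc"}, RateLimiter(5, 60.0)))
```

The two handlers call the same bureau stub; the difference is entirely in who may ask, about whom, how often, and how much of the answer is passed through. When auditing a partner integration of a bureau API, those four questions are the ones to ask of each endpoint.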
Experian immediately launched an internal investigation, identified the lender whose site was exposing the credit scores, and disabled that site’s API access. However, this dealt with a single endpoint, so every other partner implementation with the same integration pattern remains leaky. Experian issued the following statement after remediating that one instance; it addresses the individual case rather than the pattern:
We have been able to confirm a single instance of where this situation has occurred and have taken steps to alert our partner and resolve the matter. While the situation did not implicate or compromise any of Experian’s systems, we take this matter very seriously. Data security has always been, and always will be, our highest priority.
Experian is a consumer data aggregation and reporting giant, holding information on over a billion people and businesses. The firm appears regularly in data breach news because it is a standard choice for credit monitoring and credit freezes, the tools exposed individuals use to protect themselves from identity theft and bank fraud. In this case, the exposure originated with the firm whose products consumers rely on for that protection, by way of its partners’ integrations with its API.