
The flaw has exposed the credit scores of almost every US citizen

Experian, the major credit reporting company, has suffered a new data breach that exposed the credit scores of almost every person in the U.S. The source of the breach was an unprotected application programming interface (API).

Security researcher Bill Demirkapi discovered and publicized the breach on April 28. He said it involved a tool called the Experian Connect API, a software interface that allows lenders to automate FICO-score queries. Demirkapi, who is currently a sophomore at the Rochester Institute of Technology, said he discovered the data exposure while shopping around for student loan vendors online. On one website, he found that the code allowed him to invoke the Experian API and pull up any person’s credit score.

The leaky API reveals more than just credit scores

“No one should be able to perform an Experian credit check with only publicly available information,” Demirkapi said. “Experian should mandate non-public information for promotional inquiries, otherwise an attacker who found a single vulnerability in a vendor could easily abuse Experian’s system.”

Demirkapi found he could access the Experian API directly without any sort of authentication, and that entering all zeros in the “date of birth” field then let him pull a person’s credit score. He even built a handy command-line tool to automate the lookups, which he dubbed “Bill’s Cool Credit Score Lookup Utility.”
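The two weaknesses described above (no caller authentication, and a placeholder date of birth that a naive check accepted) are the kind a lookup endpoint should reject before touching any consumer record. The following is an added illustration, not Experian's or Demirkapi's code; the vendor-key header, the field names and the sample key are assumptions for the example.

```python
import re
from datetime import date

# Constructed sample of an accepted vendor credential. A real service would
# check a secrets store or an OAuth token; the header scheme here is assumed.
KNOWN_VENDOR_KEYS = {"vendor-key-EXAMPLE-1"}

DOB_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")


def parse_dob(text):
    """Return a real calendar date, or None if the value is not one.

    An all-zeros value such as "0000-00-00" passes a "field is present" or
    "looks like digits" check, but date() refuses it, so the lookup stops here
    instead of treating the placeholder as a match.
    """
    m = DOB_RE.match(text or "")
    if not m:
        return None
    year, month, day = (int(g) for g in m.groups())
    try:
        dob = date(year, month, day)
    except ValueError:  # year 0, month 0, day 0, Feb 30, etc.
        return None
    today = date.today()
    # Reject future dates and implausible ages (120-year ceiling is an assumption).
    if dob > today or today.year - dob.year > 120:
        return None
    return dob


def validate_lookup(headers, body):
    """Return (ok, reason) for a credit-score lookup request.

    Authentication is checked first, so an unauthenticated caller learns
    nothing about which consumer fields were acceptable.
    """
    if headers.get("X-Vendor-Key") not in KNOWN_VENDOR_KEYS:
        return False, "unauthenticated"
    for field in ("first_name", "last_name", "address"):
        if not body.get(field):
            return False, f"missing {field}"
    if parse_dob(body.get("dob")) is None:
        return False, "invalid dob"
    return True, "ok"
```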

In addition to credit scores, the Experian API returns for each consumer up to four “risk factors,” indicators that might help explain why a person’s score is not higher.

Experian has since shut down unauthorized access to the API. However, the concern is that malefactors could penetrate other APIs that the company is using. Whether others had already accessed the Connect API in the same way Demirkapi did is unknown.

Experian last suffered a data breach with the theft of data belonging to 15 million Americans in October 2015.