A researcher is claiming that the credit scores of almost every American were exposed through an API tool used by the Experian credit bureau, that he said was left open on a lender site without even basic security protections.
Experian downplayed concerns from the security community that the issue could be systemic.
The tool, called the Experian Connect API, allows lenders to automate FICO-score queries. Bill Demirkapi is a sophomore at Rochester Institute of Technology and was shopping for student loans when he found a lender that would check his eligibility with just a name, address and date of birth, according to a published report.
Demirkapi was surprised and decided to take a peek at the code which showed that an connection to an Experian API was behind the tool, he said.
“No one should be able to perform an Experian credit check with only publicly available information,” Demirkapi told Krebs On Security, which was the first to break the story of the leak. “Experian should mandate non-public information for promotional inquiries, otherwise an attacker who found a single vulnerability in a vendor could easily abuse Experian’s system.”
Demirkapi said he was even able to build a command-line tool that let him automate lookups, even after entering all zeros in the fields for date of birth, which he named, “Bill’s Cool Credit Score Lookup Utility.”
It should be noted that colossal security failures aren’t unknown for Experian, which in 2015 exposed 15 million T-Mobile customers’ data, including driver’s license and passport numbers.
Full article on https://threatpost.com/experian-api-leaks-american-credit-scores/165731/?
#experian #dataleak #api #credit #scores #yokdata #blog