Experian API Exposed Millions of Americans' Credit Scores

TechAristocrat Newsroom
API mistake allowed users to look up practically anyone.

Credit bureau Experian has only just fixed a weakness in a partner site that allowed anyone to look up tens of millions of credit records with nothing more than a name and mailing address. Experian says the leak has been plugged, but the researcher who first reported it says the same flaw could still be present on other websites that connect to Experian.


Independent security researcher Bill Demirkapi, a sophomore at the Rochester Institute of Technology, said he found the exposure while searching for a student loan vendor. 


Demirkapi found a website offering to check his eligibility if he entered his name, address, and date of birth. After inspecting the site's code, Demirkapi found it used an Experian API (Application Programming Interface) that lets websites query the service for FICO credit scores automatically.


“No one should be able to perform an Experian credit check with only publicly available information,” Demirkapi said. “Experian should mandate non-public information for promotional inquiries, otherwise an attacker who found a single vulnerability in a vendor could easily abuse Experian’s system.”


Demirkapi found the API could be reached without authentication, and that it did not actually validate the date-of-birth field: filling the field with all zeros still returned a credit score, so a name and address were enough to pull anyone's record. He even wrote a command-line tool he called "Bill's Cool Credit Score Lookup Utility" that automated the lookup. The Experian API also returns risk factors for a consumer, indicators that suggest why a credit score isn't higher.
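The article describes two separate failures: the endpoint accepted calls with no authentication, and a zero-filled date of birth was treated as valid. The following is an added illustration of what a strict server-side gate for such a lookup would look like; it is not Experian's or the vendor's code, and the request format, the `partner_token` field and the age bound are assumptions made for the example. The lenient check is included only to show why a shape-only validation lets `00000000` through.

```python
"""Lenient versus strict handling of a date-of-birth field in a lookup request.

Added example, not the code of Experian or of any vendor. Request fields,
the partner_token name and the plausibility bounds are assumptions.
"""
from datetime import date, datetime
from typing import Optional

# Constructed reference date so the checks below are reproducible offline.
FIXED_TODAY = date(2021, 4, 28)


def lenient_dob_ok(dob: str) -> bool:
    """Hypothetical weak check: verifies only the shape (8 digits).

    '00000000' passes this check, which is the kind of gap the article
    describes: the field is present but never parsed as a real date.
    """
    return len(dob) == 8 and dob.isdigit()


def strict_dob_ok(dob: str, today: Optional[date] = None) -> bool:
    """Strict check: the value must parse as a real calendar date that lies
    in the past and corresponds to a plausible human age."""
    if len(dob) != 8 or not dob.isdigit():
        return False
    try:
        parsed = datetime.strptime(dob, "%Y%m%d").date()
    except ValueError:
        # Rejects sentinel values such as 00000000 and impossible dates
        # such as 20230230 (30 February).
        return False
    today = today or date.today()
    if parsed >= today:
        return False
    # Age in whole years, correcting for a birthday later in the current year.
    age_years = today.year - parsed.year - (
        (today.month, today.day) < (parsed.month, parsed.day)
    )
    return age_years <= 125  # assumed upper bound on a plausible age


def accept_inquiry(req: dict, today: Optional[date] = None) -> tuple:
    """Hypothetical gate in front of a promotional-inquiry endpoint.

    Denies anonymous calls first (the endpoint in the article needed no
    credentials at all), then requires every identity field to pass a
    strict check rather than a presence check. Returns (accepted, reason).
    """
    if not req.get("partner_token"):
        return False, "unauthenticated"
    for field in ("name", "address"):
        if not str(req.get(field, "")).strip():
            return False, "missing " + field
    if not strict_dob_ok(str(req.get("dob", "")), today):
        return False, "invalid dob"
    return True, "ok"


if __name__ == "__main__":
    # Constructed request mirroring the all-zeros trick from the article.
    zeros = {"partner_token": "demo", "name": "A. Person",
             "address": "1 Example St", "dob": "00000000"}
    print("lenient accepts zeros:", lenient_dob_ok(zeros["dob"]))
    print("strict gate:", accept_inquiry(zeros, FIXED_TODAY))
```

The strict parser is only half of the fix. Even a correct date of birth is semi-public information, which is why the researcher argues below that a promotional inquiry should require data an attacker cannot find in public records; the gate above shows where such a requirement would sit, after the authentication check and alongside the field validation.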


Demirkapi didn't disclose the lender or website that exposed the API. He said he refused because he suspects there are hundreds, if not thousands, of companies using it, any of which could be exposing the API in the same way and leaking access to Experian's databases.


"If we let them know about the specific endpoint, they can just ban/work with the loan vendor to block these requests on this one case, which doesn't fix the systemic problem," he explained. For its part, Experian responded with a written statement.


“We have been able to confirm a single instance of where this situation has occurred and have taken steps to alert our partner and resolve the matter,” Experian said in a written statement. “While the situation did not implicate or compromise any of Experian’s systems, we take this matter very seriously. Data security has always been, and always will be, our highest priority.”
