Bad News for Tens of Millions Americas: Experian API Exposed Your Credit Scores

Updated: Apr 30

Experian just fixed a weakness with a partner website that let anyone look up the credit score of tens of millions of Americans just by supplying their name and mailing address, KrebsOnSecurity has learned. Experian says it has plugged the data leak, but the researcher who reported the finding says he fears the same weakness may be present at countless other lending websites that work with the credit bureau.


Cyber experts had a lot to say about yet another API issue that lead to a sensitive data leak.


Setu Kulkarni, Vice President, Strategy at WhiteHat Security, a San Jose, Calif.-based provider of application security:

"This is a wake-up call for Experian. APIs are the lingua-franca for business integrations and a flaw in APIs is lethal.

This yet again demonstrates that while the use-cases have to be designed for the end user, the abuse cases have to be designed for the super-users (benign or adversarial). If you look at the flaw, it was a basic authentication flaw – something that should have been contemplated during the design phase of the software. What is worse here is that there are API Management solutions that allow organizations to compensate for missing authentication in the APIs they want to make public.

When two companies decide to integrate their applications, they should explicitly account for the risks both companies inherit — which are posed by insecurities in each other’s applications. If you are an organization looking to partner with other companies, API, web and mobile applications must be tested for security to avoid consequential loss due to security vulnerabilities on the part of a strategic partner. Similar to how we view the spreading virus, it is possible to unintentionally infect your friend or your organizational partner if you do not take the necessary precautionary steps of testing and protecting your applications. Prioritize the requirement for application security assessment with your partners when you are executing on your growth strategy with them.

WhiteHat recommends that customers scan their public facing APIs in production in a continuous manner. In addition, API discovery is a challenge that customers need to address and WhiteHat can help with that."

Hank Schless, Senior Manager, Security Solutions at Lookout, a San Francisco, Calif.-based provider of mobile security solutions:

"The prominence of cloud-based services and technologies has created a massive ecosystem of interconnected services that help organizations of all types boost their business internally for employees and externally for customers. Integration between various apps and services can make the overall experience much more convenient and seamless for users. APIs, especially for large platforms like airlines or social media, are oftentimes made public so anyone can connect their service to those platforms. However, the convenience of integration shouldn’t put security on the back burner.

This incident highlights how important it is to understand the security posture of all your resources. In this particular case, that means vetting any third party service you decide to integrate into your services or infrastructure. When you integrate your services, there’s always the risk of an attacker getting to your data after initially breaching the partner service.

Integrations aren’t the only thing that can expand the reach of your data. As your cloud infrastructure expands, sensitive data ends up in various storage systems that don’t necessarily have strong native security configurations. In order to make sure your data isn’t leaking out of unsecured storage systems, you need to have visibility into your overall cloud service security posture.

You need to understand who has access to what sensitive data - especially as the digital world continues to get more widely distributed. This mindset should apply to the people, devices, and external services that could access data and present a possible security risk if they’re compromised."

Jack Mannino, CEO at nVisium, a Falls Church, Virginia-based application security provider:

"This isn’t unique to Experian. Many websites being launched for vaccine management and other public health services seem to struggle with the same issues. Making systems accessible to the broader public using private data often has security tradeoffs and consequences. Stronger authentication and verification processes are required along with access controls and sane anti-automation defenses, in order to prevent these attacks."

Sean Nikkel, Senior Cyber Threat Intel Analyst at Digital Shadows, a San Francisco-based provider of digital risk protection solutions:

"As a good practice, web application penetration testing should happen during the testing and development stages of application development. Developers should also use secure coding principles and work closely with testers to ensure the application itself and information within stays secure. Testing should also continue regularly as part of a product lifecycle, especially as new changes are rolled out to production, to ensure that the application continues to deliver the intended results while also protecting sensitive information."


Michael Isbitski, Technical Evangelist at Salt Security:

"The leaky API was stood up by Experian so that lending partners could verify credit worthiness of an individual and potential credit applicant. The data returned by the API included the person’s FICO score and impacting risk factors on credit worthiness such as high credit utilization or too many open revolving accounts.

It's not clear if this weakness was exploited by other attackers beyond the security researcher's probing and disclosure. Experian confirmed only that they were able to uncover the security researcher’s activity in their backend logs after the problem was disclosed to them. An API that uses weak authentication like this could potentially be enumerated and scraped to obtain large amounts of the private, credit-related data.

From the perspective of the consumer, a credit freeze is always a good idea to protect themselves from identity and credit fraud. If an individual had a credit freeze in place, Experian’s API returned no data for that person."


###