Experian account hijacking; major security risk? seems so
-
- Posts: 241
- Joined: Tue Dec 13, 2016 1:14 pm
Experian account hijacking; major security risk? seems so
Dear Bogleheads
KrebsOnSecurity is reporting, what appears to me, a significant security risk.
I'll call it Experian account hijacking.
https://krebsonsecurity.com/2022/07/exp ... more-60259
The gist is that an identify thief creates an entirely new account using your
identifying information: name, SSN, birth date, etc
Experian just replaces your existing account with the newly supplied email address and PIN.
Apparently no questions asked. It appears you receive an email change notice, but nothing else.
And your account is no longer under your control.
Credit freeze has no impact.
Caveat emptor!
Regards,
Mark
KrebsOnSecurity is reporting, what appears to me, a significant security risk.
I'll call it Experian account hijacking.
https://krebsonsecurity.com/2022/07/exp ... more-60259
The gist is that an identify thief creates an entirely new account using your
identifying information: name, SSN, birth date, etc
Experian just replaces your existing account with the newly supplied email address and PIN.
Apparently no questions asked. It appears you receive an email change notice, but nothing else.
And your account is no longer under your control.
Credit freeze has no impact.
Caveat emptor!
Regards,
Mark
The advantage of Get Rich Slow is that you actually Get Rich.
- mister_sparkle
- Posts: 339
- Joined: Wed Dec 11, 2013 4:58 pm
- Location: North Carolina
Re: Experian account hijacking; major security risk? seems so
This just happened to me; e-mail from Experian noting my new e-mail address when I haven't contacted them. Clicking on the forgot username link shows that it goes to a Hotmail account belonging to someone else. I've e-mailed Experian to get them to reverse this, but wondering if there's anything else I should be doing.
Very annoying!
Very annoying!
- Cheez-It Guy
- Posts: 4007
- Joined: Sun Mar 03, 2019 3:20 pm
Re: Experian account hijacking; major security risk? seems so
I have resisted creating an Experian account up to now because until recently they still allowed credit freeze management using the PIN established following the Equifax breach and efforts undertaken to lock things down. That is, no login was required, and I'm not excited to have a proliferation of accounts and also give more bureaus contact information for unwanted marketing purposes. However, it seems like it might be time to re-think this. Would the same scam be possible or even more effective in the absence of an initial account?
-
- Posts: 241
- Joined: Tue Dec 13, 2016 1:14 pm
Re: Experian account hijacking; major security risk? seems so
I'd certainly have a credit freeze on the other credit checking firms.mister_sparkle wrote: ↑Sat Nov 05, 2022 3:18 pm but wondering if there's anything else I should be doing.
You may want to be monitoring your credit reports more often than usual.
I don't know if there are any credit cards that only pull from experian; maybe you can google
the credit card bonus web sites to look for any that are experian only.
I wonder if you could just 'hijack' the your experian account right back using the same technique?
Might be worth a try given that you are in the situation.
Please report back if this seems to have an effect.
Good luck
Mark
The advantage of Get Rich Slow is that you actually Get Rich.
- mister_sparkle
- Posts: 339
- Joined: Wed Dec 11, 2013 4:58 pm
- Location: North Carolina
Re: Experian account hijacking; major security risk? seems so
I ended up jumping through the hoops that Experian provided (faxing them various documents including my SS card...ridiculous) and they will delete the account and allow me to create a new one. Just a terrible way of doing business IMO.
Re: Experian account hijacking; major security risk? seems so
The scam is by setting up a new account for you with personal information they have on you. They can do this whether or not you have an account or not. At least if you already have an account set up you should get a notification that your account changed.Cheez-It Guy wrote: ↑Sat Nov 05, 2022 3:22 pm I have resisted creating an Experian account up to now because until recently they still allowed credit freeze management using the PIN established following the Equifax breach and efforts undertaken to lock things down. That is, no login was required, and I'm not excited to have a proliferation of accounts and also give more bureaus contact information for unwanted marketing purposes. However, it seems like it might be time to re-think this. Would the same scam be possible or even more effective in the absence of an initial account?
- TheTimeLord
- Posts: 12130
- Joined: Fri Jul 26, 2013 2:05 pm
Re: Experian account hijacking; major security risk? seems so
Why would they send you an email about the change unless it was to confirm you made the change? Seems like they should have provided some way of you indicating you didn't make the change.mister_sparkle wrote: ↑Sat Nov 05, 2022 3:18 pm This just happened to me; e-mail from Experian noting my new e-mail address when I haven't contacted them. Clicking on the forgot username link shows that it goes to a Hotmail account belonging to someone else. I've e-mailed Experian to get them to reverse this, but wondering if there's anything else I should be doing.
Very annoying!
IMHO, Investing should be about living the life you want, not avoiding the life you fear. |
Run, You Clever Boy! [9085]
- TheTimeLord
- Posts: 12130
- Joined: Fri Jul 26, 2013 2:05 pm
Re: Experian account hijacking; major security risk? seems so
https://krebsonsecurity.com/2022/08/cla ... -security/MarkVH0518 wrote: ↑Mon Jul 11, 2022 1:55 pm Dear Bogleheads
KrebsOnSecurity is reporting, what appears to me, a significant security risk.
I'll call it Experian account hijacking.
https://krebsonsecurity.com/2022/07/exp ... more-60259
The gist is that an identify thief creates an entirely new account using your
identifying information: name, SSN, birth date, etc
Experian just replaces your existing account with the newly supplied email address and PIN.
Apparently no questions asked. It appears you receive an email change notice, but nothing else.
And your account is no longer under your control.
Credit freeze has no impact.
Caveat emptor!
Regards,
Mark
A class action lawsuit has been filed against big-three consumer credit bureau Experian over reports that the company did little to prevent identity thieves from hijacking consumer accounts. The legal filing cites liberally from an investigation KrebsOnSecurity published in July, which found that identity thieves were able to assume control over existing Experian accounts simply by signing up for new accounts using the victim’s personal information and a different email address.
IMHO, Investing should be about living the life you want, not avoiding the life you fear. |
Run, You Clever Boy! [9085]
-
- Posts: 69
- Joined: Wed Dec 09, 2015 3:43 pm
Re: Experian account hijacking; major security risk? seems so
I have an Experian account for my own email address and my own info. But then there is also a second Experian account for some person with a different name tied to my email address, and I get alerts for them and myself. Fun!
So it appears multiple people can set up Experian accounts with your email address and I can't figure out what to do to solve the issue.
So it appears multiple people can set up Experian accounts with your email address and I can't figure out what to do to solve the issue.