Experian account hijacking; major security risk? seems so

Questions on how we spend our money and our time - consumer goods and services, home and vehicle, leisure and recreational activities
Post Reply
Topic Author
MarkVH0518
Posts: 241
Joined: Tue Dec 13, 2016 1:14 pm

Experian account hijacking; major security risk? seems so

Post by MarkVH0518 »

Dear Bogleheads

KrebsOnSecurity is reporting, what appears to me, a significant security risk.
I'll call it Experian account hijacking.

https://krebsonsecurity.com/2022/07/exp ... more-60259

The gist is that an identify thief creates an entirely new account using your
identifying information: name, SSN, birth date, etc
Experian just replaces your existing account with the newly supplied email address and PIN.
Apparently no questions asked. It appears you receive an email change notice, but nothing else.
And your account is no longer under your control.

Credit freeze has no impact.
Caveat emptor!

Regards,
Mark
The advantage of Get Rich Slow is that you actually Get Rich.
User avatar
mister_sparkle
Posts: 339
Joined: Wed Dec 11, 2013 4:58 pm
Location: North Carolina

Re: Experian account hijacking; major security risk? seems so

Post by mister_sparkle »

This just happened to me; e-mail from Experian noting my new e-mail address when I haven't contacted them. Clicking on the forgot username link shows that it goes to a Hotmail account belonging to someone else. I've e-mailed Experian to get them to reverse this, but wondering if there's anything else I should be doing.

Very annoying!
User avatar
Cheez-It Guy
Posts: 4007
Joined: Sun Mar 03, 2019 3:20 pm

Re: Experian account hijacking; major security risk? seems so

Post by Cheez-It Guy »

I have resisted creating an Experian account up to now because until recently they still allowed credit freeze management using the PIN established following the Equifax breach and efforts undertaken to lock things down. That is, no login was required, and I'm not excited to have a proliferation of accounts and also give more bureaus contact information for unwanted marketing purposes. However, it seems like it might be time to re-think this. Would the same scam be possible or even more effective in the absence of an initial account?
Topic Author
MarkVH0518
Posts: 241
Joined: Tue Dec 13, 2016 1:14 pm

Re: Experian account hijacking; major security risk? seems so

Post by MarkVH0518 »

mister_sparkle wrote: Sat Nov 05, 2022 3:18 pm but wondering if there's anything else I should be doing.
I'd certainly have a credit freeze on the other credit checking firms.
You may want to be monitoring your credit reports more often than usual.
I don't know if there are any credit cards that only pull from experian; maybe you can google
the credit card bonus web sites to look for any that are experian only.

I wonder if you could just 'hijack' the your experian account right back using the same technique?
Might be worth a try given that you are in the situation.

Please report back if this seems to have an effect.
Good luck
Mark
The advantage of Get Rich Slow is that you actually Get Rich.
User avatar
mister_sparkle
Posts: 339
Joined: Wed Dec 11, 2013 4:58 pm
Location: North Carolina

Re: Experian account hijacking; major security risk? seems so

Post by mister_sparkle »

I ended up jumping through the hoops that Experian provided (faxing them various documents including my SS card...ridiculous) and they will delete the account and allow me to create a new one. Just a terrible way of doing business IMO.
JBTX
Posts: 11227
Joined: Wed Jul 26, 2017 12:46 pm

Re: Experian account hijacking; major security risk? seems so

Post by JBTX »

Cheez-It Guy wrote: Sat Nov 05, 2022 3:22 pm I have resisted creating an Experian account up to now because until recently they still allowed credit freeze management using the PIN established following the Equifax breach and efforts undertaken to lock things down. That is, no login was required, and I'm not excited to have a proliferation of accounts and also give more bureaus contact information for unwanted marketing purposes. However, it seems like it might be time to re-think this. Would the same scam be possible or even more effective in the absence of an initial account?
The scam is by setting up a new account for you with personal information they have on you. They can do this whether or not you have an account or not. At least if you already have an account set up you should get a notification that your account changed.
User avatar
TheTimeLord
Posts: 12130
Joined: Fri Jul 26, 2013 2:05 pm

Re: Experian account hijacking; major security risk? seems so

Post by TheTimeLord »

mister_sparkle wrote: Sat Nov 05, 2022 3:18 pm This just happened to me; e-mail from Experian noting my new e-mail address when I haven't contacted them. Clicking on the forgot username link shows that it goes to a Hotmail account belonging to someone else. I've e-mailed Experian to get them to reverse this, but wondering if there's anything else I should be doing.

Very annoying!
Why would they send you an email about the change unless it was to confirm you made the change? Seems like they should have provided some way of you indicating you didn't make the change.
IMHO, Investing should be about living the life you want, not avoiding the life you fear. | Run, You Clever Boy! [9085]
User avatar
TheTimeLord
Posts: 12130
Joined: Fri Jul 26, 2013 2:05 pm

Re: Experian account hijacking; major security risk? seems so

Post by TheTimeLord »

MarkVH0518 wrote: Mon Jul 11, 2022 1:55 pm Dear Bogleheads

KrebsOnSecurity is reporting, what appears to me, a significant security risk.
I'll call it Experian account hijacking.

https://krebsonsecurity.com/2022/07/exp ... more-60259

The gist is that an identify thief creates an entirely new account using your
identifying information: name, SSN, birth date, etc
Experian just replaces your existing account with the newly supplied email address and PIN.
Apparently no questions asked. It appears you receive an email change notice, but nothing else.
And your account is no longer under your control.

Credit freeze has no impact.
Caveat emptor!

Regards,
Mark
https://krebsonsecurity.com/2022/08/cla ... -security/
A class action lawsuit has been filed against big-three consumer credit bureau Experian over reports that the company did little to prevent identity thieves from hijacking consumer accounts. The legal filing cites liberally from an investigation KrebsOnSecurity published in July, which found that identity thieves were able to assume control over existing Experian accounts simply by signing up for new accounts using the victim’s personal information and a different email address.
IMHO, Investing should be about living the life you want, not avoiding the life you fear. | Run, You Clever Boy! [9085]
buyholdforever
Posts: 69
Joined: Wed Dec 09, 2015 3:43 pm

Re: Experian account hijacking; major security risk? seems so

Post by buyholdforever »

I have an Experian account for my own email address and my own info. But then there is also a second Experian account for some person with a different name tied to my email address, and I get alerts for them and myself. Fun!

So it appears multiple people can set up Experian accounts with your email address and I can't figure out what to do to solve the issue.
Post Reply