Experts have found that the website of consumer credit reporting company Experian included a severe privacy flaw that enabled hackers to get client credit reports with nothing more than some identifying data and a little modification to the address shown in the URL bar.

After seeing hackers sell stolen reports, cybersecurity researcher Jenya Kushnir uncovered the issue in Telegram and collaborated with KrebsOnSecurity to examine it.

The basic concept was to use the victim’s personal information (name, address, birthdate, and Social Security number) to apply for a free credit report on one of several available websites. This information may be gained from a prior incident. When you click that link, you’ll be sent to Experian, where you’ll be asked to fill out a more in-depth profile, including details about your past residences.

Cracking Experian

Furthermore, the vulnerability may be accessed at this point. You may skip answering those questions by switching the URL in your browser’s address bar from “/acr/oow/” to “/acr/report” and then clicking the “Go” button.

For example, when Krebs tested the idea, he discovered that modifying the address resulted in a reroute to “/acr/OcwError,” but that retrying the modification resulted in the Experian’s website “then promptly revealed my whole credit information,” the document says.

If there is any good news to be had, it is that Experian’s reports are rife with errors. Krebs’s database had a large number of phone numbers, but the author used just one of them at one point.

Experian has not commented, but the issue seems to have been resolved. We have no idea how long the vulnerability existed on the site or how many false complaints were filed.