Equifax Website Hack Exposes Data On 143 Million US Consumers

Equifax, a provider of consumer credit reports, said it expe

said in a statement late Thursday, without elaborating. That leaves open a wide range of possibilities, with injection bugs, faulty authentication mechanisms, and cross-site scripting vulnerabilities topping the list of the most widely exploited website flaws.

This isn’t the first time a garden-variety website flaw has been exploited to obtain a massive amount of sensitive data. Associates of Albert Gonzalez, a convicted hacker who was sentenced to 11 years in federal prison, exploited a SQL-injection flaw that helped them obtain data for 130 million credit cards. On Wednesday, exploit code for a nine-year-old code-execution vulnerability in Apache Struts 2—a software framework used by many large financial service websites—went public, but there was no immediate indication that the Equifax site uses it.
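The SQL-injection class mentioned above, shown as an added illustration rather than anything from the article or from Equifax's own systems: a toy credit-report lookup keyed on last name plus the last six digits of a Social Security number (the query shape the breach-check page used). The table, names and SSN fragments are constructed for this example; the page does not say that the Equifax site was attacked this way. The vulnerable function splices caller input into the SQL text, so a payload in the SSN field lets an attacker who knows only a last name bypass the SSN check entirely; the hardened version binds the same inputs as parameters.

```python
import sqlite3

# Constructed sample data standing in for a consumer-lookup backend.
# Names and SSN fragments are invented for this example.
ROWS = [
    ("Smith", "123456", "report-A"),
    ("Jones", "654321", "report-B"),
    ("Garcia", "112233", "report-C"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE consumer (last_name TEXT, ssn_last6 TEXT, report TEXT)"
    )
    conn.executemany("INSERT INTO consumer VALUES (?, ?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn, last_name, ssn_last6):
    """Vulnerable lookup: user input is formatted straight into the SQL text.

    A value such as  ' OR '1'='1  in ssn_last6 turns the WHERE clause into
    (last_name = 'Smith' AND ssn_last6 = '') OR '1'='1', which matches every
    row, so the SSN check is bypassed and all reports are returned.
    """
    sql = (
        "SELECT report FROM consumer "
        "WHERE last_name = '%s' AND ssn_last6 = '%s'" % (last_name, ssn_last6)
    )
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, last_name, ssn_last6):
    """Hardened lookup: the same query with bound parameters.

    The driver passes the values to SQLite as data, so quote characters in
    the input are compared literally and never change the query's structure.
    """
    sql = "SELECT report FROM consumer WHERE last_name = ? AND ssn_last6 = ?"
    return [row[0] for row in conn.execute(sql, (last_name, ssn_last6))]


def demo():
    """Run both lookups with a legitimate query and with an injection payload."""
    conn = make_db()
    payload = "' OR '1'='1"
    return {
        "legit_vulnerable": lookup_vulnerable(conn, "Smith", "123456"),
        "legit_safe": lookup_safe(conn, "Smith", "123456"),
        "attack_vulnerable": lookup_vulnerable(conn, "Smith", payload),
        "attack_safe": lookup_safe(conn, "Smith", payload),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:18s} -> {result}")
```

The vulnerable path hands back all three reports for a caller who supplied the wrong SSN; the parameterized path returns nothing for the same payload and the correct single report for the genuine query. Parameter binding, not input filtering, is the fix a practitioner should reach for first.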

This isn’t the first time Equifax has been involved in a breach that exposed sensitive consumer data. In 2013, the company confirmed that the personal details for famous people—including US Vice President Joe Biden, FBI Director Robert Mueller, Attorney General Eric Holder, and rap star Jay Z—were exposed on annualcreditreport.com, a site that allows consumers to monitor their credit reports. Lax security on the site allowed people to gain unauthorized access to other people’s reports by supplying their previous addresses, mortgages, outstanding loans, and other details that are often widely known.

People who want to know if their data was exposed can enter their last name and the last six digits of their Social Security number on a dedicated page Equifax set up for the purpose. Unfortunately, the responses to those queries are extremely opaque. Another major shortcoming: the site is hosted on a third-party domain that’s protected by a TLS certificate that wasn’t being properly checked for revocation at the time this post was being written. On Thursday, Equifax offered to provide free credit monitoring for people affected by the latest breach.