Equifax Website Hack Exposes Data On 143 Million US Consumers

Equifax Website Hack Exposes Data On 143 Million US Consumers

EnlargeMichael Theis reader comments 138 Share this story Equifax, a provider of consumer credit reports, said it expe

Android App Are Sharing Screenshots, Video Recordings to Third Parties, Report Finds
F-35 Has Easy-To-Hack Combat Systems, Old Flaws, And Cost A Mint
VMware Patches Multiple Security Issues in Workstation

said in a statement late Thursday, without elaborating. That leaves open a wide range of possibilities, with injection bugs, faulty authentication mechanisms, and cross-site scripting vulnerabilities topping the list of the most widely exploited website flaws.

This isn’t the first time a garden-variety website flaw has been exploited to obtain a massive amount of sensitive data. Associates of Albert Gonzalez, a convicted hacker who was sentenced to 11 years in federal prison, exploited a SQL-injection flaw that helped them obtain data for 130 million credit cards. On Wednesday, exploit code for a nine-year-old code-execution vulnerability in Apache Struts 2—a software framework used by many large financial service websites—went public, but there was no immediate indication that the Equifax site uses it.

This isn’t the first time Equifax has been involved in a breach that exposed sensitive consumer data. In 2013, the company confirmed that the personal details for famous people—including US Vice President Joe Biden, FBI Director Robert Mueller, Attorney General Eric Holder, and rap star Jay Z—were exposed on annualcreditreport.com, a site that allows consumers to monitor their credit reports. Lax security on the site allowed people to gain unauthorized access to other people’s reports by supplying their previous addresses, mortgages, outstanding loans, and other details that are often widely known.

People who want to know if their data was exposed can enter their last name and the last six digits of their Social Security number on this page. Unfortunately, the responses to those queries are extremely opaque. Another major shortcoming: the site is hosted on a third-party domain that’s protected by a TLS certificate that returns wasn’t being properly checked for revocation at the time this post was being written. On Thursday, Equifax offered to provide free credit monitoring for people affected by the latest breach.

Go to Source