Credit Scores of Many Americans Leaked to Public After API Security Issue

Experian, a credit agency, is now dealing with a new app programming interface (API) privacy loophole that seems to have exposed virtually every American’s credit scores.

According to a report, almost every American’s credit score was leaked due to an API platform used by the Experian placed accessible on a lender’s website without even standard security measures. The Experian Connect API is a tool that assists lenders in making FICO score questions easier to understand.

A sophomore at Rochester Institute of Technology discovered the data breach when attempting to shop for student loans. According to a published article, Bill Demirkapi discovered that a lender verified his qualifications using only basic information, such as name, address, and birthdate.

Credit Scores of Many Americans Leaked to Public

In an interview with KrebsOnSecurity, Demirkapi said, “No one should be able to perform an Experian credit check with only publicly available information.”

“Experian should mandate non-public information for promotional inquiries; otherwise an attacker who found a single vulnerability in a vendor could easily abuse Experian’s system,” he added.

Demirkapi discovered that the Experian API can be reached without verification and that encoding zeros in the birthdate field enabled him to extract someone’s fico score. He also created a command-line interface, called “Bill’s Cool Credit Score Lookup Utility,” to simplify the optimizations.

As a response, Experian released a statement saying, “We have been able to confirm a single instance of where this situation has occurred and have taken steps to alert our partner and resolve the matter. While the situation did not implicate or compromise any of Experian’s systems, we take this matter very seriously. Data security has always been, and always will be, our highest priority.”

While Experian has already stated that the exposed interface incident has been addressed, some researchers remain worried that other compromised Experian APIs may still be out, waiting to be abused by attackers.

The 2017 Equifax privacy breach set a high bar for cybercriminals pursuing such information. The said circumstance enabled Chinese hackers to break into Experian’s competitor and robbed the financial records of more than 143 million Americans.

As the data breach spread, many experts, such as Setu Kulkarni. Kulkarni is the WhiteHat Security’s Strategy and Vice President. He stated that “If you look at the flaw, it was a basic authentication flaw – something that should have been contemplated during the design phase of the software.”

“What is worse here is that there are API Management solutions that allow organizations to compensate for missing authentication in the APIs they want to make public. When two companies decide to integrate their applications, they should explicitly account for the risks both companies inherit — which are posed by insecurities in each other’s applications.” he also explained.