
Experian API Exposed Credit Scores of Most Americans
2021-04-28 20:47

Big-three consumer credit bureau Experian just fixed a weakness with a partner website that let anyone look up the credit score of tens of millions of Americans just by supplying their name and mailing address, KrebsOnSecurity has learned.

Peering at the code behind this lookup page, Demirkapi was able to see that it invoked an Experian Application Programming Interface (API), a capability that allows lenders to automate queries for FICO credit scores from the credit bureau.

Demirkapi found the Experian API could be accessed directly without any sort of authentication, and that entering all zeros in the "Date of birth" field let him then pull a person's credit score.

In addition to credit scores, the Experian API returns for each consumer up to four "Risk factors," indicators that might help explain why a person's score is not higher.

The reason I could not test Demirkapi's findings on my own credit score is that we have a security freeze on our files at the three major consumer credit reporting bureaus, and a freeze blocks this particular API from pulling the information.
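The two failure modes described above (an API reachable without any credential, and a lookup that succeeds with an all-zeros date of birth) and the one control that did work (a security freeze blocking the pull) can be shown as server-side request checks. The following is an added example written for this page; it is not Experian's or any partner's code. The request shape, the token check, the date format and the in-memory freeze list are all assumptions made for the illustration.

```python
"""Illustrative server-side checks for a consumer credit-lookup request.

Added example, not code from the article or from Experian. Every name,
token and consumer record below is constructed for the demonstration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple
import hmac

# Constructed sample partner credential (assumption: bearer-style tokens).
VALID_TOKENS = {"partner-token-EXAMPLE"}

# Constructed sample of consumers who have placed a security freeze,
# keyed by normalized (name, address, date of birth).
FROZEN_FILES = {("jane doe", "1 main st", date(1980, 1, 1))}


@dataclass
class LookupRequest:
    token: Optional[str]
    name: str
    address: str
    dob: str  # expected as ISO 8601, e.g. "1980-01-01"


def _token_is_valid(token: Optional[str]) -> bool:
    """Constant-time comparison against the known partner tokens."""
    if not token:
        return False
    return any(hmac.compare_digest(token, t) for t in VALID_TOKENS)


def parse_dob(raw: str) -> Optional[date]:
    """Return a real calendar date, or None for placeholder or malformed input.

    An all-zero value ("0000-00-00", "00000000") is rejected up front so that a
    caller who sends it to mean "unknown" gets an explicit refusal rather than
    a lookup keyed only on name and address.
    """
    digits = raw.replace("-", "").replace("/", "").strip()
    if not digits or set(digits) == {"0"}:
        return None
    try:
        parsed = date.fromisoformat(raw.strip())
    except ValueError:
        return None
    if parsed > date.today():
        return None
    return parsed


def evaluate_lookup(req: LookupRequest) -> Tuple[bool, str]:
    """Decide whether a score lookup may proceed; returns (allowed, reason).

    Order matters: authenticate first, then validate every identifying field,
    then honour the consumer's freeze before any data is released.
    """
    if not _token_is_valid(req.token):
        return False, "unauthenticated"
    dob = parse_dob(req.dob)
    if dob is None:
        return False, "invalid_dob"
    key = (req.name.strip().lower(), req.address.strip().lower(), dob)
    if key in FROZEN_FILES:
        return False, "file_frozen"
    return True, "ok"


if __name__ == "__main__":
    # Constructed requests exercising each branch.
    for r in (
        LookupRequest(None, "Jane Doe", "1 Main St", "1980-01-01"),
        LookupRequest("partner-token-EXAMPLE", "Jane Doe", "1 Main St", "0000-00-00"),
        LookupRequest("partner-token-EXAMPLE", "Jane Doe", "1 Main St", "1980-01-01"),
        LookupRequest("partner-token-EXAMPLE", "John Roe", "2 Elm St", "1975-06-15"),
    ):
        print(r.name, r.dob, "->", evaluate_lookup(r))
```

The point of the ordering in `evaluate_lookup` is that each check stands alone: even if a partner page exposes the endpoint, an unauthenticated caller is refused before any field is examined, a placeholder date of birth is refused before any record is consulted, and a frozen file is refused before a score is returned.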

Demirkapi declined to share with Experian the name of the lender or the website where the API was exposed.


News URL

https://krebsonsecurity.com/2021/04/experian-api-exposed-credit-scores-of-most-americans/