Experian API Leaks Most Americans’ Credit Scores

Researchers fear wider exposure, amidst a tepid response from Experian.

A researcher says the credit scores of almost every American could be looked up through an API tool provided by the Experian credit bureau, which he said a lender had left open on its website without even basic security protections.

Experian, for its part, disputed concerns from the security community that the issue could be systemic.

The tool, called the Experian Connect API, lets lenders automate FICO-score queries. Bill Demirkapi, a sophomore at Rochester Institute of Technology, was shopping for student loans when he found a lender that would check his eligibility with nothing more than a name, address and date of birth, according to a published report.

Surprised, Demirkapi took a look at the page’s code, which showed that a connection to an Experian API was behind the tool, he said.

“No one should be able to perform an Experian credit check with only publicly available information,” Demirkapi told Krebs On Security, which was the first to break the story of the leak. “Experian should mandate non-public information for promotional inquiries, otherwise an attacker who found a single vulnerability in a vendor could easily abuse Experian’s system.”

Demirkapi said he went on to build a command-line tool, which he named “Bill’s Cool Credit Score Lookup Utility,” that automated the lookups, and that queries still succeeded when he entered all zeros in the date-of-birth field.

In addition to raw credit scores, Krebs said he was able to use the API connection to retrieve “risk factors” from Experian that explain potential weaknesses in a person’s credit history. He ran a credit check for his friend “Bill,” and the result explained his mid-700s credit score with the factor “Too many consumer-finance company accounts.”


Experian’s Leaky API Systemic?

Experian said it fixed the unprotected endpoint, but some researchers are concerned that other exposed Experian API integrations are out there, sitting unprotected and waiting to be exploited by cybercriminals. There is ample precedent for attackers going after this kind of data: in the 2017 breach of Equifax, an Experian rival, Chinese hackers stole the financial details of 143 million Americans.

However, an Experian spokesperson pushed back on the notion that there could be other insecure interfaces out there.

“We can confirm a single, isolated instance involving a client website,” she told Threatpost. “This situation did not implicate or compromise any of Experian’s systems, including our API. We were able to alert the client and resolve the matter.”

She added, “To reiterate, while this did not compromise any of Experian’s systems, we take this matter very seriously. In fact, we continually work with our clients to review their processes and ensure data security best practices.”

When Threatpost reached out for additional clarification, she responded that, “To be clear, this was isolated to a single client and a vulnerability with the client’s website.” She added, “We can confirm the security of our APIs. Upon identifying the source of the situation we shut down access to the client. We are working with our clients to ensure security best practices, and continuing to vet all our partners and mandate robust security measures and controls to secure our data.”

Regardless, Demirkapi said he wouldn’t name the lender, in order to avoid drawing attention to what he characterized as the thousands of other API integrations that are potentially still out there unsecured.

“They found one endpoint I was using and sent it into maintenance mode,” Demirkapi told Krebs. “But this doesn’t address the systemic issue at all.”

It should be noted that colossal security failures aren’t new for Experian, which in 2015 exposed the data of 15 million T-Mobile customers, including driver’s license and passport numbers.

Security Community Slams Experian

The security community isn’t holding back on its criticisms of Experian for the leaky API, which they said was concerning even if it was a single instance.

Saryu Nayyar, CEO at Gurucul, was downright incredulous about the revelation.

“Shame on you Experian!” Nayyar said. “The credit-score data exposed as well as risk factors can be very successfully used to socially engineer money from people’s accounts. This data is personal and highly sensitive — just the sort of data cybercriminals use to gain credibility and sound convincing in their tactics. And all this due to an insecure API?”

Tom Garruba, CISO for Shared Assessments, chalked it up to shoddy app development, and he added his own withering assessment of Experian’s software.

“If this isn’t an argument for more and better DevSecOps, then nothing is,” Garruba said. “The root cause of this issue is poor testing of the application’s overall security controls. This could have been prevented if the application designers would have designed, as part of their application development process, secure code development and thorough testing at each phase of the development lifecycle.”

APIs: A Growing Attack Vector

Garruba added that APIs are an obvious attack vector and should have been secured.

“Insecure APIs are one of the most common threat vectors used by bad actors to take advantage of poorly secured applications to get to data,” he added. “Such bad coding practices not only hurt everyone financially but can seriously erode the trust of the agencies that utilize the application and damage the reputation of the development firm.”

This should be a big, fat, flashing warning to every other company out there to lock down its APIs yesterday, if not sooner, researchers added.

“APIs are the lingua-franca for business integrations and a flaw in APIs is lethal,” Setu Kulkarni, vice president with White Hat Security told Threatpost. “If you are an organization looking to partner with other companies, API, web and mobile applications must be tested for security to avoid consequential loss due to security vulnerabilities on the part of a strategic partner.”

Indeed, Jack Mannino, CEO at nVisium, noted that this kind of issue isn’t unique to Experian.

“Many websites being launched for vaccine management and other public health services seem to struggle with the same issues,” he said. “Making systems accessible to the broader public using private data often has security tradeoffs and consequences. Stronger authentication and verification processes are required along with access controls and sane anti-automation defenses, in order to prevent these attacks.”
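As an added example (not code from the article, the lender, Experian or Demirkapi; every name, field layout and limit in it is an assumption), here is a minimal model of the pattern the article describes, including the all-zeros date-of-birth detail earlier on the page, beside a version that applies the controls Mannino lists: authentication, a check that the lookup is for the authenticated applicant, a non-public verifier, input validation and per-identity throttling. The upstream bureau API is replaced by a constructed stub so the code runs offline.

```python
from __future__ import annotations

import hmac
import re
import time
from datetime import date


# Constructed stand-in for the upstream bureau API. A real integration would
# call the bureau over an authenticated channel; this returns canned, made-up
# data so the example runs offline.
def bureau_query(name: str, address: str, dob: str) -> dict:
    return {"score": 742, "risk_factors": ["Too many consumer-finance company accounts"]}


# --- The anti-pattern described in the article ------------------------------
# Anyone who can reach the form can reach the bureau: no session, no check that
# the caller is asking about themselves, no input validation (a DOB of
# "0000-00-00" is forwarded as-is) and no throttle, so a loop in a command-line
# tool can enumerate scores using nothing but public identifiers.
def vulnerable_lookup(form: dict) -> dict:
    return bureau_query(form.get("name", ""), form.get("address", ""), form.get("dob", ""))


# --- Hardened version ---------------------------------------------------------
class LookupRejected(Exception):
    """Raised when a lookup fails one of the controls below."""


class RateLimiter:
    """Fixed-window counter keyed by authenticated identity (limits are assumptions)."""

    def __init__(self, limit: int = 5, window_s: int = 600) -> None:
        self.limit, self.window_s = limit, window_s
        self._hits: dict[str, list[float]] = {}

    def allow(self, key: str, now: float | None = None) -> bool:
        now = time.time() if now is None else now
        recent = [t for t in self._hits.get(key, []) if now - t < self.window_s]
        if len(recent) >= self.limit:
            self._hits[key] = recent
            return False
        recent.append(now)
        self._hits[key] = recent
        return True


DOB_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def valid_dob(dob: str, today: date | None = None) -> bool:
    """Reject placeholder and implausible dates so they never reach the bureau."""
    if not DOB_RE.match(dob):
        return False
    try:
        born = date.fromisoformat(dob)  # ValueError for 0000-00-00, 2021-13-40, ...
    except ValueError:
        return False
    today = today or date.today()
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    return 18 <= age <= 120


def hardened_lookup(form: dict, session: dict | None, limiter: RateLimiter,
                    now: float | None = None) -> dict:
    # 1. Authentication: only a verified, logged-in applicant may trigger a pull.
    if not session or not session.get("verified"):
        raise LookupRejected("authentication required")
    # 2. Authorization: the pull is for the authenticated applicant, not for
    #    whatever name was typed into the form.
    if form.get("name") != session.get("name"):
        raise LookupRejected("lookup must match the authenticated applicant")
    # 3. A non-public verifier on top of name/address/DOB (assumption: last four
    #    SSN digits recorded when the applicant's identity was verified).
    supplied = str(form.get("ssn_last4", "")).encode()
    expected = str(session.get("ssn_last4", "")).encode()
    if not hmac.compare_digest(supplied, expected):
        raise LookupRejected("verifier mismatch")
    # 4. Input validation: placeholder dates such as all zeros are refused here.
    if not valid_dob(str(form.get("dob", ""))):
        raise LookupRejected("invalid date of birth")
    # 5. Anti-automation: throttle per identity so a scripted loop stalls.
    if not limiter.allow(str(session["id"]), now):
        raise LookupRejected("rate limit exceeded")
    return bureau_query(form["name"], form["address"], form["dob"])
```

Two design points carry most of the weight: the throttle is keyed by the authenticated identity rather than by source IP, which a scripted caller can rotate, and validation happens before the upstream call, so placeholder values never count against the bureau quota or return data.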

  • Efrain on

    I heard that Experian and the other two are getting shut down for good by the government, which is very good to hear; I can't wait to see it happening.
  • Chrisanthia Darby on

    Thank you for this information! I notice my credit score is so incorrect. I have paid a 2000 loan down to 800 and have 2 wrong pieces of information removed, and no other credit put on my report, and other credit reports that no longer should be showing up anywhere in my credit because of the past 7 and 10 yr. time line. Which have my credit score on Credit Karma at 603, which is so incorrect; my credit score should be at 700 and not 603. FICO have millions of people's credit scores so messed up and causing millions of people to get ahead in life, and something really needs to be done about this ASAP. Thank you!
  • Heather on

    Why didn’t they tell us, and what are they gonna do to protect us? I had a bank employee steal my SS number from an account I opened at 18 and forgot, only to get notified 8 years later that they had someone using it and I had property in Virginia. See, as long as they use your right initials, your birthday doesn’t run with your SS number, I was told, so a guy was using mine. I’m a girl, so I hope they intend to protect immediately.
  • Anonymous on

    I am not a number.......I am a Free Man !....
  • Markita banks on

    This isn't acceptable. What does it really mean for Experian consumers? Hello.
  • Clara Hart on

    The BBB or Supreme Court should fine them to the fullest and shut them down. Give it to another company who cares about people & not about $. Experian's CEO info should be 1st on that list, then all that's involved next. Give them a taste of their medicine & don't leave out all their children's info too.
  • Melissa Baker on

    This is unacceptable and I demand that a lawsuit should be held against them for all Experian users.
  • Jorge sebourne on

    None of the bureaus have accurate information. I have been monitoring my credit and all 3 don't match my credit file. When accounts are paid off they still remain as open balances. Updates are well beyond the required time.
  • Shouldhaveknown on

    It is a damn shame
  • Maria on

    This is not the first time they put people in a stranglehold with our credit score ..... they will all be shut down soon for good!
  • Jennifer F Fife-luster on

    I have tried several times to have credit cards removed that have been closed for 10 years. Their information is wrong; it does not update correctly. You can't reach a live person. Nothing but wrong info and outdated information.
  • Willermine Brookins on

    Just for that blunder, everyone's scores should get an increase by 10-15 points. That would help rectify their mistake.
  • Victoria Ford on

    Experian has been charging my debit card $20 a month since Sept 2020? They told me I signed something allowing them to do so. I have NEVER signed up for any kind of service from them! They said well we can only refund you 1 month back and didn't care that I NEVER asked for or signed any documents. They sent me a letter saying my information was left online for everyone to see and since it was their mistake I was getting 1 free year of protection services from them. When I called them to ask what the letter meant they explained, then got more information from me, then started charging my account. I have still not received any refunds.
  • Jane on

    The entire credit & fico system is total BS. None of the 3, Experian, Equifax, & Transunion scores ever match. They each have different accounts on them & don’t update at the same time. Things happen in life that are out of our control & we are governed & punished by these credit/fico scores for years!!! It’s not right.
  • Linda Stratton on

    I paid off my mortgage and they lowered my credit score by 125 points and claimed the reason was because the account was closed. Who leaves a mortgage account open. I disputed it with them and nothing changed. This was Trans Union. When you call them you get foreigners answering the phone. What a joke!!!
  • George on

    Get rid of all 3 Credit Score entities. We are in the 21st Century. Start something new, logical, easy to track and dispute.
  • Brian brundage on

    I wonder how to protect assets. If I obtain anything in the computer world it can be hacked. I have investments getting jacked and feel like I have no control, just a backseat view. Is there any way to protect myself?
  • Alexandra P Matterson on

    What a shame. I cancel all my data now; why do I pay a fee? Wow, I'm blown away by this. Thank you for this article.
  • James Dolen on

    All three of the major credit rating agencies have been compromised big time. First they wait an unconscionable length of time before they even admit it, then try to convince the American people that the damage wasn’t really damage. When will Congress take action against these incompetent bunglers?
  • Anonymous on

    I have been trying to get my correct credit score this year but the 3 credit bureaus are ruining people's lives; someone needs to put them out of business for good.
  • chibolon on

    Horrible, and why is it that I pay to see my credit report? Building my credit. I was never told.
  • Plt on

    You're correct about the cavalier way in which data is handled at Experian, however, credit karma uses Vantage scores -- they are not computed in the same way as FICO scores. Apples to oranges comparison.
  • Shawna Little on

    I think they should just wipe the slate clean for everyone who needs it!!!
  • Cathy on

    I was part of their first breach and they paid for this software that was to notify me when my information was accessed, and it was 12 times, 12 hard inquiries I had to pay a company to fight to have removed. Some refused to remove and it has hurt my score since. I was gonna hire the company again since they only charge $150, unlike the law firm who was charging me $100 a month and taking their time at doing it.
  • Anonymous on

    Experian need to pull up their socks and do better. Personally, I don't take them seriously because they don't respond adequately to my disputes and they ask for too many documents for identification when one asks for a copy of his credit report. A company acquired my FICO score from Experian without my written consent.
  • Antoinette on

    They should bump all scores 31 pts
  • Anonymous on

    I just said this the other day. Experian is also the only score company that wants you to pay them for securing its information and also boosting your credit score; there's a small disclaimer when you open. It says if you want to protect information, you pay a monthly payment of $19.99 and higher. I think this issue should be investigated by a higher Federal office. Experian has the most inaccurate information in their system and it's not fair because it hurts people.
  • Gennaro on

    What they need to do now is put everyones credit at 700..
  • gigi on

    No wonder my info has been jacked.....and they are supposed to help
  • Aisha on

    I agree this is just a disaster for ppl building their credit back up.
  • Wanda Lewis on

    This is unacceptable seriously so now what are y'all gonna do for us?
  • CR on

    All, consider freezing or placing a fraud alert on your credit file. Experian and other Credit Unions are required to freeze or unfreeze your credit file at no charge. See: (https://www.consumer.ftc.gov/blog/2018/09/free-credit-freezes-are-here) Experian hides the process to do this deep in its website. I had to Google ‘free experian credit freeze.’ Understand that you will inhibit your own ability to get instant credit decisions if you place a free fraud alert or credit freeze, though it’s not hard to temporarily remove the freeze when you apply for credit etc. Experian makes it easy to “lock or unlock” (same thing as a freeze) your file if you pay them $24.95 / month. This latest hack and this price increase smacks of Experian, through its own incompetence, manufacturing demand and profiting from their ‘security services.’
