Months prior to its catastrophic data breach, a security researcher alerted Equifax that it was exposed to the kind of attack that later compromised the personal data of more than 145 million Americans, News has learned. Six months after the researcher first reported the vulnerability to the company, Equifax patched it, but only after the large breach that made headlines had already taken place, according to Equifax’s own timeline.
Late last year, a security researcher began looking into some of the servers and websites that Equifax had on the internet. In just a few hours of looking at the company’s public-facing infrastructure, the researcher couldn’t believe what they had discovered. One particular website allowed them to access the personal data of every American, including Social Security numbers, full names, birthdates, and city and state of residence, the researcher told News.
The site looked like a portal made only for employees, but it was completely exposed to anyone on the internet. It displayed several search fields, and anyone, with no authentication whatsoever, could force the site to display the personal data of Equifax’s customers, according to the researcher. News saw multiple sets of the data they were able to access.
“I didn’t have to do anything fancy,” the researcher told News, explaining that the site was vulnerable to a basic “forced browsing” bug. The researcher asked for anonymity out of professional concerns.