Back

A Boston news station recently interviewed a local man who had his Experian account hijacked after he'd frozen his credit with the big three consumer reporting bureaus. It's unbelievable that Experian still hasn't done jack about this problem that I've written about ad nauseum for years now. (try to ignore the many typos and grammar errors in this story).

https://www.boston25news.com/news/local/25-investigates-sutton-man-turned-credit-bureau-credit-protection-it-led-identity-theft/4LQOGEXFTBE5DJUIROK23E32IU/

Experian's system will allow anyone to assume control over your credit file and freeze merely by re-registering as you using your name, SSN, DoB but a different email address than the one on file. Experian has no problem approving that request, and instead of seeking approval from the existing email address and or phone number, they just say okay. Thieves can then unlock your credit, pull your file, apply for credit, etc. But they will send an automated email to the legitimate account holder's email, saying the account's email address has been changed. No "this wasn't me" option, no asking for approval. Nope. They just say hi we changed your email. Have a nice day!

Experian's response to the Boston news outlet is particularly infuriating, because they're basically saying the system operated as designed. Nevermind that the system is batshit crazy from a security in 2025 perspective.

"A spokesperson told us their protocols worked since Deyoe got that notification when his account was changed. In a written statement Experian said “Protecting consumers’ identities is among our highest priorities. We believe this is an incident of fraud using stolen consumer information.”

Past coverage of this:

https://krebsonsecurity.com/2022/07/experian-you-have-some-explaining-to-do/

https://krebsonsecurity.com/2023/11/its-still-easy-for-anyone-to-become-you-at-experian/