Researcher Claims Equifax Systems Contained Second Breach-Vulnerable Flaw


Could Equifax have suffered a second data breach on top of the massive hack that exposed the personal information of more than 145.5 million consumers? It's possible, according to a security researcher who claims to have found a second, separate vulnerability in the company's systems.

Motherboard reports that in late 2016, a security researcher tipped off Equifax to a security flaw after finding a webpage that could have allowed anyone to access the personal information of consumers.

According to the researcher, just a few hours after he began looking at Equifax's servers and websites he found a page that exposed consumers' Social Security numbers, full names, birthdates, and city and state of residence.

A webpage on Equifax’s system appeared to be a portal for employees, but was actually available to anyone on the internet, Motherboard reports.

The researcher said the page contained a number of search boxes that would return the personal data of Equifax consumers to anyone who queried them.

The flaw is what is known as a "forced browsing" bug: the page was not linked from anywhere public, but the server handed it to anyone who reached its URL, because it never checked whether the visitor was logged in. Motherboard, which reviewed the data, notes that the bug allowed the researcher to compile several lists of consumers' personal information.

“All you had to do was put in a search term and get millions of results, just instantly — in cleartext, through a web app,” the researcher said.
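The flaw the researcher describes is a missing access-control check on a page that was "internal" only because nothing linked to it. The following is an added example, not code from the article or from Equifax's systems, that sketches the pattern in Python: a constructed search endpoint served with no login check at all, beside a hardened dispatcher that requires an authenticated session with the right role and masks Social Security numbers in what it returns, plus a small probe that requests each path with no credentials, which is the forced-browsing check a researcher and a defender would both run. Every route, token, role and record here is invented for illustration.

```python
"""Constructed illustration of a forced-browsing flaw and its fix.
Nothing here is Equifax code; routes, tokens, roles and records are made up."""
from dataclasses import dataclass, field

# Constructed sample records; not real people.
RECORDS = [
    {"name": "Alice Example", "ssn": "000-00-0001", "dob": "1980-01-01",
     "city": "Atlanta", "state": "GA"},
    {"name": "Bob Sample", "ssn": "000-00-0002", "dob": "1975-05-05",
     "city": "Austin", "state": "TX"},
]

# Hypothetical session store: bearer token -> (username, role).
SESSIONS = {
    "tok-employee-1": ("jdoe", "employee"),
    "tok-contractor-1": ("ext", "contractor"),
}

PROBE_PATHS = ["/internal/search", "/public/status", "/admin"]


@dataclass
class Request:
    path: str
    params: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: object = None


def search(query):
    """Substring match on name; an empty query returns every record,
    which is how 'millions of results, just instantly' happens."""
    q = query.lower()
    return [r for r in RECORDS if q in r["name"].lower()]


def mask_ssn(ssn):
    """Data minimisation: even authorised users rarely need the full SSN."""
    return "***-**-" + ssn[-4:]


# --- Vulnerable: "internal" by obscurity only ------------------------------
VULN_ROUTES = {
    "/internal/search": lambda req: Response(200, search(req.params.get("q", ""))),
}


def vulnerable_app(req):
    handler = VULN_ROUTES.get(req.path)
    if handler is None:
        return Response(404)
    return handler(req)  # no authentication or authorisation check at all


# --- Hardened: every route declares the role it needs; the dispatcher enforces it
def current_principal(req):
    return SESSIONS.get(req.headers.get("Authorization", ""))


HARDENED_ROUTES = {
    # path -> (required role or None for public, handler)
    "/internal/search": ("employee", lambda req: Response(
        200, [dict(r, ssn=mask_ssn(r["ssn"])) for r in search(req.params.get("q", ""))])),
    "/public/status": (None, lambda req: Response(200, "ok")),
}


def hardened_app(req):
    entry = HARDENED_ROUTES.get(req.path)
    if entry is None:
        return Response(404)
    required_role, handler = entry
    if required_role is not None:
        principal = current_principal(req)
        if principal is None:
            return Response(401)  # not logged in
        if principal[1] != required_role:
            return Response(403)  # logged in, wrong role
    return handler(req)


def unprotected_routes(routes):
    """Audit helper: routes in the hardened table that declare no role."""
    return sorted(path for path, (role, _) in routes.items() if role is None)


def unauthenticated_exposure(app, paths):
    """Forced-browsing probe: hit each path with no credentials and report
    the ones that serve content instead of 401/403/404."""
    return [p for p in paths if app(Request(p, {"q": ""})).status == 200]


if __name__ == "__main__":
    print("vulnerable app exposes:", unauthenticated_exposure(vulnerable_app, PROBE_PATHS))
    print("hardened app exposes:", unauthenticated_exposure(hardened_app, PROBE_PATHS))
```

The probe is the same check from both sides: a researcher runs it against a wordlist of likely paths, and a defender runs it in CI against every route the application registers, failing the build when a path that should require a role answers 200 to an anonymous request. The audit helper catches the other failure mode, a route that was simply never given a role requirement.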

In addition to the flaw that exposed consumers' personal data, the researcher says he was able to take control of several Equifax servers and found several other, smaller bugs.

The discoveries, which occurred in December, were quickly reported to Equifax, the researcher tells Motherboard.

“It should’ve been fixed the moment it was found,” the researcher says, noting that the site remained up until June when Equifax finally took it down.

This particular vulnerability hasn't been tied to the massive data breach that Equifax suffered over several months this year; that hack was the result of a vulnerability in the Apache Struts software used in the company's consumer disputes portal. But it shows that there was more than one way for attackers to reach the company's data.

It also further illustrates that Equifax was not prepared to handle a breach or keep consumers’ data secure.

Equifax declined to provide comment to Motherboard on the issue, noting that, “as a matter of policy, Equifax does not comment publicly on internal security operations.”

Consumerist has reached out to the company for comment; we'll update this post if we hear back.