Keep an eye on your Experian accounts: Some profiles hijacked using personal info
Experian customers are reportedly at risk of having their accounts hijacked by fraudsters who only need a victim's personal information and a different email address to recreate an account in their name.
Infosec blogger Brian Krebs wrote in a column Monday that over the past month he was contacted by two readers who said their accounts at the consumer credit bureau had been compromised, and assigned new email addresses, despite using strong passwords for those accounts. Their account information, such as its PIN and secret question-answer pair, were also changed.
It appears it is possible to convince Experian to recreate someone's account, with a new email address, using that person's personal details, such as a social security number that may have leaked, and public records. At that point, the account password can be set by the miscreant, and subsequent requests to reset the password by the real owner to take back control will be sent to an email address they don't have access to.