An Experian product that allows organizations to verify customers’ identity could be exploited to expose partial Social Security numbers, a researcher found by testing several organizations that use the product.
The researcher, who asked to be identified only by the online handle Lucky225, first detailed the security issue in a September Medium post after finding it while trying to register with the Pacific Gas and Electric Company. Lucky225 contacted CyberScoop after identifying three additional clients using the same function: two healthcare companies and a state health agency’s vaccination verification system.
The problem with making it easy for bad actors to access a partial SSN is that those four digits provide a gateway for attackers to take over other services and devices.
“It is essentially the same as having your password,” Lucky225 explained.