It didn’t seem possible, but Equifax may have screwed the pooch even harder than previously thought.
Several months before the devastating data breach, which compromised the personal data of more than 145 million Americans, the company was apparently warned about a vulnerability in its public-facing infrastructure that would allow virtually anyone to view the data. It reportedly took no action. The vulnerability was eventually patched, but only after the data was stolen. Equifax then waited an additional 41 days after discovering the problem to inform the public.
This new information was first reported on Thursday by Motherboard, which spoke to the security researcher who discovered the vulnerability and reviewed evidence of their find. The revelation raises new questions about the breadth of the exposure, the site says, and further suggests that more than one hacking group may have acquired access to the data.
The researcher requested anonymity to discuss the matter and Gizmodo has not independently confirmed the findings. After discovering the vulnerable Equifax website, Motherboard reports, the researcher realized that it provided access to the personal data of millions upon millions of Americans—names, dates of birth, social security numbers, and more.
“All you had to do was put in a search term and get millions of results, just instantly—in cleartext, through a web app,” the researcher reportedly said.
This is dummy text. It is not meant to be read. Accordingly, it is difficult to figure out when to end it. But then, this is dummy text. It is not meant to be read. Period.