API Hole on Experian Partner Site Exposes Credit Scores

Student researcher is concerned security gap may exist on many other sites.

A student and security researcher recently informed credit-reporting bureau Experian about a vulnerability on a partner website that lets anyone look up credit scores with only a name and mailing address.
KrebsOnSecurity is reporting the incident after receiving the tip from Rochester Institute of Technology sophomore Bill Demirkapi. The student says he discovered the leak when looking online for information on student loan vendors.
One of the lender sites offered to check his loan eligibility by entering his name, address and date of birth, Demirkapi says. He eventually discovered the code behind a page was using an application programming interface (API) that could be accessed directly without any sort of authentication. He made this discovery by entering all zeros in the “date of birth” field, which let him then pull up a person’s credit score.
Demirkapi says he alerted Experian but did not provide the name of the lender or the website where he made his discovery because he was concerned the weakness existed on similar lending sites. KrebsOnSecurity reports Experian appears to have figured out on its own which lender was exposing the API. API access appears to be disabled now.
The full report can be found
here.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
API Hole on Experian Partner Site Exposes Credit Scores