Earlier today we revealed how hackers had managed to publish the credit reports and personal information of a number of public figures on a newly-created website.
Victims include celebrities such as Beyoncé Knowles, Ashton Kutcher, Paris Hilton and Britney Spears – as well as public figures such as US Vice President Joe Biden, Hillary Clinton and Michelle Obama.
In that earlier article I wrote:
The nature of the content - names, social security numbers, previous addresses, dates of birth, etc - suggests that a credit agency might have been compromised in some fashion. Whether an agency was actually hacked, compromised in some other fashion, or whether an insider within the organization leaked the data, is impossible to say at this point.
Well, now some of the United States’ top credit bureaus have come forward and acknowledged that fraudulent and unauthorized access to the records of well-known figures has taken place.
According to Bloomberg, Equifax Inc and TransUnion Corp have confirmed that sensitive, personal-identifying information about celebrities and public figures has been taken from their systems.
Bloomberg goes on to say that a third credit reporting agency, Experian, is investigating whether any of its data was compromised.
What’s clear, however, is that the details belonging to Paris Hilton that were posted on the website do appear to have originated from the firm.
The three companies jointly run a website – annualcreditreport.com – which is designed to give users free access to their own credit reports.
Some of the information posted on the hackers’ website (which we have chosen not to name) references annualcreditreport.com, suggesting that hackers might have found a way to exploit the online portal to scoop up sensitive information.
Many questions remain as to whether this was a straightforward hack, or if the hackers were able to gain unauthorised access to the data via other means.
One possibility is that the hackers were able to scoop information up off the net about particular individual public figures, and then use that to successfully impersonate their targets and access credit histories.
I think we can all feel confident that the authorities will be keen to identify those responsible for the security breach as soon as possible – especially as those exposed include the head of the Los Angeles police force Charlie Beck and FBI Director Robert Mueller.
Naked Security has chosen not to publish the name of the website which has published the personal information of the public figures, as it is currently still available, and has redacted the images above.
Hacking is really getting out of control. We need a programmer that can come up with a foolproof program to defeat them, and I mean FOOLPROOF.
I'm a little surprised anyone is doing anything about this. No one is liable and certainly not accountable for any of the information held by credit bureaus. The hackers could have put the details of the people behind the curtains (assuming humans work there) if they wanted to be interesting. Waste of a hack imho.
BTW – these are places that let you create an account and password, but never let you delete it. It was my first experience with this sort of permanent account. I only set up one, and it will exist as long as computers do, but I will never do another again until I'm forced to by something I need, like health insurance or a driver's license.
When I view this page without enabling Javascript, I see a comment from Scott. When I enable everything except social media through NoScript, it says I'm posting the first comment. That's weird.
Anyway, part of me wishes they would just leak everyone's social security numbers and get it over with. They were never intended to be identification numbers for anything other than social security. Everyone I have ever worked for had a legal right to know mine (and at least one of them is hopefully in jail by now). Knowing someone's social security number should never have been considered proof of identity, and when every last one of them is public, the lenders will have to stop treating them as such.
I'm sorry, they didn't just steal celebrities. They stole maybe everyone. So, what good is it that Equifax is a one way access to your credentials, forget privacy, they have been hacked, and I have been spammed.
I'll explain: I have my own domain, (not disclosed) and as such, I create unique emails when I give out or register on a site. Later authenticated. I've noticed since March a wealth of emails being sent to me at two accounts set up and only known to Equifax.
equifax at my domain
equifax-db at my domain
Since March, I am getting duplicate emails (one to each unique email) for SmartLash, Discounted Windows, Background Check Alert, etc. That was just today. Been happening since at least March!!
Equifax should disclose that they've given out your emails; and most likely, also given out your personal/confidential information. Worse, they are the keepers of personal financial confidential information. The damage is not reversible. Way to go Equifax
Of course for me to get a copy of my own information I need to authenticate myself. When Equifax, by their carelessness, gives out that same confidential information to hackers/spammers.
Personal accounts should be protected from hackers.