date 2011-10-18

The (since fixed) bug would allow anyone who knew a person's name, address, social security number, and date of birth to have a PIN code sent to an email address of the attacker's choosing. Recovery questions designed to prevent account theft could be circumvented by setting all answers to "none of the above."

"The form required an email address, which didn't necessarily have to be the one associated with the person's Experian account," Nerdwallet explained.

"Answering 'none of the above' to the security questions — even if some of the proffered answers were correct — gave access to that person's PIN."

Armed with that PIN, the attacker would then be able to lift the credit freeze and apply to open new accounts in the victim's name. This is particularly bad in the case of Experian, as one of the main reasons for setting up a credit freeze is to limit the damage from a leak of precisely the private information – social security number and date of birth – that was used to retrieve the PIN.
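To make the two failure modes concrete, here is an added illustrative model in Python (constructed for this note; it is not Experian's or Nerdwallet's code): a PIN-recovery check that treats "none of the above" as a wildcard and mails the PIN to whatever address the requester supplies, beside a version that compares each answer with the stored choice and delivers only to the address on file. The account record, question names and email addresses are constructed sample data.

```python
"""Constructed model of the PIN-recovery logic flaws described above (not Experian's code)."""
from dataclasses import dataclass

NONE_OF_THE_ABOVE = "none of the above"


@dataclass
class Account:
    email: str             # address on file for the account
    kba_answers: dict      # question id -> correct multiple-choice answer


# Constructed sample account; "lender" is a question whose correct answer
# genuinely is "none of the above", so the fixed check must still accept it.
ACCOUNT = Account(email="owner@example.com",
                  kba_answers={"street": "Elm St", "lender": NONE_OF_THE_ABOVE})


def verify_answers_flawed(account: Account, answers: dict) -> bool:
    # Flaw 1: "none of the above" is skipped instead of compared, so it passes
    # every question even when one of the offered choices was the real answer.
    for question, chosen in answers.items():
        if chosen == NONE_OF_THE_ABOVE:
            continue
        if account.kba_answers.get(question) != chosen:
            return False
    return True


def verify_answers_fixed(account: Account, answers: dict) -> bool:
    # Every question on file must be answered, and each answer must equal the
    # stored choice; "none of the above" is correct only where it is stored.
    if set(answers) != set(account.kba_answers):
        return False
    return all(account.kba_answers[q] == chosen for q, chosen in answers.items())


def pin_delivery_flawed(account: Account, answers: dict, requested_email: str):
    # Flaw 2: the PIN goes to whichever address the requester typed in.
    return requested_email if verify_answers_flawed(account, answers) else None


def pin_delivery_fixed(account: Account, answers: dict, requested_email: str):
    # Deliver only to the address on file, and only after the strict check.
    if requested_email.strip().lower() != account.email.lower():
        return None
    return account.email if verify_answers_fixed(account, answers) else None


if __name__ == "__main__":
    wildcard = {"street": NONE_OF_THE_ABOVE, "lender": NONE_OF_THE_ABOVE}
    print("flawed:", pin_delivery_flawed(ACCOUNT, wildcard, "attacker@example.net"))
    print("fixed: ", pin_delivery_fixed(ACCOUNT, wildcard, "attacker@example.net"))
```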

[...] Though there is no indication that the flaw was ever actively abused, the findings will no doubt cause discomfort for the millions of people who have had to freeze their credit in recent years due to data breaches, including one at Experian in 2015 that involved the records of 15 million T-Mobile US customers.