And the hits just keep coming for Equifax, the once-trusted credit-monitoring firm that has been embroiled in one of the biggest corporate public-relations disasters in recent memory since disclosing that hackers had penetrated its cyber security defenses and absconded with sensitive personal and financial data belonging to 143 million Americans. Because of the types of data that were stolen, including drivers’ license, social security and credit-card numbers, experts have described the hack as possibly the most damaging corporate hack yet.
As if this weren’t enough to permanently sully the firm’s reputation (amid cries of “you had one job!”) – the staggering irony of a credit monitoring firm inadvertently divulging the sensitive information that it was supposed to safeguard hasn’t been lost on consumers) a series of subsequent disclosures have portrayed the firm’s executives as bungling, at best, and nefarious, at worst.
In the nearly two weeks since the story broke…
When Equifax first set up a website to allow consumers to check whether their information was compromised, it carried a waiver stating that by using the service consumers would forfeit the right to sue Equifax. The internet quickly exploded in outrage, and the company quickly clarified that the waiver didn’t apply to this hacking incident, which…sure. Now, The Verge, The New York Times, and a handful of other media outlets are reporting that Equifax accidentally tweeted the link to an impostor website set up by a white-hat hacker hoping to expose glaring errors that the firm had made in setting up its verification website. This happened not once, but three times. And in at least one instance, the tweet with the phony link was left up for a whole day.
Here’s The Verge:
“Today, Equifax ended up creating that exact situation on Twitter. In a tweet to a potential victim, the credit bureau linked to securityequifax2017.com, instead of equifaxsecurity2017.com. It was an easy mistake to make, but the result sent the user to a site with no connection to Equifax itself. Equifax deleted the tweet shortly after this article was published, but it remained live for nearly 24 hours.”
Luckily for consumers, the fake site wasn’t malicious. Instead, it was set up by developer Nick Sweeting to try and expose the glaring security vulnerabilities that the company had embedded in its recovery website, which it set up as a separate domain, rather than making it a subdomain of Equifax’s main website.
“Luckily, the alternate URL Equifax sent the victim to isn’t malicious. Full-stack developer Nick Sweeting set up the misspelled phishing site in order to expose vulnerabilities that existed in Equifax’s response page. “I made the site because Equifax made a huge mistake by using a domain that doesn’t have any trust attached to it [as opposed to hosting it on equifax.com],” Sweeting tells The Verge. “It makes it ridiculously easy for scammers to come in and build clones — they can buy up dozens of domains, and typo-squat to get people to type in their info.”
Sweeting says no data will leave his page and that he “removed any risk of leaking data via network requests by redirecting them back to the user’s own computer,” so hopefully data entered on his site is relatively safe. Still, Equifax’s team linked out to his page. That isn’t reassuring.”
Not only did they tweet the wrong link, they tweeted it 3 times. #Equihax pic.twitter.com/T8jrhSfhqw
— Nick Sweeting