In the wake of last week’s announcement that Russian hackers had obtained 1.2 billion user IDs with passwords, the FTC issued some guidance that included changing our passwords. But while people may change their passwords to their own accounts, will they think to change passwords to databases that don’t hold their data, but others’ personal information? I’m not sure they will.
DataBreaches.net reached out to the three big credit-reporting brokers to inquire as to whether the announcement had resulted in any changes for them.
Because Experian has experienced over 100 data breaches involving its credit report databases due to client login credentials being misused to gain access, it seems possible that at least some login credentials were among the username/password combinations acquired by hackers. So has anything changed in Experian’s client login authentication or have they forced a password reset for clients?
In response to my query, Experian sent the following statement:
We are monitoring very closely and there is no indication or evidence that our systems have been impacted.
Okay, I understand that forcing a password reset for numerous clients can be headache-inducing, but I hope that firms that have access to credit reporting databases do think to change their passwords. After all, it’s our data in the credit report databases that’s at risk.
Neither Equifax nor TransUnion responded to DataBreaches.net’s inquiry as of the time of this posting.
Given the fact that credit bureau files are extremely damaging when breached, I’d think a password reset might be in order for all of the Big Three. Add to that the fact that Experian has a long string of credentials-related data breaches, and I would hope they act first.
This is an important angle I have not seen discussed elsewhere. Good thoughts. Let’s get a discussion rolling.