The site looked like a portal made only for employees, but was completely exposed to anyone on the internet. It displayed several search fields, and anyone—with no authentication whatsoever—could force the site to display the personal data of Equifax's customers, according to the researcher. Motherboard saw multiple sets of the data they were able to access.

"I didn't have to do anything fancy," the researcher told Motherboard, explaining that the site was vulnerable to a basic "forced browsing" bug. The researcher requested anonymity out of professional concerns.
"All you had to do was put in a search term and get millions of results, just instantly—in cleartext, through a web app."
While probing Equifax servers and sites, the researcher said that they were also able to take control—or get shell access, as hackers refer to it—of several Equifax servers, and found several others vulnerable to simple bugs such as SQL injection, a common, basic way of attacking sites. Many servers were running outdated software. According to one analysis performed in early September, Equifax had thousands of servers exposed on the internet, indicating both massive sprawl and loose control of its infrastructure, which increased the company's attack surface.

After discovering all these issues in December, the researcher said they immediately reported them to the company.

"It should've been fixed the moment it was found. It would have taken them five minutes, they could've just taken the site down," they told me. "In this case it was just 'please take this site down, make it not public.' That's all they needed to do."
The researcher's findings, in other words, showed there were multiple ways into Equifax's networks. Months later, the hackers, who stole the records of 145.5 million Americans and 700,000 Brits, exploited more than 30 different servers, according to Bloomberg. Considering all the bugs and vulnerabilities they identified, the anonymous security researcher is convinced Equifax wasn't just hacked by one group of attackers.

"If it took me three hours to find that website, I definitely think I'm not the only one who found it," they said. "It wasn't just one breach. It was maybe dozens."

Equifax declined to answer any specific questions about the researcher's findings. "As a matter of policy, Equifax does not comment publicly on internal security operations," the company told me in a statement.
"Nobody took that security audit seriously," the former cybersecurity team employee told me. "Every time there was a discussion about doing something, we had a tough time to get management to understand what we were even asking."

When I asked a current employee on the cybersecurity team to confirm this fact, they replied that they weren't sure about Deloitte specifically because Equifax brings in security consultants regularly. A Deloitte spokesperson declined to comment, saying "confidentiality prohibits us from confirming or discussing client engagements."
"Given the amount of data they have access to and the sensitivity of it, security isn't at the forefront of everybody's mind, not how it should be."