Experian is known for having serious security flaws. Not only did they allow huge data breaches in the past, they also haven’t addressed a dangerous account vulnerability that allows bad actors to change the email address tied to any account with a few key bits of information. This can be extremely dangerous because once someone has signed into your account, they can unfreeze your credit with the click of a button; no further info is required. If you’re one of the unlucky ones who have had their Experian account email changed, don’t worry, we’ve got you. Follow these steps to recover your account. But first, here’s how to tell if your account has been compromised in the first place.
Is Your Account Compromised?
If you’ve been a victim of identity theft, there’s a good chance your attackers will try to compromise your Experian account. (And I mean specifically your Experian account, due to the vulnerabilities noted above.) It’s incredibly important to monitor your Experian account, since it’s shockingly easy to unfreeze your credit once an attacker has gained control. To find out whether your account is compromised, go to experian.com and click the “Sign In” link at the top right corner of your screen. From there, follow the “Forgot Username” link. You’ll be asked to input some info like your SSN and date of birth. Once you’ve submitted this form, it will show you the redacted email address your username was sent to. If you don’t recognize this email, OR you never receive an email from Experian with your username, your account may have been compromised. Here’s what to do.
Use The Exact Same Exploit Your Attacker Used
The one good thing about Experian’s crappy online security is that it’s just as easy for you to take control of your account as it was for the hacker. You can just use the same security exploit the identity thief used. Their big security issue is that Experian allows anyone to create an online account in your name if they have the right info. So that’s what we’ll do: go to Experian’s website and follow the big link on their homepage that says “Get Started.” This may seem weird if you already have an account, but it works. It will let you regain access to your account without knowing your password or PIN. Once you follow the link, you’ll be given a couple of random questions about your past. They pull these questions directly from your credit report, so they have to do with borrowing you’ve done, or often past employment. For example, if you’ve taken out a loan for a car, they may ask you which bank you took the car loan out from. Once you answer these questions, you’ll get access to your account.


Protecting Your Account
That was easy. Too easy, unfortunately. Theoretically, your identity thief can go through these same steps again to regain access. The security questions, which are meant to keep out anyone who isn’t you, may work. But they also may not if the attacker is persistent. Plus, things like employment history are searchable online if they’ve found your LinkedIn or other online profiles.
So this raises the question: how do you keep your attacker out, since they can theoretically just re-hijack your account?
If You Get This Email: Sound The Alarms
The answer is boring and not foolproof. That’s because technically you can’t keep them out of your account. At least not until Experian addresses this exploit. It’s extremely frustrating, but there is one thing you can do to try to keep control of your account. Look out for an email from Experian with the subject “Notification: Change of email address notification.” This is your canary in the coal mine that someone has hijacked your account. When you get this email, it’s time to follow the above steps to regain control of your account and re-freeze your credit if necessary. Regularly double-checking that your credit is still frozen is key. Your credit being unfrozen with even one of the credit agencies can be dangerous.
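One way to automate that watch, as an added example that is not from Experian or the original article: a Python check that parses exported mail messages and flags any whose subject contains the alert text, including folded or encoded subject headers. The sample messages, addresses, dates and function names are constructed for illustration; only the subject string comes from the text above.

```python
import email
from email import policy

# Subject line quoted in the article; everything else below is constructed.
ALERT_SUBJECT = "Notification: Change of email address notification"

def normalize(subject):
    # Collapse whitespace left by header folding and ignore case differences.
    return " ".join(str(subject or "").split()).casefold()

def find_alerts(raw_messages):
    """Return (ISO date, sender) for every message carrying the alert subject."""
    hits = []
    for raw in raw_messages:
        # policy.default unfolds headers and decodes RFC 2047 encoded words.
        msg = email.message_from_bytes(raw, policy=policy.default)
        if normalize(ALERT_SUBJECT) in normalize(msg["Subject"]):
            hits.append((msg["Date"].datetime.isoformat(), str(msg["From"])))
    return hits

# Constructed sample mailbox: a folded subject, an encoded upper-case subject,
# and an unrelated message that must not be flagged.
SAMPLE_MESSAGES = [
    b"From: alerts@example.com\r\nDate: 03 Mar 2025 14:05:00 +0000\r\n"
    b"Subject: Notification: Change of email address\r\n notification\r\n\r\nbody\r\n",
    b"From: alerts@example.com\r\nDate: 09 Mar 2025 08:30:00 +0000\r\n"
    b"Subject: =?UTF-8?Q?NOTIFICATION=3A_Change_of_email_address_notification?="
    b"\r\n\r\nbody\r\n",
    b"From: news@example.com\r\nDate: 10 Mar 2025 09:00:00 +0000\r\n"
    b"Subject: Your monthly credit report is ready\r\n\r\nbody\r\n",
]

if __name__ == "__main__":
    for when, sender in find_alerts(SAMPLE_MESSAGES):
        print(f"ALERT: email-change notice dated {when} from {sender}")
```

A subject match only tells you the notice arrived; confirm the change by signing in at experian.com directly rather than through any link in the message.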


Are You Safe If You’re Still Frozen With TransUnion and Equifax?
So you’ve frozen your credit at all 3 agencies, but a fraudster was still able to unfreeze your credit with Experian. Are you still safe? The answer is no. Absolutely not. You need your credit frozen at all three big credit agencies to be fully protected. The catch here is that certain lenders use certain agencies to decide who gets a loan. For example, if a lender only uses Experian to vet their potential customers, then they may never even see that your credit is frozen elsewhere if your Experian credit isn’t frozen. This means an identity thief could unfreeze your Experian credit and take out a loan in your name with a lender who only uses Experian. Granted, most reputable lenders pull your credit from multiple agencies, but that doesn’t mean there aren’t still some shady lenders out there who aren’t willing to put in the work before they dish out a loan.
Is A “Credit Lock” Worth It?
Being on the phone with a credit agency is the worst. They are usually much less concerned about the security of your identity than they are with selling you their services. One of these services is often some form of a “credit lock.” They claim their “credit lock” will protect you from identity thieves. Are these services worth it? Before we answer that, let’s recap the difference between a “credit lock” and a “credit freeze.” With a credit freeze, the credit agency (whether it be Experian, Equifax, or TransUnion) will not allow a loan to be taken out in your name whatsoever. This service is provided for free. On the other hand, a credit lock is a very similar service with a few bonus perks such as “monthly privacy scans.” The caveat, of course, is that there’s a monthly fee. Honestly, if you freeze your credit and monitor your emails, we really don’t think it’s worth the extra money.
What Can You Do For Damage Control?
In more cases than not, you’re discovering your identity was stolen after it’s too late. The fact is, most people don’t bother monitoring their credit as closely as they should. If somebody has racked up a bunch of debt in your name and destroyed your credit, there is help. The main solution is IdentityTheft.gov, a governmental agency to assist with the damage identity theft can cause. They can provide certain things a private company can’t, so we recommend this one first. On that note, it is extremely important to file a police report as soon as possible. You’ll need the police report when you go to remove late payments from your report.
Final Thoughts
Monitoring your Experian account is a hassle. Honestly, it’s probably the last thing you want to do when you’re dealing with identity theft. It can set your progress back. But all hope is not lost if your account is taken by a fraudster. You can get it back just as easily as they were able to steal it. However, the real hope is that Experian steps up their security game and fixes this exploit. Fingers crossed.