10 Cybersec Takeaways From Experian Credit Score Leak

In 2021, Experian had an API that exposed the credit scores of countless Americans. Threat actors only needed little public information to get someone’s FICO score, and it’s not the first time a breach of this magnitude has happened. So, what takeaways can we get from the Experian credit score leak?

The Experian credit score leak taught us APIs are inherently insecure, paving the way for developers to be more careful. At the same time, it showed users how creative hackers can be with little information and how valuable data is, especially if it falls into the hands of the wrong people.

A data breach is never good news, though it’s difficult to wrap your head around when the leak comes from a large company. It’s even worse when something like this happens to the same business more than once. Understanding what Experian does shows how terrible the leak was.

What’s Experian?

Experian is a data collection company dedicated to consumer credit reporting. It has information on more than 200 million Americans and a billion people worldwide. They’re also well-known for having suffered multiple leaks in recent years.

Experian belongs to the big three reporting companies, alongside Equifax and TransUnion. Two of the big three had suffered one catastrophic data leak in the past – with TransUnion being the exception.

In 2021, Experian suffered its third data breach in less than a decade.

What’s the 2021 Experian Credit Score Leak?

Experian used an API to allow certain companies and vendors to check FICO scores. A vendor only needed a handful of public details (e.g., name and address) to check someone’s score. That allowed threat actors to gather information on countless people.

That costly mistake ended with the exposed credit scores of countless Americans. It’s difficult to put into words or numbers how much damage that caused.

Threat actors walked away with an unknown number of credit scores, meaning criminal organizations may have a database of people they can target.

How Did the Experian Leak Happen?

Experian used an API to automate the information-gathering process certain vendors had to go through. Companies needed a quick and easy way to see if they could approve clients to get a loan, and Experian provided them with a rather insecure way of doing so.

Companies had to provide the API with basic information to receive a user’s credit score. However, they didn’t need to log in or get an authorization level to do so. In other words, anyone who had access to that public API could get someone’s credit score.

That’s how threat actors took advantage of it.
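The contrast between the exposed design described above and a minimally hardened one, as an added illustration that is not Experian's code: the vendor ids, keys, purpose names, names, addresses and scores are constructed, and the hardened design (vendor credential, approved purpose, per-vendor rate limit, audit log) is an assumed one, not Experian's actual fix.

```python
import hashlib
import hmac
import time
from collections import defaultdict

# Constructed sample records: fictitious names, addresses and scores.
SCORES = {("jane doe", "1 main st"): 710, ("john roe", "2 oak ave"): 590}

def lookup_score_unauthenticated(name, address):
    """The pattern the article describes: public details are the only
    inputs, so anyone who can reach the endpoint can pull a score."""
    return SCORES.get((name.lower(), address.lower()))

# Hardened pattern (assumed design, not Experian's real fix): the caller
# must hold a vendor credential, be approved for the stated purpose, and
# stay under a per-vendor rate limit; every decision goes to an audit log.
VENDOR_KEY_HASHES = {"lender-42": hashlib.sha256(b"example-key-42").hexdigest()}
APPROVED_PURPOSES = {"lender-42": {"loan_underwriting"}}
RATE_LIMIT = 5                  # requests per vendor per window
WINDOW_SECONDS = 60
_requests = defaultdict(list)   # vendor_id -> recent request timestamps
AUDIT = []                      # (timestamp, vendor_id, outcome)

def lookup_score(name, address, vendor_id, api_key, purpose, now=None):
    """Return ("ok", score) or ("denied", reason)."""
    now = time.time() if now is None else now
    expected = VENDOR_KEY_HASHES.get(vendor_id, "")
    presented = hashlib.sha256(api_key.encode()).hexdigest()
    # Constant-time comparison so a wrong key cannot be guessed byte by byte.
    if not expected or not hmac.compare_digest(expected, presented):
        AUDIT.append((now, vendor_id, "auth_failed"))
        return ("denied", "auth_failed")
    if purpose not in APPROVED_PURPOSES.get(vendor_id, set()):
        AUDIT.append((now, vendor_id, "purpose_denied"))
        return ("denied", "purpose_denied")
    recent = [t for t in _requests[vendor_id] if now - t < WINDOW_SECONDS]
    if len(recent) >= RATE_LIMIT:
        AUDIT.append((now, vendor_id, "rate_limited"))
        return ("denied", "rate_limited")
    recent.append(now)
    _requests[vendor_id] = recent
    AUDIT.append((now, vendor_id, "lookup"))
    return ("ok", SCORES.get((name.lower(), address.lower())))
```

The rate limit is what turns a quiet bulk harvest of scores into a visible burst of "rate_limited" audit entries, which is the signal a monitoring team can alert on.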

10 Takeaways From the Experian Leak

1. APIs Are Inherently Vulnerable

We’ve talked about APIs before – and our conclusion wasn’t too happy: APIs are ridden with vulnerabilities from the get-go. Threat actors know about that.

Seemingly safe APIs leave users exposed. The Experian API was supposed to be used by approved vendors alone – and threat actors found a way to use it anyway.

You can’t stop using APIs, though you should be careful when using them, especially if they will collect your data afterward.

2. Most Apps Are Insecure

Unfortunately, most apps we use are not as secure as they should be. Or, even worse, they’re insecure through and through.

The Experian leak is the perfect example of what we’re talking about: if one of the biggest credit score companies left such a blatant exploit in their software, what’s the rest of the landscape like?

Even worse, most apps require your data to work – and data is valuable for you and threat actors alike.

3. Data Is Valuable

The Experian leak doesn’t sound like that big of a deal. No credit card or bank account information was leaked, so what’s the worst that could happen? Well, a lot!

Threat actors would love an easy payday, though that’s often not the case. They have to cheat and scam to get money, and any amount of information will help them reach their goal.

Credit scores (the information Experian leaked) help hackers figure out what kind of scam to run. For example, those with a low credit score will receive a phishing attempt in the form of a fake pre-approved loan application.

4. Hackers Will Do Anything for Data

When was the last time a hacker stopped doing harm? Most don’t care about consequences, especially if they’re not the ones who’ll suffer them.

The worst hackers are happy to spread ransomware on networks, infect your home devices with malware, and fool anyone using social engineering.

So, when they see a big company like Experian leave a vulnerability in their API, you better believe they’ll exploit it. For that reason, you should never expose yourself to such a thing, though hackers will always try to overcome any defenses you set up.

5. Threat Actors Are Creative

It took a long while before anyone noticed that the Experian API leaked data to whoever was clever enough to realize what was happening. That’s the thing: you have to be creative to see where the vulnerabilities are.

Threat actors are very creative. They’ll come up with ways to steal information from places regular people are not looking at. Most would look at the Experian API, request information lawfully, and carry on.

It wouldn’t be unlikely that more than one threat actor saw that API and realized they had an opportunity in front of them. That’s how most companies end up breached.

6. Experian Isn’t the First – Nor the Last

The Experian leak was a big one – but it wasn’t the biggest nor the first one. Most remember the 2017 Equifax leak, though that wasn’t the only one in recent history. Geico also suffered a breach not too long ago.

Threat actors will not stop figuring out ways to steal information. For that reason, it’s always a good idea to be one step ahead of them and expect leaks to happen: share little information whenever possible and never reuse passwords.

Doing so will save you when companies get overconfident.

7. Companies Shouldn’t Be Overconfident

The Experian API exposed the scores of most Americans. It only happened because they overlooked basic security principles. In other words, the mistake that allowed hackers to steal so much information should’ve been noticed and fixed during the early development stages.

So, how come the breach happened anyway? Big companies become overconfident over time. They also get clumsy: these companies have to release new products all the time, and mistakes are bound to happen when you’re in a rush, especially when you think you’re too big to fail.

8. Users Shouldn’t Trust Companies (Even Big Ones)

Users don’t trust startups with a lot of their information – and that’s a good thing! In contrast, they seem happy to give every detail to big companies like Amazon or Meta – and that’s not as good.

You have to view trusting companies as a deal: you have to get something in return, and what you get should be so good it outweighs the risks of a possible leak.

That’s right: everything you upload to the internet could be bound to appear in a data breach, no matter how good or secure the company you give your information to is.

9. The Internet Isn’t as Safe as Most Think

People should go back to the way most people thought 20 years ago: never share too much information online, shy away from uploading your pictures online, and restrict your internet use.

Nowadays, people think the internet is a safe haven for anyone. That’s not the case – even if social media has a huge number of people acting happy-go-lucky with their information.

That doesn’t have to be you! The less you share, the less susceptible you are to leaks. That’s why cybersecurity is so important.

10. You Should Worry About Cybersecurity

Users should never take cybersecurity for granted, though that’s what often happens. It doesn’t matter if they do so willingly or otherwise – consequences are always drastic.

It doesn’t have to be that way! You can take good care of your information without much effort: connecting to secure networks only, never sharing too much information online, and routinely scanning your devices for malware.

Of course, you can’t do much to prevent a company like Experian from leaking your credit score. However, that doesn’t mean you don’t have the tools to bounce back from a data breach.

What To Do After a Data Leak?

  • Check the Scope of the Breach. You need to know what hackers have before you act. You can’t do much if they stole your credit score, though that’s not the same if they have your bank account login credentials. Change what you can and monitor what you must.
  • Monitor Your Bank Accounts. Hackers steal FICO scores to figure out who to target. A low credit score makes you the perfect victim for a phishing attempt (e.g., they’ll send you a fake email with a pre-approved loan). A high credit score makes you the perfect target for fraud.
  • Contact the Affected Companies. Sometimes, a leak will affect third parties unaware of the issue. For example, a threat actor may steal your credit card information from a vendor. In that case, you have to contact the credit card company.

U.S. Cybersecurity realizes that after 2021, we’re left with plenty of Experian data breach lessons, including the value of personal information, how creative hackers are with data, and the importance of taking care of your cybersecurity: you don’t have to cut ties with all companies, though you have to act as if a breach is always possible, no matter how big the company.

Herman McCargo

Herman is a Microsoft Certified Security Engineer and Cybersecurity Specialist. He’s been in the technology field for over 20 years and has expertise working with the most critical technology infrastructures. He has a deep understanding of cyber risks, threat mitigation and prevention, and overseeing infrastructure.