  • FIRST POST
    • Gorf123
    • By Gorf123 16th Apr 15, 3:35 PM
    • 63 Posts
    • 35 Thanks
    Gorf123
    Experian email and password alert
    • #1
    • 16th Apr 15, 3:35 PM
    Hi, all.

    I just got an alert from Experian that my email address, and the password I use to access it, are being sold on the open market. I've changed the password just to be safe, and checked which online accounts use that address - none that can be used to rip me off, as it happens.

    My question is: How do they know that it's my email password? If they hacked into (say) my Apple account and picked up the password for that account, then they have a password associated with my email address, just not the password required for direct access.

    Are they just saying that there is my email address and a password being sold, or is there any further evidence to suggest it's really the email server password?

    Thanks for reading...
    • spoovy
    • By spoovy 23rd May 16, 5:08 PM
    • 22 Posts
    • 1 Thanks
    spoovy
    I've just had the exact same message, 48 hours after joining up. I work in ICT security and I am very, very sceptical that their claims are true. I have asked for full details.

    If this is just a scam then it really should be criminal in my opinion. Cyber security is not a joke, particularly for those of us whose careers depend on it. You should not be allowed to pretend to have uncovered crimes when you have not.

    If they have indeed found my password and login details online somewhere then they should tell me exactly where they found them. If some company contacted you to say they had found a copy of your house keys you would expect them to give more details wouldn't you? You would not just change your locks and forget about it.

    I would love to hear the opinions of other forum members as to the legality of these claims if they are as I suspect completely fabricated.
    • villagio
    • By villagio 24th May 16, 10:07 PM
    • 2 Posts
    • 2 Thanks
    villagio
    For what it's worth, I've just had one of these messages from Experian for the first time and have had their web monitoring and/or full access for a few years on and off.
  • Experian company representative
    Hi Spoovy and Villagio,

    I understand that you have been contacted through our Web Alert service, and appreciate that this can be concerning.

    The Web Alert service is part of CreditExpert membership.
    As a CreditExpert member you can choose what information you would like to be monitored, such as an email address or passport details. We will then scan the internet for this information, and if it appears in any insecure or suspicious locations we will send you an alert.

    If you don’t want to use the service then you are able to turn it off by clicking on the Web Monitoring Settings section when logged into CreditExpert.


    We will never ask for your password, and we do not test any that are found; we will just notify you that the information has been located and suggest possible actions to protect it.

    For security we are not able to provide you with any passwords that have been associated with the email address or the exact location of the information.


    You can find out more about the service here.


    Kind regards
    Neil
    Last edited by Experian company representative; 25-05-2016 at 11:47 AM.
    Official Company Representative
    I am an official company representative of Experian. MSE has given permission for me to post in response to queries about the company, so that I can help solve issues. You can see my name on the companies with permission to post list. I am not allowed to tout for business at all. If you believe I am please report it to forumteam@moneysavingexpert.com This does NOT imply any form of approval of my company or its products by MSE

    Posts by James Jones, Neil Stone, Stuart Storey & Joe Standen
    • spoovy
    • By spoovy 25th May 16, 9:29 PM
    • 22 Posts
    • 1 Thanks
    spoovy
    Neil

    The alert reads, exactly:


    'What have we found?
    Your email address <redacted> and the password you use to access it
    Why do I need to know?
    They are being sold together online by illegal black market communities. This puts you at high risk of becoming a victim of fraud.'


    This is an enormous claim to make without any evidence to back it up, particularly given the high degree of security that I have placed this password under. If the claim is true then it will require a significant investigation into how the password was leaked, and it will potentially impact other organisations which may have to do the same.

    I need to know with some urgency if this claim really is true. There are any number of ways you can prove it to me in complete security, if it is true.
    • spoovy
    • By spoovy 26th May 16, 1:09 PM
    • 22 Posts
    • 1 Thanks
    spoovy
    So after 40 minutes on the phone to Experian and speaking to three different people, I'm none the wiser. They refuse to tell me exactly what they have found, or where they have found it.

    They have gone off to have a think about it and say they will get back to me.

    I'm starting to think that what they have actually found is the email address in question and a string of characters associated together. They have then jumped to the conclusion that this is the password used to access the mail service. This would be a completely ridiculous assumption of course, given the number of websites, applications etc. which take an email address as a user ID.

    I await the call with more information.
  • Experian company representative
    So after 40 minutes on the phone to Experian and speaking to three different people, I'm none the wiser. They refuse to tell me exactly what they have found, or where they have found it.

    They have gone off to have a think about it and say they will get back to me.

    I'm starting to think that what they have actually found is the email address in question and a string of characters associated together. They have then jumped to the conclusion that this is the password used to access the mail service. This would be a completely ridiculous assumption of course, given the number of websites, applications etc. which take an email address as a user ID.

    I await the call with more information.
    Originally posted by spoovy
    Hi Spoovy,

    I’m sorry we have been unable to provide you with the password that has been found through our Web monitoring alerts system.
    I appreciate your concerns and from your posts I am led to believe the system has found a username, which in this case is your email address, and a password alongside it. This has been found on the Dark Web, which cannot be accessed through ordinary browsers and contains a lot of illegal web space; as such, the system that scans the web does not return to us the location or password that has been found, for security reasons. If the system finds the data on a website that is on the open web it would provide you with the location, but in this instance, due to where it has been found, it is not returned for security reasons.

    The alert is to make you aware when information is found, the ‘password’ the system found may well be a string of text that isn’t related to your actual passwords. When the system does find data it believes to be your own, we feel it is important to make you aware for your own safety.

    I will pass your feedback on to our Web Monitoring team about the wording of the email and alert, but we do feel our customers' safety is a priority, so when the system does find data it believes could result in fraud we will make the customer aware.

    We always recommend changing your passwords when an alert like this is received, as it may well be your actual password that was found. For more tips on staying safe from fraud you can check out our ID fraud website here.

    If you have any further queries about this you can email me directly on uksocialsupport@experian.com just include your reference number, name, dob & address for security.

    Regards
    Joe
  • jamesd
    Joe,

    The wording of the message seems very poor, apparently falsely claiming a security problem that hasn't happened and misleading people away from the real potential problem.

    "What have we found?
    Your email address <redacted> and the password you use to access it"

    That is a clear claim that the email address and the password used to access the email server have been found together. Appropriate reaction to receiving that and taking it as a genuine report would be to change the password at the email service provider and notify the email service provider that their system may have a security vulnerability that has allowed the details of their accounts to be accessed. That is, an assertion that say gmail, or yahoo or some other mail service provider has a significant security problem that needs very urgent action by them because millions of their customers may be affected. While one ethical action by Experian is to tell the Experian customers, telling the email service provider is also necessary in this situation.

    But that probably isn't really what was found and Google, Yahoo or whoever don't need to jump to immediate action in response to the Experian report.

    The possible real problem is probably that the email address and possible password used to log in to some web site has been found. Since the email is saying that the problem is with the email server there's no reason to change these other passwords but that is what would be required if this is the cause of the email being present.

    But it gets worse. It's quite common for people to use one email address with different passwords at different sites. If the site has a vulnerability all that may happen is that any new password will be compromised soon after it is supplied to the site with the problem. Not going to do a lot to improve the security position of the Experian customer when their new password shows up on a list of recently changed and hence higher value passwords.

    To make the message truly actionable in some sensible way it is necessary to provide sufficient information to identify the site that may have a security vulnerability. When a shared email address is in use that requires disclosing some part of the password or, less desirably, providing a way to check whether a list of hundreds of possible passwords used at hundreds of different sites is what was found. Hopefully it's clear why knowing something about the supposed password is needed, given the number of possible passwords to check or change.

    Good idea to provide the service, but it's being let down on the actionability by the customer side.
  • Experian company representative
    Joe,

    The wording of the message seems very poor, apparently falsely claiming a security problem that hasn't happened and misleading people away from the real potential problem.

    "What have we found?
    Your email address <redacted> and the password you use to access it"

    That is a clear claim that the email address and the password used to access the email server have been found together. Appropriate reaction to receiving that and taking it as a genuine report would be to change the password at the email service provider and notify the email service provider that their system may have a security vulnerability that has allowed the details of their accounts to be accessed. That is, an assertion that say gmail, or yahoo or some other mail service provider has a significant security problem that needs very urgent action by them because millions of their customers may be affected. While one ethical action by Experian is to tell the Experian customers, telling the email service provider is also necessary in this situation.

    But that probably isn't really what was found and Google, Yahoo or whoever don't need to jump to immediate action in response to the Experian report.

    The possible real problem is probably that the email address and possible password used to log in to some web site has been found. Since the email is saying that the problem is with the email server there's no reason to change these other passwords but that is what would be required if this is the cause of the email being present.

    But it gets worse. It's quite common for people to use one email address with different passwords at different sites. If the site has a vulnerability all that may happen is that any new password will be compromised soon after it is supplied to the site with the problem. Not going to do a lot to improve the security position of the Experian customer when their new password shows up on a list of recently changed and hence higher value passwords.

    To make the message truly actionable in some sensible way it is necessary to provide sufficient information to identify the site that may have a security vulnerability. When a shared email address is in use that requires disclosing some part of the password or, less desirably, providing a way to check whether a list of hundreds of possible passwords used at hundreds of different sites is what was found. Hopefully it's clear why knowing something about the supposed password is needed, given the number of possible passwords to check or change.

    Good idea to provide the service, but it's being let down on the actionability by the customer side.
    Originally posted by jamesd
    Hi James,

    I can totally understand his concerns based on the email alert received and can appreciate that Spoovy and other customers who have received this message would be annoyed that in these cases the location and what password has been found cannot be provided.

    The email alert won't have said the email server password was found but just that the email address and password used to access this has been found. I agree these emails are not very clear and could be worded better. I have passed the feedback about this myself to the team.

    If Spoovy emails me directly with their membership details I will raise this with our Web monitoring product team directly to see if they are able to provide any further details on what the system found due to the nature of the case.

    Hopefully it is something as simple as his email address being on some dark web spam list and nothing that could cause any considerable harm, but we do send these alerts in this way so that customers can take them seriously when they arrive.

    Regards
    Joe
    • spoovy
    • By spoovy 30th May 16, 8:31 PM
    • 22 Posts
    • 1 Thanks
    spoovy
    Joe

    Email is not a secure way to transmit sensitive information. I am a little concerned that Experian keep asking me to do this.

    Regarding the main subject, unfortunately, I feel you are still not really grasping the problem. You stated in your last post directed at me:

    ..the ‘password’ the system found may well be a string of text that isn’t related to your actual passwords [but] We always recommend changing your passwords when an alert like this is found, as it may well be your actual password found.
    This assumes that changing passwords is a simple thing to do; a precautionary measure with no associated costs. In many cases this is true but in many it is not. In my particular case if the claim made in the alert were true it could mean that an encrypted password database has been leaked and cracked, compromising hundreds of passwords used at companies I do work for as well as my own personal ones. I would have to carry out an investigation into how this database became compromised. This would at the very least cost me a lot of time (and therefore money), and at worst, well I'd rather not think about it.

    I'll use a non-ICT analogy. If a company contacted you out of the blue to tell you they had found a set of keys in the possession of a known criminal, along with a map with your business premises circled on it, but they refused to provide any evidence of this claim, what would you do?
    1. Spend tens of thousands paying to have all your locks changed and a new security system put in? No you would not, because quite apart from the cost the real issue would be how did this criminal come by your keys in the first place? Is someone culpable? Was someone you trust involved? And what if you did spend tens of thousands on these measures, sacked your head of security as a precaution, and then found out that the claim was a hoax all along? Well I need not spell out the implications there.
    2. Perhaps you would dismiss it as a hoax and sleep soundly afterwards? Again, no you would not, as you could never be sure it was a hoax and your insurance company would probably look very dimly on your inaction.

    Hopefully you're seeing my point. The claim the alert makes is so significant that it must be explained in adequate detail, and if necessary backed up with evidence, otherwise I cannot know how to act and I am left in an extremely difficult situation.

    I think Experian need to start taking this a lot more seriously, very quickly.
  • jamesd
    The email alert won't have said the email server password was found but just that the email address and password used to access this has been found.
    Originally posted by Experian company representative
    Those two phrases have the same meaning in this context: the password the customer uses to access the email server to collect email for that email address.
  • Experian company representative
    Joe

    Email is not a secure way to transmit sensitive information. I am a little concerned that Experian keep asking me to do this.

    Regarding the main subject, unfortunately, I feel you are still not really grasping the problem. You stated in your last post directed at me:



    This assumes that changing passwords is a simple thing to do; a precautionary measure with no associated costs. In many cases this is true but in many it is not. In my particular case if the claim made in the alert were true it could mean that an encrypted password database has been leaked and cracked, compromising hundreds of passwords used at companies I do work for as well as my own personal ones. I would have to carry out an investigation into how this database became compromised. This would at the very least cost me a lot of time (and therefore money), and at worst, well I'd rather not think about it.

    I'll use a non-ICT analogy. If a company contacted you out of the blue to tell you they had found a set of keys in the possession of a known criminal, along with a map with your business premises circled on it, but they refused to provide any evidence of this claim, what would you do?
    1. Spend tens of thousands paying to have all your locks changed and a new security system put in? No you would not, because quite apart from the cost the real issue would be how did this criminal come by your keys in the first place? Is someone culpable? Was someone you trust involved? And what if you did spend tens of thousands on these measures, sacked your head of security as a precaution, and then found out that the claim was a hoax all along? Well I need not spell out the implications there.
    2. Perhaps you would dismiss it as a hoax and sleep soundly afterwards? Again, no you would not, as you could never be sure it was a hoax and your insurance company would probably look very dimly on your inaction.

    Hopefully you're seeing my point. The claim the alert makes is so significant that it must be explained in adequate detail, and if necessary backed up with evidence, otherwise I cannot know how to act and I am left in an extremely difficult situation.

    I think Experian need to start taking this a lot more seriously, very quickly.
    Originally posted by spoovy
    Hi Spoovy,
    I do appreciate your concerns and can understand the potential risks and actions that may need to be taken depending on what the system has found. For me to look into this further for you I will need you to email me. I understand you may not want to do this due to security concerns; however, I unfortunately cannot assist you further unless you do.

    Regards
    Joe
    • spoovy
    • By spoovy 2nd Jun 16, 4:20 PM
    • 22 Posts
    • 1 Thanks
    spoovy
    Joe

    I don't expect to receive customer service from this forum; I'm on this forum to have a public discussion about what is going on, and to hopefully raise the profile to a point at which Experian start taking it seriously.

    I would like to think your customer service people can deal with this, as that is presumably what they are there for; unfortunately I'm still waiting for a proper answer. I had a phone call on Tuesday telling me that they had no information for me but they were still looking into it, and I've had no contact since.
    • spoovy
    • By spoovy 4th Jun 16, 1:20 PM
    • 22 Posts
    • 1 Thanks
    spoovy
    So, final update hopefully.

    I received an email from Experian on Friday with a pretty thorough explanation of how the alerting system works, what had been found in my case, and the URL where the information had been found (which was not on the 'dark web' as previously claimed). I was able to download the file and crack the hash to obtain the password.

    This is exactly the response I wanted from Experian, so well done to their customer services department. They took their time, but this is obviously not something they generally do so that is understandable. The alerting service was ultimately shown to be very useful as well, as I would not otherwise have known that this password had been compromised.

    But, (and it's a big but) I can now say with 100% certainty that what was claimed in the original alert is *not true*. The password found was not the one I use to access the email account referred to. It was in fact a very low sensitivity password and a simple one to change, as I suspected.

    So if Experian are interested in learning anything from this episode I would say that the service is potentially very useful and I'd like to see it continue. However it is currently worse than useless without further digging from the customer -- as I have been forced to do -- as the correct information is apparently being mangled somewhere between discovery and communication with the customer.

    (one final note would be that the recent communication from GCHQ advising against the unnecessary changing of passwords is also relevant here)
    Last edited by spoovy; 04-06-2016 at 2:09 PM.
  • jamesd
    Disappointing that the site had poor enough security practices to store what I assume was the full hash of the password, so a rainbow table lookup presumably told you what it was with no or low ambiguity. Even for salted hashes it's probably more secure to store only part of the hash so that the number of possible results from a rainbow table check is too large to exhaustively try.

    Thanks for the mention of the GCHQ guidance and they also explain why here.
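An added example, not part of the thread and not from any real dump, illustrating what spoovy describes above (downloading the leaked file and cracking the hash) and the point jamesd makes about unsalted hashes and precomputed tables. Everything in it is constructed: the email addresses, the passwords, the "dump" text and the four-word wordlist. Part 1 runs a dictionary attack over an unsalted SHA-1 dump in the common `email:hash` format; part 2 stores the same passwords with a per-account salt and scrypt (the widely used mitigation, via Python's `hashlib.scrypt`) and counts how much work the same attack now costs.

```python
"""Added example: why a leaked unsalted hash is as good as the plaintext.

Not from the thread and not from any real dump. The accounts, passwords,
dump text and wordlist below are all constructed for this demonstration.
"""
import hashlib
import os

WORDLIST = ["password", "123456", "letmein", "qwerty"]  # constructed, tiny

# Constructed accounts; carol's password is not in the wordlist.
ACCOUNTS = [
    ("alice@example.test", "password"),
    ("bob@example.test", "123456"),
    ("carol@example.test", "Xq7!long-unique-passphrase"),
]


def make_unsalted_dump(accounts) -> str:
    """Build the constructed dump text: one 'email:sha1hex' line per account."""
    return "\n".join(
        "%s:%s" % (email, hashlib.sha1(pw.encode("utf-8")).hexdigest())
        for email, pw in accounts
    )


def crack_unsalted_sha1(dump_text: str, wordlist):
    """Dictionary attack on an unsalted dump. Each candidate is hashed once
    and the table is reused for every account; a precomputed table (the
    'rainbow table' mentioned in the thread) removes even that cost.
    Returns ({email: plaintext_or_None}, hash_computations)."""
    table = {hashlib.sha1(w.encode("utf-8")).hexdigest(): w for w in wordlist}
    results = {}
    for line in dump_text.splitlines():
        email, digest = line.split(":", 1)
        results[email] = table.get(digest.strip().lower())
    return results, len(wordlist)


def scrypt_hash(password: str, salt: bytes) -> bytes:
    """Salted, memory-hard hash. Parameters are kept modest so the example
    runs quickly; production values would be higher."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=2 ** 12, r=8, p=1, dklen=32)


def make_salted_records(accounts):
    """Store each account as (email, salt, digest) with a random 16-byte salt."""
    records = []
    for email, pw in accounts:
        salt = os.urandom(16)  # unique per account, stored next to the digest
        records.append((email, salt, scrypt_hash(pw, salt)))
    return records


def crack_salted_scrypt(records, wordlist):
    """The same dictionary attack against salted scrypt records. The salt
    defeats any shared or precomputed table: every candidate must be
    re-hashed for every account, and each hash is deliberately slow.
    Returns ({email: plaintext_or_None}, hash_computations)."""
    results = {}
    work = 0
    for email, salt, digest in records:
        results[email] = None
        for w in wordlist:
            work += 1
            if scrypt_hash(w, salt) == digest:
                results[email] = w
                break
    return results, work


if __name__ == "__main__":
    found, n = crack_unsalted_sha1(make_unsalted_dump(ACCOUNTS), WORDLIST)
    print(found, "after", n, "SHA-1 computations")
    found, n = crack_salted_scrypt(make_salted_records(ACCOUNTS), WORDLIST)
    print(found, "after", n, "scrypt computations")
```

Both attacks recover the same two weak passwords from this tiny dump, which is the point: the unsalted one does it with four cheap hashes for any number of accounts, while the salted, slow one has to redo the work per account and per candidate. A leaked unsalted hash of a weak password should therefore be treated as the password itself, which is what spoovy's result shows.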
    • Gorf123
    • By Gorf123 6th Jun 16, 3:52 AM
    • 63 Posts
    • 35 Thanks
    Gorf123
    Wow. A year on and this thread is still active, with nothing relevant from Experian.

    Seriously - all you need to do is replace "The password used to access this email account" with "A password associated with this email account".

    Thanks, everyone, for the replies.
    • NCC1701D
    • By NCC1701D 24th May 17, 1:45 PM
    • 1 Posts
    • 0 Thanks
    NCC1701D
    Hello,

    I got one of the High Risk alerts today saying they had found my email address and the password I use for that account.

    I wondered how they knew it was my current password as I change them every 3 months and have had that account for years.

    I called their customer service to get the answer.

    In short. They don't know if it's my current password. The password is blanked out by the seller who promises to give the password to a buyer for a fee.

    They are suggesting you should change your password just in case. Even if it is an old one.

    I felt the wording was a little misleading in the email. So I registered a complaint as scaremongering. Making it sound like their service was better than it actually is.

    Anyway. Still best to play on the safer side and change it.
    • sr66uk
    • By sr66uk 24th May 17, 3:19 PM
    • 2 Posts
    • 1 Thanks
    sr66uk
    Experian
    Funny that, you are doing right by changing your password. Bet if you cancel your subscription you get another alert!

    When they alerted me I downloaded a Tor browser and did my own searches, and nothing came up with my email address (I work in computer security, specifically email).

    They cannot prove they have found anything and will not provide any links to said discovery.

    Their service as far as I am concerned is a scam and scaremongering.

    Best Regards
    • drbosu
    • By drbosu 18th Aug 17, 10:56 AM
    • 1 Posts
    • 2 Thanks
    drbosu
    Huge irritation factor
    Hi there,

    I have had this twice before with Experian and today a third time. The really irritating thing is that there are no details supplied, and as others have said, it's almost certainly not a recent password and the result of an Adobe hack. I work in IT security and whilst it might be highly relevant that my mail address is 'out there', it is highly unlikely that there is a plaintext password out there too - and even if there is, it will have been changed since the first time it was 'discovered' - (which by the way probably means Experian bought the list).

    What really annoys me is that Experian have set themselves up as the arbiters of our credit fate. It is virtually impossible to speak to a human being who makes sense, and the whole thing seems to be designed to frustrate intelligent interaction with us - i.e. the people whose lives they increasingly interfere with. WHY can't I respond myself to this and tell them I have changed my password, that I have multiple email accounts, that I am an IT professional? The clear implication is that this will affect my credit rating adversely - something in which I should have at least the right to reply.

    My overall impression of this company is that they are essentially a perfidious and increasingly unaccountable influence on us all - and what is worse, they extract money from us for the trouble!
    • clarkec321
    • By clarkec321 8th Sep 17, 2:50 PM
    • 10 Posts
    • 2 Thanks
    clarkec321
    What have we found?
    Your email address <REDACTED> and the password you use to access it
    I too have had the above Experian alert

    The wording is incredible

    1. How do Experian know that's the password I use to access my email? Experian don't know my email password, so it's impossible for them to say that

    2. If it's not my email password, it could be another critical bank password (unlikely), password from a service (of high importance), or a throwaway unimportant password of some random forum, blog or other

    Without knowing more info about the supposed password they've found, which Experian say they're unable to provide for 'security' reasons... so there is no action anyone can take about the alert

    Experian really need to provide the password they've found, just like they do the email address, or at least characters from the password because as it stands no one can do anything about it

    And saying the password they found is the one used to access the email is just a scaremongering lie
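An added example, not Experian's code and not part of the original thread, of the check that jamesd asks for earlier ("providing a way to check whether a list of hundreds of possible passwords ... is what was found") and that clarkec321 asks for here ("at least characters from the password"): a k-anonymity range query of the kind Have I Been Pwned's Pwned Passwords API uses. The customer sends only the first 5 hex characters of a hash of each candidate password, receives every stored suffix under that prefix, and matches at home, so neither side ever discloses a plaintext. The store contents, the candidate list and the prefix length are constructed; SHA-1 is used only so both sides agree on a fast identifier for a password, not as a storage recommendation.

```python
"""Added example: k-anonymity range check of found credentials.

Not Experian's code and not from the thread. The leaked passwords, the
candidate list and the 5-character prefix length (the split used by Have
I Been Pwned's range API) are all constructed for this demonstration.
"""
import hashlib
from collections import defaultdict

PREFIX_LEN = 5  # 5 hex chars = 20 bits; the other 140 bits never leave the customer


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 password (identifier only, not storage)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class FoundCredentialStore:
    """Monitoring side. Holds only hash suffixes bucketed by prefix, so a
    range query can be answered without storing or returning a plaintext."""

    def __init__(self, leaked_passwords):
        self._buckets = defaultdict(set)
        for pw in leaked_passwords:
            digest = sha1_hex(pw)
            self._buckets[digest[:PREFIX_LEN]].add(digest[PREFIX_LEN:])

    def range_query(self, prefix: str) -> list:
        """Return every stored suffix under `prefix`. The store learns 20 bits
        of the customer's hash and nothing else, and cannot tell which of the
        returned suffixes (if any) was the one the customer wanted."""
        if len(prefix) != PREFIX_LEN:
            raise ValueError("prefix must be exactly %d hex characters" % PREFIX_LEN)
        return sorted(self._buckets.get(prefix.upper(), ()))


def check_candidates(store: FoundCredentialStore, candidates) -> list:
    """Customer side. Hash each candidate locally, send only the prefix, and
    match the suffix at home. Returns the candidates present in the store."""
    matched = []
    for pw in candidates:
        digest = sha1_hex(pw)
        suffixes = store.range_query(digest[:PREFIX_LEN])
        if digest[PREFIX_LEN:] in suffixes:
            matched.append(pw)
    return matched


# Constructed data: what a monitoring service might hold, and the "hundreds
# of possible passwords" a customer with one shared email address might test.
LEAKED = ["password1", "letmein", "forum-throwaway-2014"]
CANDIDATES = ["My!MailPassw0rd-unique", "forum-throwaway-2014", "bank-Xy7$long"]

if __name__ == "__main__":
    store = FoundCredentialStore(LEAKED)
    print(check_candidates(store, CANDIDATES))  # ['forum-throwaway-2014']
```

With a real-sized store (hundreds of millions of hashes) every 5-character prefix bucket holds several hundred suffixes, which is what gives the candidate its anonymity; with three entries as here a bucket is usually a single suffix, but the store still only ever sees 20 bits of the customer's hash. The check answers "is this password in the set", which is enough to know whether the mail password is the one affected; it does not say which site leaked it, which is the other half of what the thread asks for.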
    • seekstris
    • By seekstris 21st Sep 17, 8:46 AM
    • 20 Posts
    • 46 Thanks
    seekstris
    I just got the email today.

    Just an FYI: although I am frustrated too, I think all they are saying is that they found your email and a password together. This may be for your email account but it may also just be for a random forum. They are not saying that specifically your email is hacked.

    That is one reason that I use a unique password for my email, then I have some sites I use a standard one, and some of the higher important ones I use a password safe.

    I have had this alert 3 times previously, and nothing has ever happened. The first time I reset every password, and the next time I made the decision that I had enough safety precautions and nothing happened then.

    So I do think it's worth taking with a pinch of salt