Experian email and password alert

spoovy

Joe

I don't expect to receive customer service from this forum; I'm on this forum to have a public discussion about what is going on, and to hopefully raise the profile to a point at which Experian start taking it seriously.

I would like to think your customer service people can deal with this, as that is presumably what they are there for, unfortunately I'm still waiting for a proper answer. I had a phone call on Tuesday telling me that they had no information for me but they were still looking into it, and I've had no contact since.

spoovy

So, final update hopefully.

I received an email from Experian on Friday with a pretty thorough explanation of how the alerting system works, what had been found in my case, and the URL where the information had been found (which was not on the 'dark web' as previously claimed). I was able to download the file and crack the hash to obtain the password.

This is exactly the response I wanted from Experian, so well done to their customer services department. They took their time, but this is obviously not something they generally do so that is understandable. The alerting service was ultimately shown to be very useful as well, as I would not otherwise have known that this password had been compromised.

But, (and it's a big but) I can now say with 100% certainty that what was claimed in the original alert is *not true*. The password found was not the one I use to access the email account referred to. It was in fact a very low sensitivity password and a simple one to change, as I suspected.

So if Experian are interested in learning anything from this episode I would say that the service is potentially very useful and I'd like to see it continue. However it is currently worse than useless without further digging from the customer -- as I have been forced to do -- as the correct information is apparently being mangled somewhere between discovery and communication with the customer.

(one final note would be that the recent communication from GCHQ advising against the unneccesary changing of passwords is also relevant here)

jamesd

Disappointing that the site had poor enough security practices to store what I assume was the full hash of the password, so a rainbow table lookup presumably told you what it was with no or low ambiguity. Even for salted hashes it's probably more secure to store only part of the hash so that the number of possible results from a rainbow table check is too large to exhaustively try.

Thanks for the mention of the GCHQ guidance and they also explain why here.

Gorf123

Wor. A year on and this thread is still active, with nothing relevant from Experian.

Sriously - all you need to do is replace "The password used to access this email account" with "A password associated with this email account".

Thanks, everyone, for the replies.

NCC1701D

Hello,

I got one of the High Risk alerts today saying they had found my email address and the password I use for that account.

I wondered how they knew it was my current password as I change them every 3 months and have had that account for years.

I called their customer service to get the answer.

In short. They don't know if it's my current password. The password is blanked out by the seller who promises to give the password to a buyer for a fee.

They are suggesting you should change your password just incase. Even if it is an old one.

I felt the wording was a little misleading in the email. So registered a complain as scare mongering. Making it sound like their service was better than it actually is.

Anyway. Still best to play on the safer side and change it.

sr66uk

Funny that, you are doing right by changing your password. Bet if you cancel your subscription you get another alert!

When they alerted me I downloaded a tor browser and done my own searches and nothing came up with my email address (I work in computer security, specifically email)

They cannot prove they have found anything and will not provide any links to said discovery.

Their service as far as I am concerned is a scam and scare mongering.

Best Regards

drbosu

Hi there,

I have had this twice before with Experian and today a third time. The really irritating thing is that there are no details supplied, and as others have said, it's almost certainly not a recent password and the result of an Adobe hack. I work in IT security and whilst it might be highly relevant that my mail address is 'out there', it is highly unlikely that there is a plaintext password out there too - and even if there is, it will have been changed since the first time it was 'discovered' - (which by the way probably means Experian bought the list).

What really annoys me is that Experian have set themselves up as the arbiters of our credit fate. It is virtually impossible to speak to a human being who makes sense, and the whole thing seems to be designed to frustrate intelligent interaction with us - i.e. the people whose lives they increasingly interfere with. WHY can't I respond myself to this and tell them I have changed my password, that I have multiple email accounts, that I am an IT professional? The clear implication is that this will affect my credit rating adversely - something in which I should have at least the right to reply.

My overall impression of this company is that they are essentially a perfidious and increasingly unaccountable influence on us all - and what is worse, they extract money from us for the trouble!

clarkec321

What have we found?
Your email address <REDACTED> and the password you use to access it

I too have had the above Experian alert

The wording is incredible

1. How do Experian know that's the password I use to access my email? Experian don't know my email password, so it's impossible for them to say that

2. If it's not my email password, it could be another critical bank password (unlikely), password from a service (of high importance), or a throwaway unimportant password of some random forum, blog or other

Without knowing more info about the supposed password they've found, which Experian say they're unable to provide for 'security' reasons... so there is no action anyone can take about the alert

Experian really need to provide the password they've found, just like they do the email address, or at least characters from the password because as it stands no one can do anything about it

And saying the password they found is the one used to access the email is just scaremongering lie

seekstris

I just got the email today.

Just an FYI although I am frustrated to I think all they are saying is that they found your email and a password together. This may be for your email account but it may also just be for a random forum. They are not saying that specifically your email is hacked.

That is one reason that I use a unique password for my email, then I have some sites I use a standard one, and some of the higher important ones I use a password safe.

I have had this alert 3 times previously, and nothing has ever happened. The first time I reset every password, and the next time I made the decision that I had enough safety precautions and nothing happened then.

So I do think its worth taking with a pinch of salt

takman

seekstris wrote: »

I just got the email today.

Just an FYI although I am frustrated to I think all they are saying is that they found your email and a password together. This may be for your email account but it may also just be for a random forum. They are not saying that specifically your email is hacked.

That is one reason that I use a unique password for my email, then I have some sites I use a standard one, and some of the higher important ones I use a password safe.

I have had this alert 3 times previously, and nothing has ever happened. The first time I reset every password, and the next time I made the decision that I had enough safety precautions and nothing happened then.

So I do think its worth taking with a pinch of salt

Aswell as using a unique password for email and other sites make sure you enable two factor authentication where possible (most big email providers offer this).

Also STOP paying experian a monthly fee. You are just throwing money down the drain there is no need to get instant updates to your credit report when monthly updates are free.