Experian email and password alert

Comments

  • villagio
    villagio Posts: 13 Forumite
    For what it's worth, I've just had one of these messages from Experian for the first time and have had their web monitoring and/or full access for a few years on and off.
  • Experian_company_representative
    Experian_company_representative Posts: 2,134 Organisation Representative
    edited 25 May 2016 at 11:47AM
    Hi Spoovy and Villagio,


    I understand that you have been contacted through our Web Alert service, and appreciate that this can be concerning.

    The Web alert service is part of CreditExpert membership.
    As a CreditExpert member you can choose what information you would like to be monitored, such as an email address or passport details. We will then scan the internet for this information, and if it appears in any unsecure or suspicious locations we will send you an alert.

    If you don’t want to use the service then you are able to turn it off by clicking on the Web Monitoring Settings section when logged into CreditExpert.


    We will never ask for your password, and we do not test any that are found; we will just notify you that the information has been located and suggest possible actions to protect it.


    For security we are not able to provide you with any passwords that have been associated with the email or the exact location of the information.


    You can find out more about the service here.


    Kind regards
    Neil
    Official Company Representative
    I am an official company representative of Experian. MSE has given permission for me to post in response to queries about the company, so that I can help solve issues. You can see my name on the companies with permission to post list. I am not allowed to tout for business at all. If you believe I am please report it to forumteam@moneysavingexpert.com This does NOT imply any form of approval of my company or its products by MSE.

    Posts by James Jones, Neil Stone, Stuart Storey & Joe Standen
  • spoovy
    spoovy Posts: 236 Forumite
    Neil

    The alert reads, exactly:


    'What have we found?
    Your email address <redacted> and the password you use to access it
    Why do I need to know?
    They are being sold together online by illegal black market communities. This puts you at high risk of becoming a victim of fraud.'


    This is an enormous claim to make without any evidence to back it up, particularly given the high degree of security that I have placed this password under. If the claim is true then it will require a significant investigation into how the password was leaked, and it will potentially impact other organisations which may have to do the same.

    I need to know with some urgency if this claim really is true. There are any number of ways you can prove it to me in complete security, if it is true.
  • spoovy
    spoovy Posts: 236 Forumite
    So after 40 minutes on the phone to Experian and speaking to three different people, I'm none the wiser. They refuse to tell me exactly what they have found, or where they have found it.

    They have gone off to have a think about it and say they will get back to me.

    I'm starting to think that what they have actually found is the email address in question and a string of characters associated together. They have then jumped to the conclusion that this is the password used to access the mail service. This would be a completely ridiculous assumption of course, given the number of websites, applications etc. which take an email address as a user ID.

    I await the call with more information.
  • Experian_company_representative
    Experian_company_representative Posts: 2,134 Organisation Representative
    spoovy wrote:
    So after 40 minutes on the phone to Experian and speaking to three different people, I'm none the wiser. They refuse to tell me exactly what they have found, or where they have found it.

    They have gone off to have a think about it and say they will get back to me.

    I'm starting to think that what they have actually found is the email address in question and a string of characters associated together. They have then jumped to the conclusion that this is the password used to access the mail service. This would be a completely ridiculous assumption of course, given the number of websites, applications etc. which take an email address as a user ID.

    I await the call with more information.

    Hi Spoovy,

    I’m sorry we have been unable to provide you with the password that has been found through our Web monitoring alerts system.
    I appreciate your concerns, and from your posts I am led to believe the system has found a username, which in this case is your email address, and a password alongside this. This has been found on the Dark Web, which cannot be accessed through ordinary browsers and contains a lot of illegal web space. As such, the system that scans the web does not return to us the location or password that has been found, for security reasons. If the system finds the data on a website that is on the open web it would provide you with the location, but in this instance, due to where it's been found, it's not returned for security reasons.

    The alert is to make you aware when information is found, the ‘password’ the system found may well be a string of text that isn’t related to your actual passwords. When the system does find data it believes to be your own, we feel it is important to make you aware for your own safety.

    I will pass your feedback on to our Web Monitoring team about the wording of the email and alert, but we do feel our customers' safety is a priority, so when the system does find data it believes could result in fraud we will make the customer aware.

    We always recommend changing your passwords when an alert like this is found, as it may well be your actual password that was found. For more tips on staying safe from fraud you can check out our ID fraud website here.

    If you have any further queries about this you can email me directly on uksocialsupport@experian.com just include your reference number, name, dob & address for security.

    Regards
    Joe
    Official Company Representative
  • jamesd
    jamesd Posts: 26,103 Forumite
    Joe,

    The wording of the message seems very poor, apparently falsely claiming a security problem that hasn't happened and misleading people away from the real potential problem.

    "What have we found?
    Your email address <redacted> and the password you use to access it"

    That is a clear claim that the email address and the password used to access the email server have been found together. The appropriate reaction to receiving that and taking it as a genuine report would be to change the password at the email service provider and notify the email service provider that their system may have a security vulnerability that has allowed the details of their accounts to be accessed. That is, an assertion that say Gmail, or Yahoo, or some other mail service provider has a significant security problem that needs very urgent action by them because millions of their customers may be affected. While one ethical action by Experian is to tell the Experian customers, telling the email service provider is also necessary in this situation.

    But that probably isn't really what was found and Google, Yahoo or whoever don't need to jump to immediate action in response to the Experian report.

    The possible real problem is probably that the email address and possible password used to log in to some web site has been found. Since the email is saying that the problem is with the email server there's no reason to change these other passwords but that is what would be required if this is the cause of the email being present.

    But it gets worse. It's quite common for people to use one email address with different passwords at different sites. If the site has a vulnerability all that may happen is that any new password will be compromised soon after it is supplied to the site with the problem. Not going to do a lot to improve the security position of the Experian customer when their new password shows up on a list of recently changed and hence higher value passwords.

    To make the message truly actionable in some sensible way it is necessary to provide sufficient information to identify the site that may have a security vulnerability. When a shared email address is in use that requires disclosing some part of the password or, less desirably, providing a way to check whether a list of hundreds of possible passwords used at hundreds of different sites is what was found. Hopefully it's clear why knowing something about the supposed password is needed, given the number of possible passwords to check or change.

    Good idea to provide the service, but it's being let down on the actionability by the customer side.
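    The post above asks for a way to check a list of candidate passwords against what a monitoring service found, without the customer handing over plaintext passwords and without the service publishing the leaked strings. The following is an added example, not code from the thread or from Experian's service, showing one such scheme: the service stores only a SHA-1 digest of each found password together with the site it was seen on; the customer hashes candidates locally and queries by the first five hex characters of the digest only, then matches the remaining suffix locally. The record list, the email addresses, the site names, and the function names are all constructed for the example.

```python
import hashlib
from collections import defaultdict

PREFIX_LEN = 5  # hex characters of the digest the customer discloses in a query


def sha1_hex(password: str) -> str:
    """Digest used purely to match against already-leaked strings (not for storage)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed sample of what a monitoring service might hold after a scan:
# (email it was paired with, site the pair was seen on, SHA-1 of the password).
# In this sample Alice's mailbox password turned up in a dump attributed to
# shop.example, i.e. she reused it there; a second, different password was seen
# in a dump attributed to forum.example.
FOUND_RECORDS = [
    ("alice@example.com", "shop.example", sha1_hex("correct horse")),
    ("alice@example.com", "forum.example", sha1_hex("hunter2")),
    ("bob@example.com", "shop.example", sha1_hex("letmein")),
]


def build_index(records):
    """Service side: bucket found records by (email, digest prefix)."""
    index = defaultdict(list)
    for email, site, digest in records:
        digest = digest.upper()
        index[(email, digest[:PREFIX_LEN])].append((digest[PREFIX_LEN:], site))
    return index


def range_query(index, email: str, prefix: str):
    """Service side: return every (digest suffix, site) under this prefix.
    Only hash suffixes leave the service; no plaintext is ever returned."""
    return list(index.get((email, prefix), []))


def check_candidates(index, email: str, candidates: dict) -> dict:
    """Customer side: hash each candidate locally, send only the prefix, and
    compare suffixes locally. Returns {candidate label: [sites it was found on]}.
    The candidate passwords never leave this function."""
    hits = {}
    for label, password in candidates.items():
        digest = sha1_hex(password)
        prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
        sites = [site for s, site in range_query(index, email, prefix) if s == suffix]
        if sites:
            hits[label] = sites
    return hits


if __name__ == "__main__":
    index = build_index(FOUND_RECORDS)
    # Constructed: the passwords Alice uses, labelled by where she uses them.
    alice = {"mailbox": "correct horse", "forum.example": "hunter2", "bank.example": "tr0ub4dor"}
    for label, sites in check_candidates(index, "alice@example.com", alice).items():
        print(f"password used for {label!r} was found in data attributed to: {sites}")
```

With the sample data the customer learns that the mailbox password was seen in a shop.example dump (so both the mailbox and shop.example need a change) and that the forum.example password was seen in forum.example's own data (so only that site is affected), while the bank.example password produced no hit. A plain unsalted digest is acceptable here only because the strings being matched are already leaked and the customer is the account's owner; it is not a way to store passwords.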
  • Experian_company_representative
    Experian_company_representative Posts: 2,134 Organisation Representative
    jamesd wrote:
    Joe,

    The wording of the message seems very poor, apparently falsely claiming a security problem that hasn't happened and misleading people away from the real potential problem.

    "What have we found?
    Your email address <redacted> and the password you use to access it"

    That is a clear claim that the email address and the password used to access the email server have been found together. Appropriate reaction to receiving that and taking it as a genuine report would be to change the password at the email service provider and notify the email service provider that their system may have a security vulnerability that has allowed the details of their accounts to be accessed. That is, an assertion that say gmail, or yahoo or some other mail service provider has a significant security problem that needs very urgent action by them because millions of their customers may be affected. While one ethical action by Experian is to tell the Experian customers, telling the email service provider is also necessary in this situation.

    But that probably isn't really what was found and Google, Yahoo or whoever don't need to jump to immediate action in response to the Experian report.

    The possible real problem is probably that the email address and possible password used to log in to some web site has been found. Since the email is saying that the problem is with the email server there's no reason to change these other passwords but that is what would be required if this is the cause of the email being present.

    But it gets worse. It's quite common for people to use one email address with different passwords at different sites. If the site has a vulnerability all that may happen is that any new password will be compromised soon after it is supplied to the site with the problem. Not going to do a lot to improve the security position of the Experian customer when their new password shows up on a list of recently changed and hence higher value passwords.

    To make the message truly actionable in some sensible way it is necessary to provide sufficient information to identify the site that may have a security vulnerability. When a shared email address is in use that requires disclosing some part of the password or, less desirably, providing a way to check whether a list of hundreds of possible passwords used at hundreds of different sites is what was found. Hopefully it's clear why knowing something about the supposed password is needed, given the number of possible passwords to check or change.

    Good idea to provide the service, but it's being let down on the actionability by the customer side.

    Hi James,

    I can totally understand his concerns based on the email alert received, and can appreciate that Spoovy and other customers who have received this message would be annoyed that in these cases the location and what password has been found cannot be provided.

    The email alert won't have said the email server password was found but just that the email address and password used to access this has been found. I agree these emails are not very clear and could be worded better. I have passed the feedback about this myself to the team.

    If Spoovy emails me directly with their membership details I will raise this with our Web monitoring product team directly to see if they are able to provide any further details on what the system found due to the nature of the case.

    Hopefully it is something as simple as his email address being on some dark web spam list and nothing that could cause any considerable harm, but we do send these alerts in this way so that customers can take them seriously when they arrive.

    Regards
    Joe
    Official Company Representative
  • spoovy
    spoovy Posts: 236 Forumite
    Joe

    Email is not a secure way to transmit sensitive information. I am a little concerned that Experian keep asking me to do this.

    Regarding the main subject, unfortunately, I feel you are still not really grasping the problem. You stated in your last post directed at me:
    "...the 'password' the system found may well be a string of text that isn't related to your actual passwords [but] We always recommend changing your passwords when an alert like this is found, as it may well be your actual password found."

    This assumes that changing passwords is a simple thing to do; a precautionary measure with no associated costs. In many cases this is true but in many it is not. In my particular case if the claim made in the alert were true it could mean that an encrypted password database has been leaked and cracked, compromising hundreds of passwords used at companies I do work for as well as my own personal ones. I would have to carry out an investigation into how this database became compromised. This would at the very least cost me a lot of time (and therefore money), and at worst, well I'd rather not think about it.

    I'll use a non-ICT analogy. If a company contacted you out of the blue to tell you they had found a set of keys in the possession of a known criminal, along with a map with your business premises circled on it, but they refused to provide any evidence of this claim, what would you do?
    1. Spend tens of thousands paying to have all your locks changed and a new security system put in? No you would not, because quite apart from the cost the real issue would be how did this criminal come by your keys in the first place? Is someone culpable? Was someone you trust involved? And what if you did spend tens of thousands on these measures, sacked your head of security as a precaution, and then found out that the claim was a hoax all along? Well I need not spell out the implications there.
    2. Perhaps you would dismiss it as a hoax and sleep soundly afterwards? Again, no you would not, as you could never be sure it was a hoax and your insurance company would probably look very dimly on your inaction.

    Hopefully you're seeing my point. The claim the alert makes is so significant that it must be explained in adequate detail, and if necessary backed up with evidence, otherwise I cannot know how to act and I am left in an extremely difficult situation.

    I think Experian need to start taking this a lot more seriously, very quickly.
  • jamesd
    jamesd Posts: 26,103 Forumite
    "The email alert won't have said the email server password was found but just that the email address and password used to access this has been found."
    Those two phrases have the same meaning in this context: the password the customer uses to access the email server to collect email for that email address.
  • Experian_company_representative
    Experian_company_representative Posts: 2,134 Organisation Representative
    spoovy wrote:
    Joe

    Email is not a secure way to transmit sensitive information. I am a little concerned that Experian keep asking me to do this.

    Regarding the main subject, unfortunately, I feel you are still not really grasping the problem. You stated in your last post directed at me:

    This assumes that changing passwords is a simple thing to do; a precautionary measure with no associated costs. In many cases this is true but in many it is not. In my particular case if the claim made in the alert were true it could mean that an encrypted password database has been leaked and cracked, compromising hundreds of passwords used at companies I do work for as well as my own personal ones. I would have to carry out an investigation into how this database became compromised. This would at the very least cost me a lot of time (and therefore money), and at worst, well I'd rather not think about it.

    I'll use a non-ICT analogy. If a company contacted you out of the blue to tell you they had found a set of keys in the possession of a known criminal, along with a map with your business premises circled on it, but they refused to provide any evidence of this claim, what would you do?
    1. Spend tens of thousands paying to have all your locks changed and a new security system put in? No you would not, because quite apart from the cost the real issue would be how did this criminal come by your keys in the first place? Is someone culpable? Was someone you trust involved? And what if you did spend tens of thousands on these measures, sacked your head of security as a precaution, and then found out that the claim was a hoax all along? Well I need not spell out the implications there.
    2. Perhaps you would dismiss it as a hoax and sleep soundly afterwards? Again, no you would not, as you could never be sure it was a hoax and your insurance company would probably look very dimly on your inaction.

    Hopefully you're seeing my point. The claim the alert makes is so significant that it must be explained in adequate detail, and if necessary backed up with evidence, otherwise I cannot know how to act and I am left in an extremely difficult situation.

    I think Experian need to start taking this a lot more seriously, very quickly.

    Hi Spoovy,
    I do appreciate your concerns and can understand the potential risks and actions that may need to be taken depending on what the system has found. For me to look into this further for you I will need you to email me. I understand you may not want to do this due to security concerns; however, I unfortunately cannot assist you further unless you do.

    Regards
    Joe
    Official Company Representative