
Equihax - mzs
https://krypt3ia.wordpress.com/2017/09/14/equihax/
======
3JPLW
Note the new edit on the blog post: They silently corrected the sample data
for Bill Gates, changing his state from WI to WA. Major red flag; if it was
wrong in the original data just keep it that way and release a few more
samples for verification.

~~~
xena
i mean to be fair it got fixed on the onion site.

------
robertelder
Cool, this is good news as it means I might actually be able to find out my
credit score.

I recently sent in an application to Equifax to get my credit score along with
all the security documents, proof of address, passport, drivers license,
registered mail etc. and they rejected my application because I didn't provide
a hydro bill. Unfortunately, I live in an apartment and I don't pay hydro, so
I sent in a copy of the lease agreement instead but that wasn't good enough :(

~~~
vadym909
If it's only the score you want, can't you get that from creditkarma for free?

~~~
jlgaddis
You can also get it for free from (at least) American Express and Discover if
you have a credit card from them. I'm sure there are other card issuers that
give it to you for free as well.

~~~
ballenf
And Mint (owned by quicken) so you don't even need to open a new account or
ding your credit. They do, however, serve you ads based on your data -- mostly
credit card offers.

------
gervase
In case anyone else is curious about any ongoing activity (none yet) at the
listed addresses, and didn't feel like transcribing:

[https://blockchain.info/address/1KELNpR9ECN46QaNGxPhoJDL4iqa...](https://blockchain.info/address/1KELNpR9ECN46QaNGxPhoJDL4iqaa7Hgch)

[https://etherscan.io/address/0x8D992F58f3887cCD72A14FE29aD22...](https://etherscan.io/address/0x8D992F58f3887cCD72A14FE29aD22Ed0789f70Ef)

~~~
VMG
let us keep in mind that these balances can be inflated by the final
recipients

------
Ajedi32
I actually kinda hope all the data is made public, as that would (at least
hopefully) force people to stop treating knowledge of someone's SSN as valid
proof of identity, and lead to a better situation overall.

~~~
sixothree
What's your SSN and credit score? Just curious.

~~~
takeda
You're missing the point. A single person exposing their SSN right now will
suffer, but if everyone's SSN is accepted the companies would have to
acknowledge that SSN is no longer secret (in fact it never was intended to be
secret).

This whole mess could be trivially fixed by credit bureaus introducing a PIN
for every person and requiring it for opening a new credit line (the issue is
whether they could keep it safe, but at least it would resolve this problem).

They even already have such mechanism in place, which is done through freezing
the file. The problem is that for some crazy reason we are charged when we are
trying to protect ourselves.

~~~
sixothree
You forgot your credit score.

~~~
dx034
The number itself doesn't tell you much. The score of someone who was
constantly indebted can be high as long as they always paid on time. Higher
than for someone who earns >$100k per year and never needed to take on debt.
Obviously very low scores tell you that something's likely wrong (if the data
is correct), but medium to high scores without the credit report don't say
much about a person.

~~~
sixothree
That is after all what we're talking about here.

------
philipodonnell
Maybe the hack occurred on an api reporting server? The examples look like
logs of api requests to something that generates PDF versions of credit
reports, like an API a bank might use to access credit reports.

When you get your report it goes through a process of "generating" the report
which you then download as a PDF. This could be logs from that generation
service.

If the hackers got unrestricted access they may have found the API's logs and
just copied them along with the PDFs?

------
thedevil
If I were the real hacker, I would prove it by leaking information that wasn't
already public.

If I were someone pretending to be the real hacker, I would show a screenshot
of SSNs that I could find with Google (e.g. Kim Kardashian, Donald Trump, and
Bill Gates).

~~~
wyldfire
I think you're right. But if they had leaked information that wasn't public,
we wouldn't have a way to verify it, right?

~~~
ribosometronome
Well, I suppose you could always try applying for a credit card with the
leaked info and seeing if you get approved!

~~~
chias
Doesn't necessarily work. In my late teens I got confused about what my SSN
actually was, and entered it wrong when opening a bank account / credit card.
Worked fine.

I realized my mistake a few years later and went through quite the endeavor to
fix it.

------
Beltiras
I wonder if this will introduce instability in credit for consumers. Could
this actually have long term ramifications for the US economy?

~~~
ryeguy_24
I wonder as well. I think we all forget how important credit reports are in
giving banks comfort to lend (not that this is the only way to do it, but it
seems that this is the current way). If people can default on an
uncollateralized loan with no ramifications, no bank would lend and the credit
engine would shut down.

~~~
hedora
People also forget about the rule of law. I defaulted on my loan?

Sue me.

Want to give me a loan? Search for me in public court records.

~~~
ryeguy_24
If you think about it from the bank's perspective though, why would they lend
you any money if you were likely to default and they would have to sue you to
get money back. That would mean that the cost of your loan would go up for
them and therefore, your borrowing rate goes up tremendously.

Humans don't have an innate right to borrow money. It's a service provided by
financial institutions for a fee. I don't think credit reports are the best
solution (far from it) but they definitely improve your ability to borrow
money, at least if you have a good one. :)

~~~
alasdair_
>Humans don't have an innate right to borrow money. It's a service provided by
financial institutions for a fee.

This would be fine, except those financial institutions get THEIR money from
the fed discount window. If their service was entirely private, that would be
one thing but having the government involved changes the concept of "rights",
especially when the fed loans out money with the express reason that the banks
will loan it out in turn.

~~~
aianus
Their usage of the discount window has to be minuscule compared to customer
deposits, no?

~~~
jessaustin
Over the last decade it's basically their only source of profit.

------
hamburglar1
This looks like B.S. to me.

- Who would store date of birth as a string?
- If we are stringifying dob, why is address still separated?
- Why are the credit report resource Ids in the thousands, not 1M+?
- Why is the file size null but the file is listed with its mimeType?

I know equifuckingsucks at security but this is a setup that would actually
just be difficult to interact with from a data standpoint.

~~~
jerf
"Who would store date of birth as a string?"

Enterprise.

"If we are stringifying dob, why is address still separated?"

Enterprise.

"Why are the credit report resource Ids in the thousands, not 1M+?"

Enterprise.

"Why is the file size null but the file is listed with its mimeType?"

Enterprise.

Be grateful you are in a position to be horrified. I'm currently fighting my
way through a system that is not currently "Enterprise" yet, but was certainly
headed full bore in that direction.

~~~
koolba
Exactly. The data model, and particular data typing, being terrible is more
indicative of it being legit. Not less.

~~~
zwerdlds
Anyone who has to work with the clowns in the credit reporting biz knows that
this data is probably sitting on some COBOL-backed shimmed-out VAX talking to
drum memory storage.

------
sschueller
600 BTC = ~2,111,994 USD

~~~
thephyber
Note: The value of BTC dropped more than 10% in the past 8 hours, so the value
of the ransom just became much more affordable than before, although it's
still higher than the middle of May when Equifax claims the breach began.

~~~
abruzzi
Just an aside, "ransom" is probably not the right word, since I presume they
are not taking money to destroy or not release the data. They're selling the
data to anyone, and probably will be happy to sell the same data many times
over.

------
simik
Instructions for the private buy don't make sense. The transaction id is
public, so anyone can write to them and claim a transaction is theirs.

~~~
shawabawa3
Presumably first person to email gets the private address to buy, so if you're
slow you'll have wasted 0.2BTC

~~~
zwily
They should have had you send a message signed with the source address of the
0.2 to their email.

~~~
yebyen
I was going to say "Nobody would know how to do this" but in reality, it's
probably a bit more like "Not enough people would know how to do this" and if
they're taking increments of 0.2BTC, they're hoping or expecting to get some
real volume.

Making it just hard enough that anyone with a Coinbase account and a credit
card can't just do it without actually running a full node of their own, would
probably be bad for business.

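The check zwily describes, written out as an added example (it is not part of
this thread, the listing, or any Bitcoin software): the buyer signs a
seller-issued challenge with the private key behind the address that funded the
payment, and the seller accepts only if the signature verifies and the signing
key maps to the address seen on-chain. A bare txid, as simik notes, is public
and proves nothing. Standard-library Python with a small pure-Python secp256k1;
the curve constants and the "Bitcoin Signed Message:\n" digest prefix are the
real Bitcoin ones, while the address derivation (truncated sha256 in place of
hash160 plus base58) and the plain (r, s) signature encoding are simplifications
assumed for the demo, and every key, txid and challenge string is constructed.

```python
"""Proof-of-payment: sign a seller challenge with the key that controls the paying address.

Added example, not code from the listing or from Bitcoin Core.  Standard library only.
Real: secp256k1 constants, the "Bitcoin Signed Message:\n" digest.  Assumed/simplified:
address = truncated sha256(pubkey) (real: hash160 + base58/bech32); signature = (r, s)
(real signmessage: base64 recoverable signature).  All keys and the txid are demo values.
"""
import hashlib
import hmac

# secp256k1 domain parameters (real values)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _add(p, q):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    x1, y1 = p
    x2, y2 = q
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P   # tangent slope (a = 0)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def _mul(k, p):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, p)
        p = _add(p, p)
        k >>= 1
    return acc


def keypair(seed: bytes):
    """Derive a private scalar from a seed (demo only) and its public point."""
    d = int.from_bytes(hashlib.sha256(seed).digest(), "big") % N or 1
    return d, _mul(d, G)


def address_of(pub) -> str:
    """ASSUMPTION: stand-in address = first 20 bytes of sha256(uncompressed pubkey).
    Real addresses use ripemd160(sha256(pubkey)) plus an encoding step."""
    raw = b"\x04" + pub[0].to_bytes(32, "big") + pub[1].to_bytes(32, "big")
    return hashlib.sha256(raw).digest()[:20].hex()


def message_hash(msg: bytes) -> int:
    """Bitcoin signed-message digest (real convention): double sha256 over the magic
    prefix, a compact-size length byte, and the message."""
    if len(msg) >= 0xFD:
        raise ValueError("multi-byte compact-size lengths not implemented in this demo")
    data = b"\x18Bitcoin Signed Message:\n" + bytes([len(msg)]) + msg
    return int.from_bytes(hashlib.sha256(hashlib.sha256(data).digest()).digest(), "big")


def sign(d: int, msg: bytes):
    z = message_hash(msg)
    # Deterministic nonce from HMAC(d, z): a simplification of RFC 6979, never random.
    k = int.from_bytes(hmac.new(d.to_bytes(32, "big"), z.to_bytes(32, "big"),
                                hashlib.sha256).digest(), "big") % N
    while True:
        k = k or 1
        r = _mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * d) % N
        if r and s:
            return r, s
        k = (k + 1) % N


def verify(pub, msg: bytes, sig) -> bool:
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    z = message_hash(msg)
    w = pow(s, -1, N)
    x = _add(_mul(z * w % N, G), _mul(r * w % N, pub))
    return x is not None and x[0] % N == r


def seller_accepts(funding_address: str, challenge: bytes, pub, sig) -> bool:
    """The signature must verify AND the key must be the one behind the address that
    actually sent the coins.  Knowing the public txid alone gives an impostor neither."""
    return verify(pub, challenge, sig) and address_of(pub) == funding_address


# Constructed demo: the seller ties the challenge to the claimed payment.
TXID = "ab" * 32                       # placeholder txid, not a real transaction
CHALLENGE = f"I control the input of txid {TXID}; send listing details".encode()


def demo():
    buyer_d, buyer_pub = keypair(b"buyer demo seed")          # demo key, not real
    funding_address = address_of(buyer_pub)                   # what the seller saw on-chain
    honest = seller_accepts(funding_address, CHALLENGE, buyer_pub, sign(buyer_d, CHALLENGE))
    # Impostor knows the txid and the funding address (both public) but not the key.
    imp_d, imp_pub = keypair(b"impostor demo seed")
    impostor = seller_accepts(funding_address, CHALLENGE, imp_pub, sign(imp_d, CHALLENGE))
    return honest, impostor


if __name__ == "__main__":
    honest, impostor = demo()
    print("honest buyer accepted:", honest, "| impostor accepted:", impostor)
```

Bitcoin Core's signmessage/verifymessage use a recoverable compact signature,
so the verifier needs only the address rather than the public key; the
seller-side decision is the same. Binding the challenge to the txid also stops
a signature captured from one purchase being replayed against another listing.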
------
Tasboo
This seems odd to say, but if they included a price for just a simple
name+birth date query, there is probably a decent price point people would
actually pay just to know if they are on there. Like if they have even just
half of the names querying for their own identities for like $30 a pop, that'd
be more than what they are asking for for the whole bulk.

~~~
vaishaksuresh
Think of the operational cost involved to satisfy everybody's query.

~~~
spraak
Couldn't it easily be automated? A lot of upfront work but then just
monitoring.

~~~
vaishaksuresh
Running servers takes resources too and in this case the servers need to
support millions of queries.

------
blondie9x
Bitcoin and Ethereum are used too much for money laundering. They need to be
regulated. There is also so much energy used to mine the coins. More than many
countries. We need to really think about what we get out of building a money
laundering technology primarily used on the dark net.

~~~
int_19h
Strong encryption is used too much to coordinate illegal activities, such as
terrorism. It needs to be regulated.

Except, how do you actually intend to regulate it? Enacting a law to do so is
easy. Actually enforcing that law is another matter.

~~~
LambdaComplex
And you know who terrorists recruit? _Children_.

You _do_ care about the children, don't you?

------
paulddraper
> It claims to be the real EQUIFAX hackers, unlike the last darknet site that
> was soon taken down by morons.

I hadn't heard about this last site. How did morons take it down? Or is that
supposed to mean that morons put it up? English...

~~~
uniformlyrandom
Both. Morons put it up, got called on it by non-morons, and then took it down.

------
sschueller
Are those Donald Trump, Kim Kardashian and Bill Gates real SS numbers?

~~~
msumpter
Dunno why, but just surprised that Kim K's credit score with Equifax is 643.
Unrelated, sorry.

~~~
hedora
That makes sense to me.

Having zero debt (and no credit cards) can easily knock your score that low,
even if you have a perfect payment record.

The whole credit score thing is an extortion game:

To the consumer: Want a loan? Buy everything on cash back cards.

To vendors: Don't like the fact that we're upping transaction fees? What
percentage of your customers use credit cards again?

If they actually were worried about your ability to repay a new debt, the fact
that you already have a pile of debt would not _increase_ your score.

~~~
skookum
It's not the pile of debt that increases the score. It's the history of
repaying that debt per its agreed terms that does.

While I'm not a fan of the credit bureau system, I understand the reasoning
behind it. It's an efficient way for creditors to get access to the needed
information. Lacking that, to allow the bank to evaluate your creditworthiness
among other things you'd likely have to provide a list of references of past
creditors and then your new potential creditor would have to validate those
references individually: verify you had credit with them, verify you adhered
to the payment terms, etc.

For better or for worse today instead of an on-demand complete graph we've got
a centralized cache. This serves the needs of the financial players better
(read: cheaper) while putting the PII of consumers at more risk.

~~~
int_19h
The point is that the credit score system is utterly dominated by past credit
(and its repayment), even though other factors (like current wealth and
income) are far more important in practice - and this leads to paradoxical and
absurd situations where someone can be filthy rich, but have low credit score
because they have zero credit history, never having taken a loan.

Many other countries don't have such a system, and creditors use your past and
projected income as a basis for making decisions.

~~~
skookum
> other factors (like current wealth and income) are far more important in
> practice - and this leads to paradoxical and absurd situations

From the perspective of the finance industry, these "absurd situations" are so
far below the level of noise that they are effectively theoretical. If you
want to discuss "in practice": in practice the users of the US credit system
have no "current wealth" worth speaking of (look up the median net worth of US
households), and their ability to maintain their existing debt is the defining
feature of their financial status.

~~~
int_19h
Income is more important than wealth, anyway.

Again, there are many countries - including First World European countries -
that don't have the credit score system, or only have reports on non-payments
(usually govt-run). They seem to be doing just fine.

~~~
skookum
Lenders in the US are just trying to maximize their risk-adjusted profit -
there's no conspiracy here. If income alone was just as good as income + debt
servicing history for making the statistical decisions required to maximize
credit industry profits (decisions like whether or not to lend, at what rate,
at what ratio to income/assets, etc), do you think the lenders would pay the
overhead of the additional useless tracking? Are you suggesting that Equifax &
Co. are pulling a fast one on the US lenders and their armies of actuaries and
after all these years the lenders haven't noticed the uselessness of the
product?

~~~
int_19h
Not at all. My point, rather, is that the credit industry can still function
pretty damn well without having access to aggregated credit history and
scores, and so banning the practice altogether, or severely limiting the
amount of data so collected, in the interests of public good (privacy
protections etc), should be considered a viable option on the table.

------
astura
EDIT: see philipodonnell's reply to this post for an alternative explanation.
I may have jumped the gun.

As far as I know credit scores are not part of credit reports as they do not
show up when you request your credit report. If they were storing "credit
score" as part of your credit report but withholding that information when you
request a copy that would seem to violate the Fair Credit Reporting Act.

It wouldn't really make sense to store a credit score with the report anyways,
it would only make sense to generate it on the fly only when a lender requests
it. I'm assuming that different creditors report credit information on
different days so it would be changing every time a creditor submitted
information on that person which would be multiple times a month for someone
with multiple accounts. And if the credit score algorithm was updated they
would have to recalculate the "credit score" field on the entire database!
This wouldn't really make sense from a technical perspective.

Furthermore, there's not just one "credit score," there's different algorithms
for coming up with a credit score. One creditor may request FICO 8 and another
one may request VantageScore 3.0 on the same day. Then another comes by and
wants FICO 5. So even if they were saving a credit score in the database I wouldn't
think that they would have a field labeled as a generic "credit score" without
any qualifier. It would be "FICO 8 score" or whatever algorithm was used to
generate the score.

There's also other problems, I don't have my Equifax report in front of me
right now but credit bureaus store alternative/former names which aren't
included here. Like for me my reported names are FirstName LastName; FirstName
MiddleInitial LastName; and FirstName MiddleName LastName. All because
different creditors reported my name slightly differently. If you change your
name (like Kim Kardashian did - she's Kim Kardashian West now) it would report
both your former name(s) and current name(s). I don't see any indication that
this sort of information is included.

Therefore I very seriously doubt the authenticity.

(From a technical perspective "pdf" is not a MIME type, the MIME type of PDF
files is "application/pdf")

~~~
philipodonnell
You're assuming this is a database dump. It looks more like logs from the
service that creates PDF versions of reports for download. That would have a
more simplistic data structure that might look like this.

~~~
smsm42
If it's a service request log, why would the service have a field requestId
and then set it to null? Of course, you can expect anything from people that
have admin/admin security on their employee portal, but it looks weird. Also,
the street data has no field for apartment number - does nobody live in
multi-tenant buildings? Of course, there may be an optional field for this, but
given how many null fields there are, it doesn't look like this API does
optional fields. In summary, the API response format could be anything, as I
said, especially from people who do admin/admin, but on the face of it it looks
questionable.

Also, why credit reports for Donald Trump and Kim Kardashian were created at
the same second and then modified at the same second? Probability of this
happening as a result of natural client activity - i.e. just watching the logs
of the active service - is zero. If the attackers had access to this service
and initiated the requests, then why not show the resulting PDFs, that they
supposedly also must have had access to if they had access to the API?

~~~
smsm42
Also, a quick search shows that the SSNs of Trump, Kardashian and Gates have
been published before. Which means this sample contains only information that
is in the public sources already, or is meaningless (like IDs). Thus, at least
the JSON dump thing proves exactly nothing. Of course, if they published a
previously unpublished SSN, we'd have hard time verifying it too, so not sure
what could be a good proof here...

~~~
pbadenski
Presumably if someone wanted to sell this data for big bucks they would have
found a way to provide a sufficient and satisfying proof.

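The sanity checks raised across this subthread (hamburglar1, astura, smsm42),
collected into one script as an added example that is not part of the thread
or the darknet page. The darknet sample itself is not reproduced here: the
record shape below is constructed from the commenters' descriptions (requestId
null, small report ids, fileSize null beside a mimeType of "pdf", an address
object with no unit field, distinct subjects created and modified in the same
second) and every value is a placeholder. Only the checks that survived the
thread's pushback are encoded; "dob as a string" is left out because, as jerf
says, that alone tells you nothing.

```python
"""Plausibility checks for a leak "sample" record.

Added example for this thread.  SAMPLE_JSON is constructed from the commenters'
descriptions of the darknet page; the field names are assumptions and the values
are placeholders (no real PII).  The checks are the ones raised in the discussion.
"""
import json
from collections import defaultdict

# Constructed sample in the shape the commenters describe; record 3 is a "clean"
# control so the checks can be seen passing as well as failing.
SAMPLE_JSON = r'''
[
  {"requestId": null, "reportId": 4521, "firstName": "Subject", "lastName": "One",
   "dob": "1960-01-01", "ssn": "***-**-0001",
   "address": {"street": "1 Example Way", "city": "Nowhere", "state": "XX", "zip": "00000"},
   "score": 700, "fileSize": null, "mimeType": "pdf",
   "createdAt": "2017-09-13T21:14:05Z", "modifiedAt": "2017-09-13T21:14:05Z"},
  {"requestId": null, "reportId": 4522, "firstName": "Subject", "lastName": "Two",
   "dob": "1980-02-02", "ssn": "***-**-0002",
   "address": {"street": "2 Example Way", "city": "Nowhere", "state": "XX", "zip": "00000"},
   "score": 643, "fileSize": null, "mimeType": "pdf",
   "createdAt": "2017-09-13T21:14:05Z", "modifiedAt": "2017-09-13T21:14:05Z"},
  {"requestId": "7f3c", "reportId": 18422017, "firstName": "Subject", "lastName": "Three",
   "dob": "1975-03-03", "ssn": "***-**-0003",
   "address": {"street": "3 Example Way", "unit": "4B", "city": "Nowhere", "state": "XX", "zip": "00000"},
   "score": 712, "fileSize": 18234, "mimeType": "application/pdf",
   "createdAt": "2017-09-13T21:20:41Z", "modifiedAt": "2017-09-13T21:20:41Z"}
]
'''

# Field names a real address schema might use for a unit; assumed, not from the page.
UNIT_KEYS = ("unit", "apt", "apartment", "line2", "address2")


def record_findings(rec: dict) -> list:
    """Per-record red flags.  Each string starts with the field name it concerns."""
    out = []
    if "requestId" in rec and rec["requestId"] is None:
        out.append("requestId: present but null in what is supposedly a request log")
    mime = rec.get("mimeType")
    if mime and "/" not in mime:
        out.append(f"mimeType: {mime!r} is not a MIME type (expected e.g. application/pdf)")
    if mime and rec.get("fileSize") is None:
        out.append("fileSize: null although a stored file is referenced by mimeType")
    rid = rec.get("reportId")
    if isinstance(rid, int) and rid < 1_000_000:
        out.append(f"reportId: {rid} is implausibly small for a bureau-scale resource id")
    addr = rec.get("address")
    if isinstance(addr, dict) and not any(k in addr for k in UNIT_KEYS):
        out.append("address: no apartment/unit field at all")
    return out


def cross_record_findings(records: list) -> list:
    """Flags visible only across records: distinct subjects whose reports were created
    and modified in the same second, which organic API traffic would not produce."""
    by_stamp = defaultdict(list)
    for rec in records:
        by_stamp[(rec.get("createdAt"), rec.get("modifiedAt"))].append(rec.get("reportId"))
    return [f"reports {ids} share createdAt/modifiedAt {stamp[0]}"
            for stamp, ids in by_stamp.items() if len(ids) > 1]


def assess(json_text: str) -> dict:
    """Return {reportId: [findings]} plus a "_cross" entry for cross-record findings."""
    records = json.loads(json_text)
    result = {rec.get("reportId"): record_findings(rec) for rec in records}
    result["_cross"] = cross_record_findings(records)
    return result


if __name__ == "__main__":
    for key, flags in assess(SAMPLE_JSON).items():
        print(key, *flags, sep="\n  ")
```

None of these checks proves or disproves a leak on its own; as the thread
notes, enterprise schemas really do look like this. What the script gives you
is a repeatable list of the questions to put to a seller, and the cross-record
timestamp check is the one that cannot be explained away as a schema quirk.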
------
ringaroundthetx
Might as well scrap AML/KYC laws now that everyone can open any account
anywhere with someone's ID

------
weatherlight
[https://trustedidpremier.com/eligibility/enroll.html](https://trustedidpremier.com/eligibility/enroll.html)

^ you can see if you or any of the above mentioned people have been
compromised using this tool.

~~~
jnbiche
Yeah, at best, that tool from Equifax is unreliable. People have put in fake
users and SSNs and still it's told them they were affected. At worst, it's
just another way to get customers to sign up for a new service.

~~~
g051051
It's asking for the last 6 digits of SSN and name. Considering that is 1
million unique numbers, out of 146 million potentially compromised accounts,
you could probably put any number in there and be reasonably sure of getting a
hit.

~~~
jnbiche
This is a very good point and may explain this phenomenon. However, I'm not
100% sure that those numbers are equally distributed. Still, it may well
account for the fact that random numbers still resulted in a hit. Good point.

------
artursapek
Posting our president's SSN on your blog after obtaining it from a darknet
page... priceless.

~~~
sova
I applaud your concise cleverness, even if this is not the time nor the place!

------
spdustin
The social security number for Donald Trump in their sample was issued around
1963. Seems fishy.

~~~
jcwayne
He would have been around 17. That's reasonable, given that many/most didn't
get an SSN back then until they started working.

~~~
pbarnes_1
The SSA sends you one at birth (now?).

~~~
Casseres
If someone applies for it on the baby's behalf. It's still an optional program
as far as I know.

If you don't have a SSN, you'll need an ITIN for taxes.

(ITIN - Individual Taxpayer Identification Number)

------
princetontiger
This really pisses me off. It's only a matter of time before some random
person opens up a cellphone, utility, or bank account... or worse. Completely
messed up.

Every American should be scared shitless at this incompetence. It's going
to cost everyone thousands of dollars over their lives for credit fraud
protection. Just another expense to add.

~~~
jimktrains2
It's also extortion. "Please pay us money to solve the massive problem we
created." I don't know how it's legal.

~~~
13of40
Not saying it would be great in the short term, but I wonder how it would play
out if the entire database was made widely available. It seems like it would
be a lot harder to enforce a debt if the borrower was originally identified
based on "secrets" that were well known to be public at the time. Maybe then
they would come up with a better authentication scheme than "what color was
your first car?"

~~~
secstate
It would be an awful lot like the end of Fight Club. Destroy credit records,
or reduce them to meaningless, either way the economy would collapse.

People can complain all they want about credit, but the reality is that it
exists as a financial service because loaning things with interest is probably
older than agriculture in human society. We've just gotten very good at risk
assessment, and this going public would ruin our ability to assess risk for
years.

Honestly, the credit industry ought to be the ones raging against Equifax's
fuck up. If only all the other credit bureaus weren't on eggshells hoping
they're not next.

~~~
ProblemFactory
Credit and existing credit records would still be easily available.

The only change would be that you need to present photo ID in person to open
new credit lines... which doesn't seem that unreasonable really.

