Equihax (krypt3ia.wordpress.com)
396 points by mzs 11 months ago | 202 comments

Note the new edit on the blog post: They silently corrected the sample data for Bill Gates, changing his state from WI to WA. Major red flag; if it was wrong in the original data just keep it that way and release a few more samples for verification.

I mean, to be fair, it got fixed on the onion site.

Cool, this is good news as it means I might actually be able to find out my credit score.

I recently sent in an application to Equifax to get my credit score along with all the security documents, proof of address, passport, drivers license, registered mail etc. and they rejected my application because I didn't provide a hydro bill. Unfortunately, I live in an apartment and I don't pay hydro, so I sent in a copy of the lease agreement instead but that wasn't good enough :(

Score or report? You're entitled to a copy of your credit report annually from each credit bureau, but not the score.

I believe lenders typically use a score computed by a third party - often the "FICO Score," from Fair Isaac.

It is common for them to refuse to give you the legally required annual credit report because the data they use to verify your identity is wrong.

Presumably, if you had your record from the dump, you could type in the wrong answers they are looking for and get your free Equifax report.

Usually, only one or two of the big three have a poison record that blocks access, so I guess this would only reliably unlock Equifax reports.

Same here.. I applied for a loan and they found that Equifax doesn't even have my report (although the other two do). After countless phone calls they agreed to start the investigation and then the hack happened. The whole concept of private credit bureaus (that too, multiple ones whose data don't match up) is fucked up. I think the federal govt should step in and put a stop to this.

The federal government is the reason it is this way-- the FCRA "Fair Credit Reporting Act" is what gives these bureaus virtual immunity from liability for propagating false information and the like. This is a great example of where regulation is anti-consumer because the regulations that pretend to protect consumers provide very little protection for consumers and a great deal of protection for the CRAs.

If it's only the score you want, can't you get that from creditkarma for free?

Yes. They also have your credit history.

And, critically, a decent modern website/app and good enough customer support.

You can get a "FAKO" score from CreditKarma.

FYI, "FAKO" is VantageScore 3.0. It's colloquially called FAKO because 90% of lenders use some variation of FICO instead.

Regardless if it's FAKO or FICO score that you are looking at, they are calculated on the same credit history in your credit report (as far as I know). So, even if the scores are calculated in different ways it's reasonable to expect a high VantageScore 3.0 score will also show as a high FICO score too, even if the numbers aren't exact.

Does anyone know the specific differences in how these two scores are calculated?

FICO is an acronym for Fair, Isaac, and Company. Their "FICO Score" is a piece of software that they make and sell. I'm sure the details are a little more complicated than I'm making it sound, but it's essentially software which is sold. Just like any software, there are different versions - and it's possible to get stuck on an old version if you don't pay for updates. There's FICO 98 (from 1998), FICO 04 (2004), FICO 8 (2008) and FICO 9 (2014). [1][2].

The FICO Software is a scoring engine which will produce an output based on the input you provide it. The three big credit bureaus collect data about you and feed it into the FICO Score software. Even if they all have the same version of the FICO software, because each bureau might have slightly different data on you, your score may be different from each one. Presumably, the FAKO companies also have the FICO Score software, but a much more limited set of data to feed into it - thus making the score less reliable to someone looking to issue you a loan (Big Bank).

At least, that is my understanding of how it works - admittedly, I may be mistaken and welcome corrections.

[1] https://en.wikipedia.org/wiki/Credit_score_in_the_United_Sta... [2] http://www.fico.com/en/02-02-2015-fico-makes-additional-fico...

I believe the FICO algorithm is not public, so there would be no way for us to know exactly how they calculate our scores.

We only know the factors that go in to the algorithm, and the score that comes out. Basically, a black box.

I've read in another thread here on HN that we also don't know the factors that go in. Someone listed off things like company title, marital status, # kids, car make/model kind of stuff. No idea if they were full of BS, but there's no requirement that the score is based solely on items in your credit report. We can probably (hopefully?) be sure that no race or race-correlated factors are included. (And same for other protected classes.)

I remember at uni a teacher asking why people with larger shoes are more likely to default?

Answer was: Men tend to have larger feet.

I guess even if you ignore race, sex and other factors, data will seep in eventually anyways.

You can also get it for free from (at least) American Express and Discover if you have a credit card from them. I'm sure there are other card issuers that give it to you for free as well.

And Mint (owned by quicken) so you don't even need to open a new account or ding your credit. They do, however, serve you ads based on your data -- mostly credit card offers.

Citibank card holder here - getting free FICO via my online account.

Correct. Chase offers it as well.

Does creditkarma sell your credit information to people when you sign up with them?

How else would they make enough money to exist?

Bank of America now offers it for free too...

CreditKarma does it for free, if you're in the US (no idea about outside the US). So does mint.com. So do many other credit card companies. I now have 6 or 7 credit scores, all curiously different (though within certain range of each other).

Because there are lots of different scoring algorithms. There are several different ones from FICO themselves (so there is no single one FICO score), and they have several competitors that have different algorithms. Even when using the same algorithm, you will have a different score for each credit report.

True, but in my experience they are all within the same range. If you get a "good" score on one of them, you'd get the same on the others. They may emphasize slightly different things but there's not that much difference. Also, nobody really checks that score with point accuracy - there are ranges, but I'd be very surprised if the difference within a range, say 750 to 765, means too much.

Yeah, they are usually similar. The thing is, for many underwriters, if you are even 1 point below their range on even one report, you will be rejected. Usually there are things most consumers can do to boost their score by a few points, though, reasonably quickly.

0.2 BTC is currently >600 USD. There's a cheaper way to get a credit score.

Well yeah, but you can get your credit score and that of thousands of other people!

> Cool, this is good news as it means I might actually be able to find out my credit score.


the brighter side is the side of genius

In case anyone else is curious about any ongoing activity (none yet) at the listed addresses, and didn't feel like transcribing:



let us keep in mind that these balances can be inflated by the final recipients

I actually kinda hope all the data is made public, as that would (at least hopefully) force people to stop treating knowledge of someone's SSN as valid proof of identity, and lead to a better situation overall.

I really hope that's the outcome here. I also think this should pave the way for real legal consequences for moronic data security. Individuals are banned from using computers when prosecuted, what about "no internet for companies who've proven they can't use it responsibly"

> real legal consequences for moronic data security

This could go really wrong if we let non-tech savvy regulators dictate tech stacks, specific hashing/encryption tools. Could work well, but just has a lot of potential to go very wrong.

Given that risk, as much as I don't want to live in an overly litigious society, letting the risk of lawsuits drive good security may be preferable to putting security in the hands of a few faceless government officials who themselves face no repercussions for getting the regs wrong.

"This could go really wrong if we let non-tech savvy regulators dictate tech stacks, specific hashing/encryption tools. Could work well, but just has a lot of potential to go very wrong."

Engineers, capitalism, private business have utterly, completely, fully and in totality failed.

This is not a little failure. Not a medium one. Not a large one.

This is a foundational, cataclysmic failure of the most epic proportion.

I think the time for voluntary private action has passed.

If developers, their managers, their stakeholders, and their shareholders took security and privacy remotely seriously, we would not be here.

We are here.

It is time to admit the full and complete failure of private software companies to protect data and privacy, and time for government to create a criminal schedule for management and developers who perpetuate criminal negligence.

I believe only 2 things will solve this:

1) Massive financial loss for shareholders -- they speak 1 language, US Dollars. If we say a US Citizens data is worth $100,000, then the fines would be large enough to literally destroy any firm who dared play loose with security. If there is no existential risk, there is zero motivation for compliancy. Only existential risk matters to shareholders. The rest is Cost of Doing Business.

2) Criminal liability for management and developers of products which violate security and privacy due to criminal negligence

Without this, you can all but guarantee that your full identity is kept in plain-text and has already been stolen.

I agree that we should work to determine if there was criminal negligence and prosecute to the highest degree possible, but I find it laughable that you talk about how engineers, capitalism, and private business have completely failed.

The DNC was hacked. The FBI and CIA have had their web sites hacked. The OPM had >22 million people's personal info stolen by Chinese hackers. The NSA itself has had major incidents where essentially cyber weapons were leaked. Those are just SOME of the ones we know about.

Let's stop pretending like government is any more capable, or even as capable, of protecting data than competent corporations. When was the last time Facebook or Google had a massive data breach? It's not about 'the corporations maaan' it's about competency and the limited consequences of screwing up so bad.

Exactly this. I don't know where people get the idea that government would do this any better. I think the best regulators could do is make SSNs obsolete. A solution where knowing every possible private data point about a person is useless when attempting to steal someone's identity.

Indeed, I have had my personal data compromised more by government agencies than private (at least, as far as I've been officially/personally notified).

Problem is, on what basis is a person's "private data" worth $100,000, or will the exposure thereof cause damages of $100,000? The average person's entire net worth is only a fraction of that.

There is such a thing as punitive damages but in most civil cases a company or individual is not going to be held liable for more than actual damages.

> The average person's entire net worth is only a fraction of that

Banks are usually happy to provide you with a credit line many times your net worth if you have a reasonable credit score.

What is "really wrong" in your definition? I would say this breach is about as "really wrong" as you can get.

The threat of lawsuits already existed before this hack. Look at the multi-million payout Target paid after their credit card breach (and they say it cost their company ~200mil). So that was STILL NOT ENOUGH to change Equifax's behavior.

Improved government oversight/regulation of this industry is more than overdue. This is a national security issue and we should not have our data (and the means of protecting it) held hostage by private companies.

> Individuals are banned from using computers when prosecuted

Who is banned from using computers? You mean, in prison?

Kevin Mitnick, famously, ages ago. Not sure if anyone else has ever had that.

Samy Kamkar too for writing the Samy MySpace worm.

From Wiki:

>Samy Kamkar, the author of the worm, was raided by the United States Secret Service and Electronic Crimes Task Force in 2006 for releasing the worm.[4] He entered a plea agreement on January 31, 2007 to a felony charge.[5] The action resulted in Kamkar being sentenced to three years probation with only one computer and no use of internet,[6] 90 days community service, and $15,000-$20,000 USD in restitution, as directly reported by Samy Kamkar himself on "Greatest Moments in Hacking History" by Vice Media's video website, Motherboard.

Some convicted hackers have been banned from the internet, if ever caught using it they go back to prison.

There have been cases of people being banned from using any personal computer.

It can be a punishment for certain crimes, or an extended punishment after jail. Things like stalking where a computer was a primary method, valid threats made on a computer, etc.

Just last month, http://www.bbc.com/news/technology-40833951 "The conditions of his bail include him not being allowed to access the internet"

Samy. He was banned for a while IIRC

Mostly OT: A man who tattooed himself before the advent of Internet/online databases/Google



> Bouk, Dan. How Our Days Became Numbered: Risk and the Rise of the Statistical Individual (pp. 232-233). University of Chicago Press. Kindle Edition.

> In the case of Lange’s unemployed lumber worker, we find a man who might have opted for a tattoo because it could identify him in the case of an accident. After all, he did dangerous work. Or, as he paid money into the Social Security system, he may have wanted to ensure he’d one day be able to redeem his annuity, that he would not forget his number. Neither explanation, however, encompasses his evident pride in his number, his willingness to show off for Lange (who undoubtedly encouraged him, maybe posed him).

> Was he proud to have been, as the New York Times had put it, a “holder” of a Social Security number? Possessing such a number meant a promise of future income, protection for himself, and— after the just-completed 1939 amendments that included expanded support for families— protection for his wife and future children against his old age or death. Maybe he felt pride in the New Deal, in a government committed to him and his family, and advertised that pride on his bicep. Or perhaps, his tattoo displayed a workingman’s pride in his gender and class identities. Possessing such a number signaled his status as an industrial worker. Such status mattered in a bean-picking camp where most pickers had been excluded from eligibility for Social Security. Possessing an account set this unemployed lumber worker apart, probably even from his bean-picking wife.

I hope this is fake and some would-be scammers get scammed by a scammer.

Me too, the current system has a steady leak that cannot be patched. Sink the ship and let's build something better.

This is some Mr. Robot / Fight Club shit. Get it over with.

What's your SSN and credit score? Just curious.

You're missing the point. A single person exposing their SSN right now will suffer, but if everyone's SSN is exposed the companies would have to acknowledge that the SSN is no longer secret (in fact it never was intended to be secret).

This whole mess could be trivially fixed by credit bureaus introducing a PIN for every person and requiring it for opening a new credit line (the issue is whether they could keep it safe, but at least it would resolve this problem).

They even already have such a mechanism in place, which is done through freezing the file. The problem is that for some crazy reason we are charged when we are trying to protect ourselves.

You forgot your credit score.

The number itself doesn't tell you much. The score of someone who was constantly indebted can be high as long as they always paid on time. Higher than for someone who earns >$100k per year and never needed to take on debt. Obviously very low scores tell you that something's likely wrong (if the data is correct), but medium to high scores without the credit report don't say much about a person.

That is after all what we're talking about here.

This seems a bit like replying to a suggestion that the world would be a better place without nuclear weapons by telling the other person to unilaterally disarm.



New Hampshire, eh

Donald Trump's SSN

Only if you're old enough.

Maybe the hack occurred on an api reporting server? The examples look like logs of api requests to something that generates PDF versions of credit reports, like an API a bank might use to access credit reports.

When you get your report it goes through a process of "generating" the report which you then download as a PDF. This could be logs from that generation service.

If the hackers got unrestricted access they may have found the API's logs and just copied them along with the PDFs?

If I were the real hacker, I would prove it by leaking information that wasn't already public.

If I were someone pretending to be the real hacker, I would show a screenshot of SSNs that I could find with Google (e.g. Kim Kardashian, Donald Trump, and Bill Gates).

I think you're right. But if they had leaked information that wasn't public, we wouldn't have a way to verify it, right?

Maybe. If I were the real hacker wanting to prove it, I'd maybe leak a few celebrities without previously leaked SSNs. I think at least one of them would unintentionally verify it for the public by getting upset and ranting on Twitter. If that didn't work, I'd try something else.

Disclaimer: I'm no expert on security. I just like applying my things-I-might-do technique.

Well, I suppose you could always try applying for a credit card with the leaked info and seeing if you get approved!

Doesn't necessarily work. In my late teens I got confused about what my SSN actually was, and entered it wrong when opening a bank account / credit card. Worked fine.

I realized my mistake a few years later and went through quite the endeavor to fix it.

If I were trying to prove I had the data, I would pick a very rich but private street, say in Beverly Hills or Jackson Hole, and release all data from all people who lived there.


Don't think it's an issue for them, they can hire a lawyer to ensure that no fraudulent account is opened or stays open.

You miss the point. It's not about protecting yourself from credit fraud. It's about every one of your snooty neighbors knowing your financial situation. And you knowing theirs.

I wonder if this will introduce instability in credit for consumers. Could this actually have long term ramifications for the US economy?

I wonder as well. I think we all forget how important credit reports are in giving banks comfort to lend (not that this is the only way to do it, but it seems that this is the current way). If people can default on an uncollateralized loan with no ramifications, no bank would lend and the credit engine would shut down.

People also forget about the rule of law. I defaulted on my loan?

Sue me.

Want to give me a loan? Search for me in public court records.

If you think about it from the bank's perspective though, why would they lend you any money if you were likely to default and they would have to sue you to get money back. That would mean that the cost of your loan would go up for them and therefore, your borrowing rate goes up tremendously.

Humans don't have an innate right to borrow money. It's a service provided by financial institutions for a fee. I don't think credit reports are the best solution (far from it) but they definitely improve your ability to borrow money, at least if you have a good one. :)

>Humans don't have an innate right to borrow money. It's a service provided by financial institutions for a fee.

This would be fine, except those financial institutions get THEIR money from the fed discount window. If their service was entirely private, that would be one thing but having the government involved changes the concept of "rights", especially when the fed loans out money with the express reason that the banks will loan it out in turn.

Maybe a bit, but banks get a majority of their money from deposits. That's their business. Take deposits (pay low interest) and loan it out (higher interest) with some credit risk. The Fed window is a last reserve to protect them from a run on the bank. They could do their business without the Fed window but with a conservative loan-to-deposit ratio. The government doesn't want that because when a bank goes under, banks stop lending which shuts down the economy.

Their usage of the discount window has to be minuscule compared to customer deposits, no?

Over the last decade it's basically their only source of profit.

Courts don't report when you are habitually 30+ days late on your loan payments but still pay them off. Courts also don't report how much debt you have. It would also not have any positive information about you, like how many loans you've taken out but paid back successfully and on time.

Economies of scale. Pulling a credit score costs about $.30 and takes two seconds. How long will it take to search public court records?

Besides, it's not only the bankruptcies that count. Good tradelines are also important, and those are not public.

From what I hear it will just be uncomfortable for customers. Banks will have to make sure that you're really who you are. Where you could open an account with SSN before you'll now need more proof that it's you. Meaning you'll have to supply more documents and more "security questions".

That could lead people to not open an account but probably won't deter people from taking out a loan. But will be a big annoyance for customers.

I'm worried about a DDOS on the IRS during tax season. They already barely function.

This looks like B.S. to me.
- Who would store date of birth as a string?
- If we are stringifying dob why is address still separated?
- Why are the credit report resource Ids in the thousands not 1M+?
- Why is the file size null but the file is listed with its mimeType?

I know equifuckingsucks at security but this is a setup that would actually just be difficult to interact with from a data standpoint

"Who would store date of birth as a string?"


"If we are stringifying dob why is address still separated?"


"Why are the credit report resource Ids in the thousands not 1M+?"


"Why is the file size null but the file is listed with its mimeType?"


Be grateful you are in a position to be horrified. I'm currently fighting my way through a system that is not currently "Enterprise" yet, but was certainly headed full bore in that direction.

Exactly. The data model, and in particular the data typing, being terrible is more indicative of it being legit. Not less.

Anyone who has to work with the clowns in the credit reporting biz knows that this data is probably sitting on some COBOL-backed shimmed-out VAX talking to drum memory storage.

Indeed. This is one of those cases where reality is worse than the fabrication.

Yeah, but it'd be easy to repackage from a million other sources.

sad truth

That's exactly what I thought.

I consulted on an enterprise project once with EVERY column in EVERY table set to string because the engineers didn't want to think about datatypes.

All the queries used wild cards or just pulled back a ton of data and did the filtering and sorting in the application code.

That job sucked.

I consulted on a large healthcare data project with similar problems. Even "primary" keys were strings. Most tables had no indexes. (The developers routinely argued that they needed new servers with more RAM because they couldn't run multiple database queries at the same time. They already had 64 GB RAM.)

Yes! It had a lot of index-less tables. Then you put an index on something and everyone treats you like a magician after you convince them the additional write is worth it.

Most days I worry I'm an imposter, but when I hear that there are groups of people running databases with no idea that indexes are a thing, I think maybe I should ask for a raise.

Or one of the developers deletes the index you've just added... because it uses too much disk space.

No, no, no! They get religion and put an index on every column.

So a different question: why would enterprise store it in a JSON? :)

Some new interface so that they can claim they're "Fintech" to others while the core still runs on a mainframe. At least that's how banks manage to create nice apps while using a core system from the 70s.

This is a JSON representation. Probably not even the storage format. But even if it were, in JavaScript, new Date("MM/DD/YYYY") parses correctly.

I don't think it's as difficult as you are imagining.

It also doesn't need any formatting in order to be displayed, which is likely its only real use.
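The comments above note that a string-typed date of birth is no obstacle to using the records, because the engine's lenient `new Date("MM/DD/YYYY")` accepts it. As an added example (not code from this thread, from Equifax, or from any system the screenshot shows), the JavaScript below shows the flip side for anyone who has to ingest such records defensively: a strict MM/DD/YYYY validator that rejects what the lenient parser would silently accept or normalise (a nonexistent day rolling into the next month, a different field order, trailing garbage). The record shape and the field name `dob` are assumptions for the example; the sample records are constructed.

```javascript
// Added example, not from the thread. Strictly validates a string-typed
// date of birth in the assumed "MM/DD/YYYY" shape, instead of trusting the
// engine's lenient Date parser.
const DOB_RE = /^(\d{2})\/(\d{2})\/(\d{4})$/;

// Parse "MM/DD/YYYY" into a UTC Date, or return null for anything malformed
// or impossible. Date.UTC normalises overflow (Feb 30 -> Mar 2), so the
// components are compared back against the input to catch that.
function parseDob(str) {
  if (typeof str !== "string") return null;
  const m = DOB_RE.exec(str.trim());
  if (!m) return null;
  const month = Number(m[1]);
  const day = Number(m[2]);
  const year = Number(m[3]);
  if (month < 1 || month > 12 || day < 1 || day > 31) return null;
  if (year < 1850 || year > 2100) return null; // sanity bound, assumed
  const d = new Date(Date.UTC(year, month - 1, day));
  if (
    d.getUTCFullYear() !== year ||
    d.getUTCMonth() !== month - 1 ||
    d.getUTCDate() !== day
  ) {
    return null; // overflowed: the day did not exist in that month
  }
  return d;
}

// Canonical "YYYY-MM-DD" form for a validated date, or null.
function canonicalDob(str) {
  const d = parseDob(str);
  return d ? d.toISOString().slice(0, 10) : null;
}

// What the engine's lenient parser does with the same input, for contrast.
// Returns an ISO date string or null; behaviour is engine-specific, which
// is exactly why the strict path above is preferred for ingestion.
function lenientDob(str) {
  const d = new Date(str);
  return Number.isNaN(d.getTime()) ? null : d.toISOString().slice(0, 10);
}

// Audit a batch of records (constructed sample, hypothetical `dob` field):
// returns how many validated and the ids of the ones that did not.
function auditDobs(records) {
  const rejected = [];
  let accepted = 0;
  for (const r of records) {
    if (parseDob(r.dob)) accepted += 1;
    else rejected.push(r.id);
  }
  return { accepted, rejected };
}

// Constructed sample records, not data from the leak.
const SAMPLE_RECORDS = [
  { id: 1001, dob: "10/28/1955" },   // valid
  { id: 1002, dob: "02/29/2000" },   // valid (leap year)
  { id: 1003, dob: "02/30/1990" },   // day does not exist
  { id: 1004, dob: "02/29/1900" },   // 1900 was not a leap year
  { id: 1005, dob: "1990-02-10" },   // wrong field order / format
  { id: 1006, dob: "13/01/1990" },   // month out of range
  { id: 1007, dob: null },           // missing
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(auditDobs(SAMPLE_RECORDS));
  for (const r of SAMPLE_RECORDS) {
    console.log(r.id, r.dob, "strict:", canonicalDob(r.dob), "lenient:", lenientDob(r.dob));
  }
}
```

The strict path is deterministic across engines; the lenient `lenientDob` is included only to show, on the same inputs, why "it parses" is not the same as "it is valid".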

the server password was admin/admin , do you really think your best practices apply here?

600 BTC = ~2,111,994 USD

Note: The value of BTC dropped more than 10% in the past 8 hours, so the value of the ransom just became much more affordable than before, although it's still higher than the middle of May when Equifax claims the breach began.

Just an aside, "ransom" is probably not the right word, since I presume they are not taking money to destroy or not release the data. They're selling the data to anyone, and probably will be happy to sell the same data many times over.

Maybe by the time they get their 600 BTC and go to cash out they'll be able to buy a used motorcycle. Or else a small country.

One never knows.

Nearly $3M a few days ago

Instructions for the private buy don't make sense. The transaction id is public, so anyone can write to them and claim a transaction is theirs.

Doing so wouldn't accomplish anything. The second (larger) part of the payment still has to be sent and negotiated over PGP-encrypted email.

Presumably first person to email gets the private address to buy, so if you're slow you'll have wasted 0.2BTC

They should have had you send a message signed with the source address of the 0.2 to their email.

I was going to say "Nobody would know how to do this" but in reality, it's probably a bit more like "Not enough people would know how to do this" and if they're taking increments of 0.2BTC, they're hoping or expecting to get some real volume.

Making it just hard enough that anyone with a Coinbase account and a credit card can't just do it without actually running a full node of their own, would probably be bad for business.

This seems odd to say, but if they included a price for just a simple name+birth date query, there is probably a decent price point people would actually pay just to know if they are on there. Like if they have even just half of the names querying for their own identities for like $30 a pop, that'd be more than what they are asking for the whole bulk.

Think of the operational cost involved to satisfy everybody's query.

Couldn't it easily be automated? A lot of upfront work but then just monitoring.

Running servers takes resources too and in this case the servers need to support millions of queries.

yeah that's what I thought it was going to get to when I started reading the screenshot. but I guess not all criminals are smart marketers

Bitcoin and Ethereum are used too much for money laundering. They need to be regulated. There is also so much energy used to mine the coins. More than many countries. We need to really think about what we get out of building a money laundering technology primarily used on the dark net.

Strong encryption is used too much to coordinate illegal activities, such as terrorism. It needs to be regulated.

Except, how do you actually intend to regulate it? Enacting a law to do so is easy. Actually enforcing that law is another matter.

And you know who terrorists recruit? Children.

You do care about the children, don't you?

That's over. Now there will always be another cryptocurrency to take over money transfer for criminal activities.

> It claims to be the real EQUIFAX hackers, unlike the last darknet site that was soon taken down by morons.

I hadn't heard about this last site. How did morons take it down? Or is that supposed to mean that morons put it up? English...

Both. Morons put it up, got called on it by non-morons, and then took it down.

Are those Donald Trump, Kim Kardashian and Bill Gates' real SS numbers?

These seem to have been leaked before [1, 2], so that's not very conclusive...

[1] https://www.facebook.com/HydraHackingUnited/posts/9614975439... (November 24, 2015)

[2] http://www.jeuxvideo.com/forums/1-50-138814262-1-0-1-0-qui-s... (June 20, 2013)

The third one in the screenshot seems to be for Bill Gates, though it's conveniently cut-off. Has that also been in a previous leak?

There are results showing up on the web, eg. here:


Dunno why, but just surprised that Kim K's credit score with Equifax is 643. Unrelated, sorry.

That makes sense to me.

Having zero debt (and no credit cards) can easily knock your score that low, even if you have a perfect payment record.

The whole credit score thing is an extortion game:

To the consumer: Want a loan? Buy everything on cash back cards.

To vendors: Don't like the fact that we're upping transaction fees? What percentage of your customers use credit cards again?

If they actually were worried about your ability to repay a new debt, the fact that you already have a pile of debt would not increase your score.

It's not the pile of debt that increases the score. It's the history of repaying that debt per its agreed terms that does.

While I'm not a fan of the credit bureau system, I understand the reasoning behind it. It's an efficient way for creditors to get access to the needed information. Lacking that, to allow the bank to evaluate your creditworthiness among other things you'd likely have to provide a list of references of past creditors and then your new potential creditor would have to validate those references individually: verify you had credit with them, verify you adhered to the payment terms, etc.

For better or for worse today instead of an on-demand complete graph we've got a centralized cache. This serves the needs of the financial players better (read: cheaper) while putting the PII of consumers at more risk.

The point is that the credit score system is utterly dominated by past credit (and its repayment), even though other factors (like current wealth and income) are far more important in practice - and this leads to paradoxical and absurd situations where someone can be filthy rich, but have low credit score because they have zero credit history, never having taken a loan.

Many other countries don't have such a system, and creditors use your past and projected income as a basis for making decisions.

> other factors (like current wealth and income) are far more important in practice - and this leads to paradoxical and absurd situations

From the perspective of the finance industry, these "absurd situations" are so far below the level of noise that they are effectively theoretical. If you want to discuss "in practice": in practice the users of the US credit system have no "current wealth" worth speaking of (look up the median net worth of US households), and their ability to maintain their existing debt is the defining feature of their financial status.

Income is more important than wealth, anyway.

Again, there are many countries - including First World European countries - that don't have the credit score system, or only have reports on non-payments (usually govt-run). They seem to be doing just fine.

Lenders in the US are just trying to maximize their risk-adjusted profit - there's no conspiracy here. If income alone was just as good as income + debt servicing history for making the statistical decisions required to maximize credit industry profits (decisions like whether or not to lend, at what rate, at what ratio to income/assets, etc), do you think the lenders would pay the overhead of the additional useless tracking? Are you suggesting that Equifax & Co. are pulling a fast one on the US lenders and their armies of actuaries and after all these years the lenders haven't noticed the uselessness of the product?

Not at all. My point, rather, is that the credit industry can still function pretty damn well without having access to aggregated credit history and scores, and so banning the practice altogether, or severely limiting the amount of data so collected, in the interests of public good (privacy protections etc), should be considered a viable option on the table.

Not only that. Celebrities that got money quickly often end up with debt or very little money. Having access indirectly via family members is no guarantee. For a bank, such a client can be very risky, much riskier than someone with a regular income.

No, I actually thought the same thing, which made me think maybe this isn't real? That number seems really low, doesn't it?

I wouldn't be that surprised that she would miss lots of consecutive payments. Not because she didn't have the money, but because she doesn't care. 3 late payments in a row on a mortgage, credit card, etc, drags down your score a lot.

Or perhaps she had little credit history. I could see a scenario where most of her stuff is financed through an LLC vs her personal credit. If your business is solely "being popular", almost everything is a business expense :)

I doubt she's sitting down once a week or so and paying any bills. I imagine somebody else does that for her.

Plenty of celebs are late payers. Whether that's because they pay bills themselves, or just fail to route stuff to their accountants, I have no idea.

There's more than one embarrassing car repo celeb picture floating around.

Auto pay is not hard to set up.

This data is questionable anyway.

Goes to show how silly credit scores are

They are insidious, not silly.

The reason is that they mean little for those with tons of money - but they mean everything for the average person with limited money.

They literally keep the poor poor.

The concept of credit scores has a reason to exist, it's just that our implementation is broken a million times over. There's nothing wrong with a business loaning you money having the knowledge beforehand that you don't pay your obligations on time.

So it is! Yet, the ideal score is not one that reflects ability to repay, but ability to stay conveniently under the thumb of a credit card company.

If by "under the thumb of" you mean "using less than 30% of available credit and carrying some kind of balance". There's no need to apply melodrama to a simple matter of statistics to answer the question of whether someone can use credit responsibly.

Kanye is famously $53 million in debt, so it makes sense actually.

How is Kim's credit score in any way related to Kanye?

Well they’re married so maybe they have a joint account or two?

Being $53 million in debt seems like something that would result in you having an excellent credit score.

A credit score is a signal to potential _new_ creditors about how likely you are to be able to pay back _new_ debts. A factor in the Fair Isaac (FICO) score is the proportion of your outstanding revolving credit you are currently using (more being worse, above about 30%). It could be a sign that your income is unable to pay down your debt (becoming a runaway debt problem).

All to say that just because you've been able to convince creditors to loan you $53 million doesn't necessarily mean your credit is good.

I guess publicly begging Mark Zuckerberg for $50 million doesn't get factored in, so you're probably right.

Looks like it COULD BE, those first three numbers are in the range of someone from NY and someone from CA.


It's only ~$14k USD for us to buy 1 mil entries. Maybe we could crowd fund it and see how real it is?

Why not buy a single entry - yourself - to verify? I don't particularly want to give these guys $14k.

EDIT: see philipodonnell's reply to this post for an alternative explanation. I may have jumped the gun.

As far as I know credit scores are not part of credit reports as they do not show up when you request your credit report. If they were storing "credit score" as part of your credit report but withholding that information when you request a copy that would seem to violate the Fair Credit Reporting Act.

It wouldn't really make sense to store a credit score with the report anyways, it would only make sense to generate it on the fly only when a lender requests it. I'm assuming that different creditors report credit information on different days so it would be changing every time a creditor submitted information on that person which would be multiple times a month for someone with multiple accounts. And if the credit score algorithm was updated they would have to recalculate the "credit score" field on the entire database! This wouldn't really make sense from a technical perspective.

Furthermore, there's not just one "credit score," there are different algorithms for coming up with a credit score. One creditor may request FICO 8 and another one may request VantageScore 3.0 on the same day. Then another comes by and wants FICO 5. So even if they were saving a credit score in the database I wouldn't think that they would have a field labeled as a generic "credit score" without any qualifier. It would be "FICO 8 score" or whatever algorithm was used to generate the score.

There's also other problems, I don't have my Equifax report in front of me right now but credit bureaus store alternative/former names which aren't included here. Like for me my reported names are FirstName LastName; FirstName MiddleInital LastName; and FirstName MiddleName LastName. All because different creditors reported my name slightly differently. If you change your name (like Kim Kardashian did - she's Kim Kardashian West now) it would report both your former name(s) and current name(s). I don't see any indication that this sort of information is included.

Therefore I very seriously doubt the authenticity.

(From a technical perspective "pdf" is not a MIME type, the MIME type of PDF files is "application/pdf")

You're assuming this is a database dump. It looks more like logs from the service that creates PDF versions of reports for download. That would have a more simplistic data structure that might look like this.

If it's a service request log, why would a service have a field requestId and then set it to null? Of course, you can expect anything from people that have admin/admin security on their employee portal, but it looks weird. Also, the street data has no field for apartment number - does nobody live in multi-tenant buildings? Of course, there may be an optional field for this, but given how many null fields there are, it doesn't look like this API does optional fields. In summary, the API response format could be anything, as I said, especially from people who do admin/admin, but on the face of it it looks questionable.

Also, why were credit reports for Donald Trump and Kim Kardashian created at the same second and then modified at the same second? The probability of this happening as a result of natural client activity - i.e. just watching the logs of the active service - is zero. If the attackers had access to this service and initiated the requests, then why not show the resulting PDFs, that they supposedly also must have had access to if they had access to the API?

Also, a quick search shows that the SSNs of Trump, Kardashian and Gates have been published before. Which means this sample contains only information that is in public sources already, or is meaningless (like IDs). Thus, at least the JSON dump thing proves exactly nothing. Of course, if they published a previously unpublished SSN, we'd have a hard time verifying it too, so not sure what could be a good proof here...

Presumably if someone wanted to sell this data for big bucks they would have found a way to provide a sufficient and satisfying proof.

Very good point. I admit, I looked at the JSON pretty quick assuming it was a database dump export (obviously the database isn't a JSON file) and thought "this doesn't make sense" and didn't think about it much more.

It still looks sorta "off" to me even as logs.
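The objections in the sub-thread above (a bare "pdf" where a MIME type belongs, a requestId that exists but is null, no apartment field on the street address, a generic "credit score" field with no model name, and two records sharing creation and modification timestamps to the second) are all mechanical checks. The script below is an added example, not from any commenter or from the leaked sample; the records in it are constructed and the field names (requestId, format, street, creditScore, createdAt, modifiedAt) are assumptions about what such a log line might contain, modelled on what the thread describes.

```python
import json
import re
from collections import Counter

# Constructed sample, NOT the leaked data. Field names are an assumption
# modelled on the thread's description of the JSON sample.
SAMPLE_JSON = """
[
  {"requestId": null, "format": "pdf", "fullName": "Person A",
   "street": "1 Main St", "city": "New York", "state": "NY",
   "creditScore": 700,
   "createdAt": "2017-09-08T12:00:01Z", "modifiedAt": "2017-09-08T12:00:05Z"},
  {"requestId": null, "format": "pdf", "fullName": "Person B",
   "street": "2 Ocean Ave", "city": "Los Angeles", "state": "CA",
   "creditScore": 650,
   "createdAt": "2017-09-08T12:00:01Z", "modifiedAt": "2017-09-08T12:00:05Z"}
]
"""

# RFC 6838 media types are type/subtype ("application/pdf"); "pdf" alone is not one.
MEDIA_TYPE_RE = re.compile(
    r"^[A-Za-z0-9][A-Za-z0-9!#$&^_.+-]*/[A-Za-z0-9][A-Za-z0-9!#$&^_.+-]*$")
# A score field that names its model (FICO 8, VantageScore 3.0, ...) is plausible;
# a generic "creditScore" with no qualifier is one of the thread's red flags.
SCORE_FIELD_RE = re.compile(r"^(fico|vantage)", re.I)
UNIT_KEYS = ("apt", "apartment", "unit", "street2")


def triage(records):
    """Return (record_index_or_None, flag) pairs for a leaked JSON sample.

    Per-record flags: non-MIME format value, requestId present but null,
    street address with no apartment/unit field, score field naming no model.
    Sample-wide flag: several records sharing identical createdAt/modifiedAt,
    which organic client traffic is very unlikely to produce.
    """
    flags = []
    for i, rec in enumerate(records):
        fmt = rec.get("format")
        if isinstance(fmt, str) and not MEDIA_TYPE_RE.match(fmt):
            flags.append((i, f"format {fmt!r} is not a type/subtype media type"))
        if "requestId" in rec and rec["requestId"] is None:
            flags.append((i, "requestId present but null"))
        if "street" in rec and not any(k.lower() in UNIT_KEYS for k in rec):
            flags.append((i, "street address has no apartment/unit field"))
        for k in rec:
            if "score" in k.lower() and not SCORE_FIELD_RE.match(k):
                flags.append((i, f"score field {k!r} names no scoring model"))
    stamps = Counter((r.get("createdAt"), r.get("modifiedAt")) for r in records)
    for (c, m), n in stamps.items():
        if n > 1:
            flags.append((None, f"{n} records share createdAt={c} modifiedAt={m}"))
    return flags


def triage_json(text):
    """Parse a JSON array of records and triage it."""
    return triage(json.loads(text))


if __name__ == "__main__":
    for idx, msg in triage_json(SAMPLE_JSON):
        print(f"record {idx}: {msg}" if idx is not None else f"sample: {msg}")
```

None of these flags proves or disproves authenticity on its own (an internal service really can emit sloppy field names); their value is that they turn "looks off to me" into a repeatable list a second person can check against a new sample.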

I can't speak for the other points you raise, but I note that it says "Credit Score" rather than "FICO score" - all of the credit reporting agencies (and some third parties) have their own "Credit Score" product that they sell or otherwise provide - it's almost a scam in itself, in that they strongly suggest they are selling you a FICO score but instead give you their own internally-generated, presumably royalty-free number.

Since there's no cost associated with this, they may well generate one for everyone and store it with their data.

Yep! The difference between the two was a particular source of frustration for me.

Back when I was relatively new on the (full time) job market, I pulled my reports from annualcreditreport.com and it would tell me that my "credit score" is 720-740, and no negative marks.

However, I also had never taken out a loan before. So whenever I tried to use that pristine credit (e.g. for a mortgage, credit card, or apartment), I had "no credit history", which appeared to the creditor as toxic and subprime.

(Relatedly, when I got my first part time job and tried to buy a PS console with a check, Best Buy said it violated their "risk parameters" and wouldn't take it, though Walmart would.)

Agreed with this. I had no credit except a credit card until I was 30 and bought my first new car. All my other cars were family cars or bought from relatives. I worked during school so no loans either.

I'm curious to see what happens when I buy my first house. There was a huge chance I wouldn't have even needed the car loan but life happens.

Each agency has their own credit score. In addition they will compute a Fair Isaac score on demand because FICO charges a royalty to compute the FICO. The royalty is the reason they don't give a FICO with the free annual report.

While 'pdf' isn't a full MIME type, you seem to forget whom we're dealing with here: not the brightest crayon in the box, Equifax.

This doesn't look like a database dump.

Not disagreeing with the rest but:

>And if the credit score algorithm was updated they would have to recalculate the "credit score" field on the entire database! This wouldn't really make sense from a technical perspective.

This obviously depends on your real-time requirements on providing a credit score. If you need to be able to return any credit score in X milliseconds, and you need to be able to do this at certain throughput, and have load that's not distributed across the day, then you might choose to pre-compute data.

There are techniques you could use to ensure you minimise re-computes and you could also pre-compute values into the future and re-calculate them when new/unexpected data came in.

It might not make sense to do this in a general-case, but placing retrieval performance constraints on a system can lead to non-obvious pre-calculation/computation solutions.

They give you a score themselves when you sign up for their premium offering.

Wouldn't it be that one?

It's not real because it doesn't match your vague ideas about what it should be. Well, OK.

astura is correct. This is not a vague idea but how credit scoring works.

Might as well scrap AML/KYC laws now that everyone can open any account anywhere with someone's ID


^ you can see if you or any of the above mentioned people have been compromised using this tool.

Yeah, at best, that tool from Equifax is unreliable. People have put in fake users and SSN and still it's told them they were affected. At worst, it's just another way to get customers to sign up for a new service.

It's asking for the last 6 digits of SSN and name. Considering that is 1 million unique numbers, out of 146 million potentially compromised accounts, you could probably put any number in there and be reasonably sure of getting a hit.

This is a very good point and may explain this phenomenon. However, I'm not 100% sure that those numbers are equally distributed. Still, it may well account for the fact that random numbers still resulted in a hit. Good point.

I put in the SSN of my family and it states we were affected, I put in fake names and SSN and it says we were probably not affected.

Maybe they've fixed it, but it has definitely been wonky. Some folks got different responses on mobile vs. desktop with the same info.


Posting our president's SSN on your blog after obtaining it from a darknet page... priceless.

I applaud your concise cleverness, even if this is not the time nor the place!

The social security number for Donald Trump in their sample was issued around 1963. Seems fishy.

He would have been around 17. That's reasonable, given that many/most didn't get an SSN back then until they started working.

The SSA sends you one at birth (now?).

If someone applies for it on the baby's behalf. It's still an optional program as far as I know.

If you don't have a SSN, you'll need an ITIN for taxes.

(ITIN - Individual Taxpayer Identification Number)

Since his DoB is 1946 he'd be 17/18 in 1963. What's fishy?
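Two comments above reason from the structure of a pre-2011 SSN: the one noting that the first three digits (the area number) fall in the ranges used for New York and California, and the one estimating that a random six-digit suffix will almost surely hit one of the 146 million compromised records. The code below is an added example, not from any commenter. The area-number table is a partial assumption drawn from the public SSA allocation list (only the states discussed here), the group-number issuance order is the SSA's documented pre-randomization order, and the sample SSN is a constructed placeholder. Estimating an issue year, as the 1963 comment does, additionally needs the SSA's historical high-group tables, which this example does not include.

```python
import math
import re

# Partial pre-2011 area-number allocation (first three digits -> issuing state).
# ASSUMPTION: taken from the public SSA allocation list; only a few states included.
AREA_RANGES = [
    ((50, 134), "NY"),
    ((387, 399), "WI"),
    ((531, 539), "WA"),
    ((545, 573), "CA"),
    ((602, 626), "CA"),
]

SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")


def parse_ssn(ssn):
    """Split 'AAA-GG-SSSS' (dashes optional) into (area, group, serial) ints."""
    m = SSN_RE.match(ssn)
    if not m:
        raise ValueError("not an SSN-shaped string")
    return tuple(int(x) for x in m.groups())


def area_state(area):
    """Issuing state for an area number, or None if outside our partial table."""
    for (lo, hi), st in AREA_RANGES:
        if lo <= area <= hi:
            return st
    return None


def group_rank(group):
    """Position (1..99) of a group number in the SSA's pre-randomization
    issuance order: odd 01-09, then even 10-98, then even 02-08, then odd 11-99.
    A lower rank means the number was issued earlier within its area."""
    if group % 2 == 1 and group <= 9:
        return (group + 1) // 2              # 1..5
    if group % 2 == 0 and 10 <= group <= 98:
        return 5 + (group - 10) // 2 + 1     # 6..50
    if group % 2 == 0 and 2 <= group <= 8:
        return 50 + group // 2               # 51..54
    if group % 2 == 1 and 11 <= group <= 99:
        return 54 + (group - 11) // 2 + 1    # 55..99
    raise ValueError("group 00 was never issued")


def structurally_valid(ssn):
    """Reject values the SSA never issued: area 000, 666 or 900+, group 00, serial 0000."""
    area, group, serial = parse_ssn(ssn)
    if area == 0 or area == 666 or area >= 900:
        return False
    return group != 0 and serial != 0


def p_random_hit(records, space=10**6):
    """Probability that one random value (e.g. a six-digit SSN suffix) matches at
    least one of `records` records assumed uniform over `space` possible values."""
    return 1 - math.exp(records * math.log1p(-1 / space))


if __name__ == "__main__":
    sample = "123-45-6789"   # constructed placeholder, not a real person's number
    area, group, serial = parse_ssn(sample)
    print(sample, "valid:", structurally_valid(sample),
          "state:", area_state(area), "group rank:", group_rank(group))
    print("P(random 6-digit suffix hits one of 146M records) =",
          p_random_hit(146_000_000))
```

The hit-probability model ignores the name the checker also asks for, and assumes suffixes are uniformly distributed (the reply above rightly doubts that), so treat it as an upper bound on how often a random guess "confirms" exposure rather than as a measurement of the tool.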

This really pisses me off. It's only a matter of time before some random person opens up a cellphone, utility, or bank account... or worse. Completely messed up.

Every American should be scared shitless at this incompetence. It's going to cost everyone thousands of dollars over their lives for credit fraud protection. Just another expense to add.

It's also extortion. "Please pay us money to solve the massive problem we created." I don't know how it's legal.

Not saying it would be great in the short term, but I wonder how it would play out if the entire database was made widely available. It seems like it would be a lot harder to enforce a debt if the borrower was originally identified based on "secrets" that were well known to be public at the time. Maybe then they would come up with a better authentication scheme than "what color was your first car?"

It would be an awful lot like the end of Fight Club. Destroy credit records, or render them meaningless, either way the economy would collapse.

People can complain all they want about credit, but the reality is that it exists as a financial service because loaning things with interest is probably older than agriculture in human society. We've just gotten very good at risk assessment, and this going public would ruin our ability to assess risk for years.

Honestly, the credit industry ought to be the ones raging against Equifax's fuck up. If only all the other credit bureaus weren't on eggshells hoping they're not next.

Credit and existing credit records would still be easily available.

The only change would be that you need to present photo ID in person to open new credit lines... which doesn't seem that unreasonable really.

How have we got very good at assessing risk?

So far, I have had three phones signed up in my name (essentially stolen from the suppliers), can't easily get a mortgage because I own my own company, somehow making me riskier than people who earn half my income, and in the past had my credit card limit extended to £10,000 without asking when I was almost broke.

To me that doesn't sound like they're good at assessing risk at all, they're just blindly following extremely simple algos instead of knowing their customers.

The records wouldn't be rendered meaningless anyway; the fundamental of a credit report is how much debt you already have and whether you ever miss payments or have judgements against you. Then a lender compares that to your income.

> It would be an awful lot like the end of Fight Club

The film ended that way. The novel had a different, more Palahniuk-ish ending. Spoil it for yourself if you must at https://en.wikipedia.org/wiki/Fight_Club_(novel)

> interest is probably older than agriculture

Off topic, I know, but quantitative economics and bureaucracies were both born out of agriculture; before that, value was subjective.

Maybe then enough people at the same time would pressure state and federal legislators to regulate suspicious data brokers and creditors (and/or address insufficient/broken authentication in new credit accounts).

The Target breach was the thing that finally catalyzed the move from magstripe ccs to EMV ccs. I think we are currently on the precipice of the point when we need to move towards a second factor of authentication ("something you have" or "something you are" in addition to the lots of "something you know" that the current credit bureau system uses).

What would happen if the DB was widely available and many, many people just randomly and inexplicably opened as many random accounts as possible? It would cause chaos in the economy.

What would an accurate "what if" scenario like this look like?

That's the first five minutes. Then the market for new consumer credit would seize up, banking share prices would flip out, and talking heads on cable would have something new to hyperventilate over.

Overall, many thousands of folks would have their home plans/vacation/card-flipping/whatever plans screwed up, some thousands would have a more severe financial problem, the banks would muddle through, "we'd" rebuild the financial-surveillance system over again, and it would probably be less stupid in some ways at the cost of being more uniformly intrusive.

The thing is, up until now, there was a false sense of security that if someone didn't have your SSN, they couldn't open up financial accounts as you. And there was little being done to protect people whose SSNs are already disclosed in some way.

With such a large percentage of our social security numbers being potentially outright public, financial institutions need to stop assuming that an account holder is legitimate because they provide an SSN. And it is in their best interests to do so, since they end up on the hook in most cases for fraudulent accounts (after putting you through an awful process to prove it isn't yours).

For example, rather than letting someone sign up for an account with the SSN as a verification of identity, new credit accounts could potentially be considered probationary (or just outright not created) until a one-time code is mailed to the credit holder's established home address (based on their existing credits and payment history) as confirmation that the real person with that SSN authorizes that transaction. While such a step would not be completely impossible to defeat, it would mitigate attackers on the other side of the globe opening fraudulent accounts.
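One way to build the probationary flow the comment above describes (account created in a pending state; a one-time code posted to the address already on file, not the one the applicant supplies; the account activated only when that code comes back) is sketched below. This is an added example, not the commenter's design or any bureau's code, and the two-week validity window, eight-digit code length and three-attempt lock are assumptions. The code is stored only as a salted PBKDF2 hash and compared in constant time, so a leaked pending-account table does not leak usable codes.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# ASSUMPTIONS: postal delivery window, code format and attempt budget are illustrative.
CODE_TTL_SECONDS = 14 * 24 * 3600
CODE_DIGITS = 8
MAX_ATTEMPTS = 3
PBKDF2_ROUNDS = 100_000


@dataclass
class PendingAccount:
    ssn_last4: str
    mailed_to: str        # address from the bureau's existing file, NOT applicant-supplied
    code_hash: bytes      # PBKDF2 of the mailed code; the code itself is never stored
    salt: bytes
    created: float
    attempts: int = 0
    status: str = "pending"   # pending | active | expired | locked


def _hash_code(code, salt):
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ROUNDS)


def open_probationary(ssn_last4, address_on_file, now=None):
    """Create the account in 'pending' state. Returns (account, code); the code
    goes on the letter to `address_on_file`, only its hash is kept."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
    salt = secrets.token_bytes(16)
    acct = PendingAccount(ssn_last4, address_on_file, _hash_code(code, salt), salt, now)
    return acct, code


def confirm(acct, submitted, now=None):
    """Apply one confirmation attempt and return the resulting status.
    Expiry is checked before the attempt is counted; wrong codes consume an
    attempt and the account locks after MAX_ATTEMPTS so the code cannot be
    brute-forced by someone who knows the SSN but not the mailbox."""
    now = time.time() if now is None else now
    if acct.status != "pending":
        return acct.status
    if now - acct.created > CODE_TTL_SECONDS:
        acct.status = "expired"
        return acct.status
    acct.attempts += 1
    if hmac.compare_digest(_hash_code(submitted, acct.salt), acct.code_hash):
        acct.status = "active"
    elif acct.attempts >= MAX_ATTEMPTS:
        acct.status = "locked"
    return acct.status


if __name__ == "__main__":
    acct, code = open_probationary("6789", "1 Main St, Anytown")
    print("status after open:", acct.status)
    print("status after correct code:", confirm(acct, code))
```

The point the comment makes, that an attacker on the other side of the globe cannot read a letter, is what the `mailed_to` field enforces: the address is looked up from existing records rather than accepted from the application, so possession of the SSN alone never completes activation.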

Agreed. If you used medical services in any significant way before 2010, your SS and birthdate was all over the place in insurance and medical records.

> It's going to cost everyone thousands of dollars over their lives for credit fraud protection.

In my mind, the Just thing to do would be for Equifax to offer ongoing fraud protection to all of their customers affected by this leak. (Gosh, that might be expensive!)

I mean sure, if they can't make fraud-avoidance part of their fundamental business model.

This issue has existed before the hack. None of these companies give a shit about security. Maybe this will change things.

They won't care until they have to personally pay out of pocket. Many of us probably will, but they won't.
