
EDIT: see philipodonnell's reply to this post for an alternative explanation. I may have jumped the gun.

As far as I know credit scores are not part of credit reports as they do not show up when you request your credit report. If they were storing "credit score" as part of your credit report but withholding that information when you request a copy that would seem to violate the Fair Credit Reporting Act.

It wouldn't really make sense to store a credit score with the report anyway; it would only make sense to generate it on the fly when a lender requests it. I'm assuming that different creditors report credit information on different days, so it would be changing every time a creditor submitted information on that person, which would be multiple times a month for someone with multiple accounts. And if the credit score algorithm was updated they would have to recalculate the "credit score" field on the entire database! This wouldn't really make sense from a technical perspective.

Furthermore, there's not just one "credit score," there are different algorithms for coming up with a credit score. One creditor may request FICO 8 and another one may request VantageScore 3.0 on the same day. Then another comes by and wants FICO 5. So even if they were saving a credit score in the database I wouldn't think that they would have a field labeled as a generic "credit score" without any qualifier. It would be "FICO 8 score" or whatever algorithm was used to generate the score.

There are also other problems. I don't have my Equifax report in front of me right now, but credit bureaus store alternative/former names, which aren't included here. For me, my reported names are FirstName LastName; FirstName MiddleInitial LastName; and FirstName MiddleName LastName, all because different creditors reported my name slightly differently. If you change your name (like Kim Kardashian did - she's Kim Kardashian West now) it would report both your former name(s) and current name(s). I don't see any indication that this sort of information is included.

Therefore I very seriously doubt the authenticity.

(From a technical perspective "pdf" is not a MIME type, the MIME type of PDF files is "application/pdf")

You're assuming this is a database dump. It looks more like logs from the service that creates PDF versions of reports for download. That would have a more simplistic data structure that might look like this.

If it's a service request log, why would a service have a field requestId and then set it to null? Of course, you can expect anything from people that have admin/admin security on their employee portal, but it looks weird. Also, the street data has no field for apartment number - does nobody live in multi-tenant buildings? Of course, there may be an optional field for this, but given how many null fields there are, it doesn't look like this API does optional fields. In summary, the API response format could be anything, as I said, especially from people who do admin/admin, but on the face of it it looks questionable.

Also, why were credit reports for Donald Trump and Kim Kardashian created at the same second and then modified at the same second? The probability of this happening as a result of natural client activity - i.e. just watching the logs of the active service - is zero. If the attackers had access to this service and initiated the requests, then why not show the resulting PDFs, which they supposedly also must have had access to if they had access to the API?

Also, a quick search shows that the SSNs of Trump, Kardashian and Gates have been published before. Which means this sample contains only information that is in public sources already, or is meaningless (like IDs). Thus, at least the JSON dump thing proves exactly nothing. Of course, if they published a previously unpublished SSN, we'd have a hard time verifying it too, so not sure what could be a good proof here...

Presumably if someone wanted to sell this data for big bucks they would have found a way to provide a sufficient and satisfying proof.

Very good point. I admit, I looked at the JSON pretty quick assuming it was a database dump export (obviously the database isn't a JSON file) and thought "this doesn't make sense" and didn't think about it much more.

It still looks sorta "off" to me even as logs.

I can't speak for the other points you raise, but I note that it says "Credit Score" rather than "FICO score" - all of the credit reporting agencies (and some third parties) have their own "Credit Score" product that they sell or otherwise provide - it's almost a scam in itself, in that they strongly suggest they are selling you a FICO score but instead give you their own internally-generated, presumably royalty-free number.

Since there's no cost associated with this, they may well generate one for everyone and store it with their data.

Yep! The difference between the two was a particular source of frustration for me.

Back when I was relatively new on the (full time) job market, I pulled my reports from annualcreditreport.com and it would tell me that my "credit score" is 720-740, and no negative marks.

However, I also had never taken out a loan before. So whenever I tried to use that pristine credit (e.g. for a mortgage, credit card, or apartment), I had "no credit history," which appeared to the creditor as toxic and subprime.

(Relatedly, when I got my first part time job and tried to buy a PS console with a check, Best Buy said it violated their "risk parameters" and wouldn't take it, though Walmart would.)

Agreed with this. I had no credit except a credit card until I was 30 and bought my first new car. All my other cars were family cars or bought from relatives. I worked during school so no loans either.

I'm curious to see what happens when I buy my first house. There was a huge chance I wouldn't have even needed the car loan but life happens.

Each agency has their own credit score. In addition they will compute a Fair Isaac score on demand because FICO charges a royalty to compute the FICO. The royalty is the reason they don't give a FICO with the free annual report.

While 'pdf' isn't a full MIME type, you seem to forget whom we're dealing with here: not the brightest crayon in the box, Equifax.

This doesn't look like a database dump.

Not disagreeing with the rest but:

>And if the credit score algorithm was updated they would have to recalculate the "credit score" field on the entire database! This wouldn't really make sense from a technical perspective.

This obviously depends on your real-time requirements for providing a credit score. If you need to be able to return any credit score in X milliseconds, and you need to be able to do this at a certain throughput, and have load that's not evenly distributed across the day, then you might choose to pre-compute data.

There are techniques you could use to ensure you minimise re-computes and you could also pre-compute values into the future and re-calculate them when new/unexpected data came in.

It might not make sense to do this in the general case, but placing retrieval performance constraints on a system can lead to non-obvious pre-calculation/computation solutions.
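The trade-off argued over in the last two comments (recompute on every request vs. pre-compute and invalidate when new creditor data or a new algorithm version arrives, with the stored score tagged by the algorithm that produced it as the first post suggests) can be made concrete. The following is an added example written for this thread, not code from Equifax or any bureau; `toy_score_v1`, `toy_score_v2`, the `Tradeline` shape and the `ScoreCache` class are constructed placeholders, not a real scoring model:

```python
"""Version-stamped score cache: pre-computed scores that are lazily
recomputed only when the consumer's data or the algorithm version changes.
Constructed example; scoring functions are toy placeholders."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Tradeline:
    """One creditor-reported account (constructed shape, not a bureau format)."""
    balance: int
    limit: int
    late_payments: int


ScoreFn = Callable[[List[Tradeline]], int]


def toy_score_v1(lines: List[Tradeline]) -> int:
    """Placeholder model: penalise utilisation and late payments."""
    if not lines:
        return 0  # "no credit history", distinct from a low score
    util = sum(l.balance for l in lines) / max(1, sum(l.limit for l in lines))
    late = sum(l.late_payments for l in lines)
    return max(300, min(850, int(850 - 300 * util - 40 * late)))


def toy_score_v2(lines: List[Tradeline]) -> int:
    """Placeholder 'algorithm update' with different weights."""
    if not lines:
        return 0
    util = sum(l.balance for l in lines) / max(1, sum(l.limit for l in lines))
    late = sum(l.late_payments for l in lines)
    return max(300, min(850, int(850 - 250 * util - 60 * late)))


class ScoreCache:
    """Caches (consumer, algorithm) -> score, stamped with the consumer's data
    version and the algorithm version. A stale stamp triggers a recompute on
    the next read, so an algorithm update never forces a full-table rebuild."""

    def __init__(self) -> None:
        self.algorithms: Dict[str, Tuple[int, ScoreFn]] = {}   # name -> (version, fn)
        self.tradelines: Dict[str, List[Tradeline]] = {}
        self.data_version: Dict[str, int] = {}                 # bumped per report
        self._cache: Dict[Tuple[str, str], Tuple[int, int, int]] = {}
        self.computes = 0  # counts real score computations (for the demo)

    def register_algorithm(self, name: str, version: int, fn: ScoreFn) -> None:
        self.algorithms[name] = (version, fn)

    def report(self, consumer: str, line: Tradeline) -> None:
        """A creditor reports new data: bump the consumer's data version."""
        self.tradelines.setdefault(consumer, []).append(line)
        self.data_version[consumer] = self.data_version.get(consumer, 0) + 1

    def score(self, consumer: str, algorithm: str) -> int:
        """Return the cached score if both stamps match, else recompute."""
        algo_version, fn = self.algorithms[algorithm]
        dv = self.data_version.get(consumer, 0)
        entry = self._cache.get((consumer, algorithm))
        if entry is not None and entry[0] == dv and entry[1] == algo_version:
            return entry[2]
        self.computes += 1
        value = fn(self.tradelines.get(consumer, []))
        self._cache[(consumer, algorithm)] = (dv, algo_version, value)
        return value


def run_demo() -> Dict[str, int]:
    """Walk through the sequence the comments describe and return the results."""
    cache = ScoreCache()
    cache.register_algorithm("toyscore", 1, toy_score_v1)
    cache.report("alice", Tradeline(balance=500, limit=1000, late_payments=0))
    out = {"first": cache.score("alice", "toyscore")}          # computed
    out["repeat"] = cache.score("alice", "toyscore")           # cache hit
    out["computes_after_repeat"] = cache.computes
    cache.report("alice", Tradeline(balance=200, limit=1000, late_payments=1))
    out["after_new_data"] = cache.score("alice", "toyscore")   # data stamp stale
    cache.register_algorithm("toyscore", 2, toy_score_v2)      # algorithm update
    out["after_algo_update"] = cache.score("alice", "toyscore")  # algo stamp stale
    out["no_history"] = cache.score("bob", "toyscore")         # thin file
    out["total_computes"] = cache.computes
    return out


if __name__ == "__main__":
    print(run_demo())
```

The point of the stamps is that the system never has to "recalculate the entire database" when a model is updated: every stored score carries the algorithm name and version it came from, and recomputation happens per consumer on the next read, which is also how one field can hold more than one score product without ambiguity.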

They give you a score themselves when you sign up for their premium offering.

Wouldn't it be that one?

It's not real because it doesn't match your vague ideas about what it should be. Well, OK.

astura is correct. This is not a vague idea but how credit scoring works.

