Experian PIN recovery flaw: What we know now

Editor’s note: An earlier version of this story called this a “data breach,” when it is actually more of a security vulnerability that how now been resolved. Team Clark apologizes for the mischaracterization.

Credit-reporting giant Experian is saying that customers’ personal information is safe after a security flaw exposed people’s personal identification numbers (PINs) used to manage credit freezes. Personal finance site NerdWallet first reported the Experian security vulnerability, which has been fixed.

To retrieve your PIN online, Experian presents users with multiple choice security questions for identity verification. The problem was, by selecting “None of the above,” the site granted anyone access to a PIN that allows you to manage your credit freeze preferences. NerdWallet was able to replicate the breach after being made aware of it by a reader.

It’s worth noting that if you haven’t set up a credit freeze, you have nothing to worry about, since a PIN would only allow someone to thaw your credit, not gain access to your credit report.

Experian security lapse: What we know & what to do about it

The incident comes more than a year after the Equifax data breach, which increased scrutiny of the major credit-reporting agencies. The Experian data leak apparently only affected consumers trying to access their accounts via online. Mail methods are believed to have been unaffected.

RELATED: Protect yourself with Clark’s Credit Freeze Guide

An Experian spokesman told Team Clark: “There is not and never was a risk to consumer credit data, personal information or the security of our systems. A credit freeze PIN does not enable access to a credit file or consumer PII (personally identifiable information). Experian deploys multiple layers of security, many of those not visible to consumers. While we are confident that our authentication is secure, we have taken additional steps to make the process even more secure. We continue to regularly monitor our systems, taking immediate action when warranted to strengthen data security.”

Despite this latest lapse, money expert Clark Howard says credit freezes are still the #1 way consumers can protect themselves from identity theft and fraud.

What to know about credit freezes & PINs

The three major credit-reporting bureaus, Experian, TransUnion and Equifax, have moved away from PINs as a means of accessing your credit freeze online. When it comes to mail, though, the agencies still will need your PIN.

If you no longer remember your PIN or have misplaced it, the agencies want you to mail them identifying information. But you can also call them. See Clark’s Credit Freeze Guide for all the ways to reach them.

3 things to do if you have a credit freeze set up with Experian

• Remove your Experian credit freeze & set up a new one: After initially advising people to change your PIN, we now are recommending that you remove your credit freeze and set up a new one.
• Sign up for free credit monitoring: If you haven’t signed up already, do so with Credit Sesame, CreditKarma.com or a Credit.com account to get free credit monitoring and be notified when anyone tries to use your personal info to establish new credit. Here’s a step-by-step rundown of how to do it. (Note: If your credit report is already frozen, you’ll have to temporarily lift your credit freeze at all three bureaus to enlist credit monitoring).
• Monitor your Social Security: If you’re over age 50, you should create a MySocialSecurity account at SSA.gov. This is “where you’re able to monitor that no one is trying to impersonate you at the Social Security Administration to get your benefits,” Clark says.