Just when you thought things couldn’t get any more surreal, Equifax continues to fumble one of the biggest data breaches in U.S. history. As if people weren’t still reeling from reverberations of the September 7 announcement, the Atlanta-based company acknowledged this week that its official Twitter account had been sending people to an illegitimate site that mimicked its own.
Faced with a deluge of inquiries from concerned consumers, Equifax reps at times used social media to direct people to “securityequifax2017.com.” The problem is, the real website is “equifaxsecurity2017.com.”
To make matters worse, the fake site was flagged by many an internet browser as a “phishing” site, according to security blogger Brian Krebs. Phishing sites are often used by hackers to steal or “phish” personal information — account numbers, passwords — from users by duping them into thinking a website is legit when it’s actually a near carbon copy of the real one.
Equifax Data Breach: Company sent people to copycat site
The company tweeted the fake website to millions of its followers as recently as Wednesday before realizing its mistake and deleting the tweet, according to The Verge. The company had also tweeted the bogus site at least three more times since September 9, the website reports.
The good news (yes, unbelievably, there is good news) is the person behind the bogus website says that he doesn’t have nefarious designs. Nick Sweeting, a software engineer, told The Verge that he created the fake website in order to scold Equifax and show how easy it is to copy a real website (it took him 20 minutes) that millions of people are being referred to.
“It makes it ridiculously easy for scammers to come in and build clones — they can buy up dozens of domains, and typo-squat to get people to type in their info,” Sweeting told the website, adding that his mirror site won’t steal people’s information because he “removed any risk of leaking data via network requests by redirecting them back to the user’s own computer.”
Sweeting also made a plea to Equifax, telling CNN Tech: “It’s in everyone’s interest to get Equifax to change this site to a reputable domain, I can guarantee there are real malicious phishing versions already out there.”
For its part, Equifax told The Verge that it is sorry for the mix-up. “All posts using the wrong link have been taken down. To confirm, the correct website is https://www.equifaxsecurity2017.com. We apologize for the confusion.”