[BreachExchange] Credit Karma glitch exposed users to other people’s accounts

Destry Winant destry at riskbasedsecurity.com
Fri Aug 16 08:45:17 EDT 2019


https://techcrunch.com/2019/08/14/credit-karma-glitch-accounts/

Users of credit monitoring site Credit Karma have complained that
they were served other people’s account information when they logged
in.

Many took to a Reddit thread and complained on Twitter about the
apparent security lapse.

“First time logging in it gave me my information, but as soon as I
refreshed the screen, it gave me someone else’s info,” said one Reddit
user. “Refreshed again and bam! someone else’s info — it’s like
roulette.” Another user said they logged in and out several times and
each time had “full access to a different random person’s credit
file.”

One user told TechCrunch that after they were served another person’s
full credit report, they messaged the user on LinkedIn “to let him
know his data was compromised.”

Another user told us this:

The reports are split into two sections: Credit Factors — things like
number of accounts, inquiries, utilization; and Credit Reports —
personal information like name, address, etc. The Credit Reports
section was my own information, but the Credit Factors section
definitely wasn’t. It listed four credit card accounts (I have more
like 20 on my report), a missed payment (I’m 100% on time with
payments), a Honda auto loan (never had one with Honda), student loan
financing (mine are paid off and too old to appear on my report), and
cards with an issuer that I have no relationship with (Discover).

Several screenshots seen by TechCrunch show other people’s accounts,
including details about their credit card accounts and their current
balance.

Another user who was affected said they could read another person’s
Credit Factors — including derogatory credit marks — but that the
Credit Report tab with that user’s personal information, like names
and addresses, was blank.

One user said that the login page was pulled offline for a brief
period. “We’ll be right back,” the login page read instead.

Credit Karma spokesperson Emily Donohue denied there was a data
breach, but when asked would not say how many customers were affected.

“What our members experienced this morning was a technical malfunction
that has now been fixed. There is no evidence of a data breach,” the
statement said.

The company didn’t say for how long customers were experiencing issues.

Credit Karma offers customers free credit score monitoring and
reports. The company allows users to check their scores against
several major credit agencies, including Equifax, which last month was
fined at least $575 million for a 2017 data breach.
