Over a year after it was disclosed, the Experian site will still give your credit freeze PIN to anyone that knows your SSN and DOB

by DaleSwanson

I froze my credit after the Equifax breach, but have had to lift it a few times since then. When freezes became free I wanted to confirm that my credit was frozen with each bureau. When I got to the Experian site, I went through the process of adding a new freeze, and when it asked for a PIN I put in the existing PIN I had. The confirmation page said something along the lines of “You already have a freeze, and the PIN is 123456”.

I was slightly worried and so repeated the process in a new incognito browser window, and when it asked if I wanted to enter a PIN or have them generate one, I let them generate it. I got the same confirmation/error page with my current PIN displayed. To be clear, the second time I did this, all I provided was name, address, SSN, and DOB. I did not provide the PIN. I did have to answer some of those security questions you tend to have to answer when confirming your identity online (e.g., “What bank is your home mortgage with?”), but the entire point of the credit freeze is to prevent people who may have that type of information from opening new credit.

I wanted to warn people that, while the credit freeze is still a good idea, it’s not ironclad. It would also be nice if there was some pressure on Experian to change this. I googled to see if this was already documented, and was shocked to see this article from over a year ago outlining the exact same process working the same way.