On Monday, the financial information of a handful of celebrities was exposed by a mysterious website titled “The Secret Files.” The stripped-down website, which looks a lot like a site made in 1997, contains social security numbers, credit reports, addresses and phone numbers of celebrities and public figures. Ashton Kutcher, Jay-Z, Tiger Woods, Bill Gates, Mitt Romney and Hillary Clinton were among those included in the list.
It’s still unclear who’s behind it, and both the FBI and the LAPD are investigating the incident. Media reports were quick to dub the culprits as “hackers.” But was this really a sophisticated hack orchestrated by malicious geeks? Most likely, it wasn’t.
As Forbes privacy blogger Kashmir Hill explained, this is more a case of relatively easy social engineering and really poor security, than a real hack.
As it turns out, the criminals got access to the credit reports of the victims using a website that we can all access: AnnualCreditReport.com, a site where people can access their credit report for free once a year. All you need to check your report — or someone else’s — is a social security number, a date of birth, and an address, and then answer a few more security questions.
It’s unclear how the criminals got their hands on high-profile figures’ social security numbers, but leaks occur, and some researchers have even shown that SSNs can be guessed with limited information and a prediction algorithm.
After somebody breaches the first line of defense, the SSN, there’s a second one: the three biggest U.S. credit companies associated with the website — TransUnion, Experian and Equifax — ask for more personal information to make sure the person trying to access the report is really who he or she claims to be. Alas, that information is less personal than you might think. TransUnion asked Hill to provide the year in which she graduated from high school, a phone number she was previously associated with, and a city where she had lived. In the digital age, that kind of information is easily accessible.
“Public records, online profiles and blogs, as well as social networking accounts, provide criminals with a nice supply of information in order to get through the authentication process,” Adam Levin, co-founder and chairman of Identity Theft 911, told TIME.
The two other companies, Experian and Equifax, explains Hill, gave her a multiple-choice test, asking which lines of credit she had taken out in the past. That is harder to figure out, but not impossible, and, she adds, if you’re a criminal, you can always go with “the tried and true method of many a stumped SAT taker: just choose A, B, C, or D and pray. ‘None of the Above’ often seems to work like a charm.”
What’s worse, you don’t have to get it right the first time. If you can’t figure out what information TransUnion wants, then you can try Experian, and if that fails too, you can try Equifax. With some good googling and some luck, you very well might be able to find what you’re looking for. The three companies have admitted that impostors accessed their systems, and they’ve already opened investigations to find out more about the incident.