Equifax has directed followers to fake phishing site for nearly two weeks

In early September, Equifax, one of the three major credit monitoring bureaus, announced that it had fallen victim to a massive data breach. According to the company, an estimated 143 million Americans had their information stolen, some including credit and driver’s license numbers.

And in its attempt to fix the breach it appears Equifax may have left even more people open to hackers.

According to Mashable, Equifax has been directing concerned customers on Twitter to a scam website for weeks. How is this possible? It’s because its own site, equifaxsecurity2017.com, is incredibly similar to a fake phishing site, securityequifax2017.com.

The first site, equifaxsecurity2017.com, was set up by Equifax and allows concerned customers to enter their data to find out if their information had indeed been breached. But in doing so, Gizmodo explained, the company created an unusually long and unofficial-looking URL, making it an easy target for further hacking.

To prove just how easy it would be to collect user information, developer Nick Sweeting spent $10 and created a dupe website in 20 minutes by simply switching the words “Equifax” and “Security.” He then copied the incredibly simple design of Equifax’s site and then simply let the emails, social security numbers and information roll in. The site has received 2,000 hits over the last few days, according to CNN.

Thankfully for all of us, Sweeting wasn’t actually in it to steal information, but rather to shame Equifax even further for creating this credit issue and then leaving victims even more vulnerable to attack with a vulnerable site.

On the site Sweeting put in big, bold letters:

“Cybersecurity Incident & Important Consumer Information Which is Totally Fake, Why Did Equifax Use A Domain That’s So Easily Impersonated By Phishing Sites. Equifax should have hosted this on equifax.com with a reputable [EV] SSL Certificate. Instead they chose an easily impersonated domain and used a jelly-bean SSL cert that any script kiddie can impersonate in 20min.”

As Sweeting further shared on social media, Equifax tweeted the link to his fake site at least eight separate times since Sept. 9.

Sweeting told Gizmodo in an interview. “I knew it would only cost me $10 to set up a site that would get people to notice, so I just did it.”