The drama surrounding Equifax's recent leak is bringing more and more facepalms.
After 143 million people had their personal information compromised and executives conveniently sold off chunks of stock before the announcement was made public, Equifax tried to help by offering people a site to check whether or not they were affected. Good intentions aside, Mashable reports that Equifax's Twitter account was actually directing consumers to a phishing site instead of the one the company set up. And it did it at least eight times.
Equifax did put up a legitimate site to help people, www.equifaxsecurity2017.com, but the people behind the company's Twitter account accidentally posted links to www.securityequifax2017.com instead. That particular site is actually a lookalike website, not a real place for consumers to seek help or get answers. The AV Club notes that, thankfully, the site wasn't malicious. It was created to show that Equifax wasn't being as careful as it should be in the aftermath of the breach, not to collect more user data.
Since the gaffe, Equifax has taken down the misleading tweets. Users who did enter their information on the faux site got a message reading "you got bamboozled" and were presented with directions on how to tell Equifax about its mix-up via social media. Users could have read a banner on the site to find out that it was illegitimate, though, since there was a warning that stated, simply, "Cybersecurity Incident & Important Consumer Information Which is Totally Fake, Why Did Equifax Use A Domain That’s So Easily Impersonated By Phishing Site."
Closer inspection of the site revealed further disclaimers:
"[Equifax's] response to this incident leaves millions vulnerable to phishing attacks on copycat sites," the page reads. "This is why you don't put your security incident website on a domain that looks like a scam (with an Amazon SSL cert), no-one can tell the difference between the real thing and a phishing site."
@SwiftOnSecurity I'm trying to get equifax to change their domain by spreading this site around: https://t.co/wIKBv2yBUh (give it a click)
— Nick Sweeting (@thesquashSH) September 8, 2017
To be extra clear, no form data is accepted on the site (the form points to localhost), it's not malicious in any way.
— Nick Sweeting (@thesquashSH) September 20, 2017
For its part, Equifax didn't offer much of an explanation for the error. Instead of admitting its own mistake and offering users an apology, a spokesperson simply reiterated that there's a real website users can use, though after this mix-up, consumers probably don't have much faith in the company any longer.
"All posts using the wrong link have been taken down," an Equifax spokesperson told Mashable. "To confirm, the correct website is https://www.equifaxsecurity2017.com. We apologize for the confusion."