In a follow-up statement shared with KrebsOnSecurity this afternoon, however, Equifax said the problem stemmed from a "third-party vendor that Equifax uses to collect website performance data", and that "the vendor's code running on an Equifax Web site was serving malicious content". Tech experts believe the credit monitoring firm may have discovered the hack on their own and removed the fake software however, Equifax did not respond to media requests for comment on the incident.
Several hours after Goodin's piece went live, Equifax disabled the page in question, saying it was doing so out of "an abundance of caution" while it investigated the claims.
Carroll said in an emailed statement that, "We are aware of the situation identified on the equifax.com website in the credit report assistance link".
Having already leaked the personal information of half the people in the entire United States, you might think things have gotten pretty much as bad as they can get for Equifax. "When it becomes available or we have more information to share, we will".
Since news of Equifax's massive data breach broke last month, the company is facing investigations in Canada and the US, as well as at least two proposed class actions filed in Canada.
Equifax has also said a file containing names and birthdates of 15.2 million people in the United Kingdom were accessed. In many cases, even more personal data was exposed, including driver's license and credit card numbers.
The breach was first noticed by Randy Abrams, an independent security analyst that had been visiting the site to flag fraudulent activity on his credit report.
- With files from The Associated Press.