The credit scores of millions of Americans were exposed online when a lender abused an API owned by credit reporting agency Experian. As first reported by Krebs on Security, independent security researcher Bill Demirkapi was researching online student loan lenders when he discovered that he could easily get a person's Experian credit score by simply not entering some of the information typically required to do so.

Demirkapi was on a site that offered to check his eligibility for a loan simply by entering his name, address and date of birth. In general, when using a credit monitoring service, Americans must also provide their Social Security number to access their credit scores. After entering his accurate information, Demirkapi took a look at the code on the lender's site, and that's when he discovered that the company was invoking Experian's API.

He further elaborated on the relevance of his discovery in a statement to Krebs on Security, saying: “No one should be able to run an Experian credit check with only publicly available information. Experian must enforce non-public information for promotional requests; otherwise, an attacker finding a single vulnerability in a vendor could simply abuse Experian's system.”