Equifax Breach: EULAs, Size Doesn’t Matter, and Where’s The Data?

This is the third blog in the running series on the Equifax data breach.

  1. Equif*@#$d: Equifax Breach Response Off To A Rough Start
  2. Equifax Breach: Legal, Vulnerability Blame Game, and the Big Technical Debacle
  3. Equifax Breach: EULAs, Size Doesn’t Matter, and Where’s The Data?
  4. Equifax Breach: The Bigger Picture, Identity, Impact, and Advice
  5. Equifax Breach: Ambulance Chasing, FireEye, and a News Roundup
  6. Equifax Breach: Timeline, International, Patching, Gender, PCI, oh my!

The fallout from the Equifax breach announcement from September 7th continues. As usual following a big data breach, we’re seeing a wide variety of commentary, speculation, and observations. Unfortunately, some of the statements appear to have little or no sources referenced and many are wild speculation at best. As always, read everything with a skeptical eye!

A day after the breach was announced, a furor arose as portions of Equifax’s TrustedID End User License Agreement (EULA) were highlighted. Specifically, one clause said that by enrolling in the TrustedID program after your personal information was leaked, you also waive your rights to sue Equifax or be part of any class-action suit. Given that the first class-action lawsuit has already been filed, this puts people in a bad spot. Either they can opt into a program designed to help them manage the leak and never sue Equifax, or they can forgo the program and reserve the right to sue Equifax, putting themselves at risk. These are not good options for those affected by the breach; they should have the right to do both. Image courtesy of @wyatt_privilege:


While this arbitration clause was included in the credit monitoring program, you apparently have the ability to opt out of the clause within 30 days. However, most people didn’t read far enough down to see the clause, let alone see the information about opting out. This serves as yet another reminder that while incredibly dull and sometimes difficult to read, EULAs are important and may severely impact you. Fortunately, by the time many heard about this arbitration clause, the public uproar prompted Equifax to change their minds.

What Happened to the Stolen Data?

After a data breach, one of the things many are curious about is what the criminals did with the data. In some cases, the data is posted publicly for all to enjoy, to make a statement. Other times it is used to facilitate further criminal activity in order to make money. More recently, we’re seeing criminals put the data up for auction, as we saw with the Shadow Brokers and their alleged National Security Agency (NSA) hack.

On September 8, Catalin Cimpanu noticed a Dark Web portal (badtouchyonqysm3.onion) was created that claimed to be selling the Equifax data:

According to Robert Hansen, the data was trading for 600 Bitcoin (USD $2,528,400.00) on the site.

Twitter user @real_1x0123, an ‘Underground Researcher’, appears to have found an Equifax host with shell access that shows access to several sub-domains. It is curious why they redacted two of the hosts, one of which is displayed in the browser tab title (ayuda.equifax.com). While it is not clear whether this is proof of the compromise or of the sale of the data, if legitimate, it should raise serious concerns for Equifax, as their response to the breach may not be as complete as they think.


Jonathan Nichols spent a little time poking at the Dark Web site claiming to have the data and found a few misconfigurations that reveal information about the hosting provider and potential BTC Wallet ID. Despite all of the above, it is not clear if this claimed data is legitimate, and if so, truly being sold.

Biggest Breach Ever? Not Even Close!

As we are keen to point out, many media outlets and security companies like to make statements about topics they don’t specifically research, because any news is good news. In this case, Cylance has claimed the Equifax breach is “one of the biggest ever” and SC Media puts it as the fifth largest breach ever. While you can debate the “one of the biggest” comments, since that is more about perspective in the big picture, we can certainly say that SC Media is wrong. Even using SC Media’s list, you can see this isn’t even the largest Credit Bureau breach in history. Using Cyber Risk Analytics, which actually tracks data breach information to great detail, we can get a better picture of where Equifax ranks as far as pure record disclosure:


Of course, it is important to remember that simply comparing the number of records doesn’t fairly compare the breaches. Losing millions of usernames and hashed passwords isn’t as severe as losing millions of credit histories, for example.

The story continues with Equifax Breach: The Bigger Picture, Identity, Impact, and Advice.