Summary
Between May and July 2017, attackers stole the personal data of about 147 million people from Equifax, one of the three big US credit bureaus: names, Social Security numbers, birth dates, addresses, and more. The whole catastrophe traced back to a single unpatched dependency. A critical remote-code-execution flaw in Apache Struts 2 (CVE-2017-5638) was patched on 6 March 2017 and Equifax was told to fix it within 48 hours, but the notice never reached the team that ran the affected portal, the scan meant to catch the gap looked in the wrong place, and the hole stayed open. Attackers confirmed they could break in within days; weeks later a separate intrusion quietly siphoned data for about 76 days, helped by a monitoring appliance that had gone blind because its certificate had expired and no one noticed. It remains the canonical lesson, and an uncomfortably on-brand one, that you cannot defend a dependency you do not know you are running, or watch a network you have gone blind to.
How it happened
The flaw itself was simple. CVE-2017-5638 let an attacker put a malicious expression in the Content-Type header of a web request and have the Apache Struts framework execute it: remote-code-execution from an unauthenticated HTTP request, about as bad as a web vulnerability gets. The Apache Software Foundation patched it on 6 March 2017, and on 8 March a US-CERT alert reached Equifax. The next day an internal email went out telling staff to patch within 48 hours.
It did not get patched, and the reason is almost mundane. The email's distribution list was out of date, so the people responsible for the affected system, an online portal where consumers dispute credit-report errors, never received it. A vulnerability scan run days later came back clean, because it never checked the directory where the vulnerable application actually ran. The hole stayed wide open.
On 10 March, attackers confirmed they could run commands on the portal, but took nothing yet. The real theft was a separate intrusion that began around 13 May. Once in, the attackers found a configuration file holding unencrypted credentials, used them to reach 48 unrelated databases, and ran roughly 9,000 queries, successfully locating unencrypted personal data 265 times, pulling it out in small encrypted chunks routed through 34 servers in nearly 20 countries to stay invisible. They had about 76 days, because the network appliance that decrypts and inspects outbound traffic had been useless for many months (by the congressional account, nineteen) after its certificate quietly expired. The day Equifax finally renewed that certificate, 29 July, the device immediately lit up with the suspicious traffic and the breach was found within hours. The detection worked the moment someone turned it back on.
The damage
The stolen data was the worst kind: about 147 million people's Social Security numbers, birth dates, and addresses, plus roughly 209,000 credit-card numbers and 182,000 dispute documents with attached identity records. A Social Security number cannot be rotated like a password; the exposure is effectively permanent. Equifax's CEO, CIO, and chief security officer all left in the aftermath, and one division's former CIO was later singled out and fired for failing to forward the patch email, a vivid example of blaming a person for what was a systems failure. Equifax spent well over a billion dollars on cleanup and agreed in 2019 to a settlement with the FTC, the CFPB, and the states worth up to about $700 million. In 2020 the US Department of Justice indicted four members of the Chinese military over the intrusion.
Why Equifax still matters
Equifax is the case we point to most, because it is the purest example of the problem we work on. Nothing exotic happened. There was no zero-day, no nation-state malware on the way in, no insider. There was a known-vulnerable component with a patch already available, a notice that reached the wrong inbox, a scan that looked in the wrong place, and unsegmented databases with no limit on how many an account could query, so one portal compromise reached 48 of them. The fixes are all process: keep a real software bill of materials, enforce a remediation clock on critical CVEs in internet-facing apps with verification it actually shipped, segment and rate-limit data access, and alert on the health of your own defences.
And it is a lesson that refuses to stick. Four years later Log4Shell showed the same dependency-everyone-was-running-and-forgot pattern at even greater scale, and the xz backdoor showed its supply-chain cousin. "Vulnerable and outdated components" is its own entry in the OWASP Top 10 because Equifax was not a one-off; it is the default failure mode of modern software.
How to fix it
- Patch or virtually patch the vulnerable component immediately, and confirm every instance is covered, not just the ones the inventory knew about.
- Renew and monitor the certificates your inspection and monitoring tools depend on, so detection never goes dark silently.
- Rotate credentials and keys reachable from the compromised application, and hunt for the data the attacker could read.
- Verify your vulnerability scanner actually detects the issue; Equifax's scan ran and still missed it.
How to avoid it
- Maintain a software bill of materials (SBOM) and continuously scan dependencies, so a critical CVE in a component like Struts is found the day it drops.
- Enforce a fast, tracked remediation SLA for critical RCEs in internet-facing apps, with verification (not just a notice email) that the fix shipped everywhere.
- Alert on the health of your own security controls (expired certs, dead sensors), so a blind spot pages someone.
- Segment databases and rate-limit queries so a single internet-facing app cannot reach 48 unrelated stores, and watch for large or unusual egress.
- Treat "use of a known-vulnerable component" as a release blocker, not a backlog item.
References
- https://www.gao.gov/assets/gao-18-559.pdf
- https://oversight.house.gov/wp-content/uploads/2018/12/Equifax-Report.pdf
- https://www.ftc.gov/enforcement/refunds/equifax-data-breach-settlement
- https://www.justice.gov/archives/opa/speech/attorney-general-william-p-barr-announces-indictment-four-members-china-s-military
- https://news.apache.org/foundation/entry/media-alert-the-apache-software
Related vulnerabilities
All AppSec →- MEDIUMAPPSEC-SOURCEMAP-DISCLOSURE
A source map (.map) is a build artifact that maps minified bundle code back to the original source, and bundlers embed the full original code in its sourcesContent field. Left reachable in production or shipped inside a package, it hands anyone the unminified codebase, internal comments, hidden API endpoints, auth logic, and any secrets that were compiled in. Discovery is trivial: open DevTools and read the Sources tab, request the bundle's .map URL directly, or Google-dork for ext:map intext:webpack, then reconstruct the whole project with a tool like unwebpack-sourcemap. Passive scanners such as Acunetix and Burp already flag it as a standalone finding. It is usually rated medium on its own but escalates fast when the recovered source contains live credentials or undocumented endpoints; exposed Webpack source maps have leaked hardcoded Stripe secret keys that enabled unauthorized payments. High-profile cases include Apple's App Store web front-end in November 2025, shipped with source maps still enabled, and Anthropic's Claude Code, whose entire TypeScript source leaked via a source map left in a published npm package in March 2026.
- HIGHAPPSEC-RACE-TOCTOU
A business-logic race condition exploits the brief window between a check on shared state and the act that mutates it (time-of-check to time-of-use), letting concurrent requests each pass the same check before any of them commits, so a limited resource is consumed more times than allowed (OWASP API6:2023, Unrestricted Access to Sensitive Business Flows). The vulnerable code is any check-then-act sequence on shared state without atomic database-level locking: validate a single-use coupon or gift card then redeem it, check a balance then withdraw or transfer, or verify a one-per-user limit then grant. Firing many near-simultaneous requests collapses the state machine and redeems one coupon multiple times, withdraws the same balance twice, or bypasses a per-user cap. James Kettle's 'Smashing the state machine: the true potential of web race conditions' (PortSwigger, published 9 August 2023, presented at Black Hat USA and DEF CON 31) introduced the single-packet attack, which withholds the final HTTP/2 frames of 20-30 requests and releases them in one TCP packet, neutralizing network jitter and squeezing arrivals into a sub-millisecond window so the race becomes reliably exploitable.
- HIGHAPPSEC-GRAPHQL-ABUSE
GraphQL servers expose three abuse primitives stemming from the query language's flexibility. Leaving introspection enabled lets any client send a __schema query and recover the entire type system, including internal admin mutations and deprecated fields, providing a map of the attack surface (OWASP API8/API2). Because per-request rate limiters count one HTTP request regardless of operations inside it, an attacker can use field aliasing (e.g. attempt0:login(...), attempt1:login(...)) or array batching to pack dozens of login or verifyOtp mutations into a single request, brute-forcing credentials or short OTP/2FA codes while the rate limiter sees only one request; this aliasing-bypass technique is reproduced in the PortSwigger Web Security Academy 'Bypassing GraphQL brute force protections' lab and Wallarm's GraphQL batching research. Deeply nested or recursive queries cause an exponential explosion of resolver and database calls, exhausting CPU, memory and connection pools for denial of service, the core of OWASP API4:2023 Unrestricted Resource Consumption. HackerOne has disclosed a real GraphQL authentication-bypass finding, and Apollo Server v4 disabled array batching by default in response to these attacks.
- CRITICALAPPSEC-NOAUTH-2023
nOAuth, disclosed by Descope's security team on June 20, 2023 (reported to Microsoft on April 11, 2023), is a cross-tenant account-takeover class in multi-tenant Microsoft Entra ID (Azure AD) OAuth applications, mapping to OWASP API2:2023 Broken Authentication. The flaw existed because Entra ID emitted an 'email' claim in the OIDC token that was both mutable and unverified, while applications used that email rather than the immutable 'sub'/'oid' claim to identify and link the signed-in user. An attacker who controlled their own Entra tenant could set the email attribute of an attacker account to a victim's email address, then use 'Log in with Microsoft' against any vulnerable app; the app merged accounts by the spoofed email and granted full control of the victim's account, requiring no interaction from the victim. Descope confirmed real exposure in major SaaS apps including a design platform with millions of monthly users. Microsoft mitigated by no longer emitting unverified email claims by default for app registrations created after June 2023 and added the xms_edov claim and a RemoveUnverifiedEmailClaim flag.
- HIGHAPPSEC-TMOBILE-API-2023
On January 19, 2023 T-Mobile disclosed in an SEC 8-K filing that an attacker had abused a single API to obtain data on roughly 37 million current postpaid and prepaid customer accounts, with access beginning on or around November 25, 2022 and continuing about six weeks until detection on January 5, 2023 and cutoff a day later. The exposed fields included names, billing addresses, emails, phone numbers, dates of birth, account numbers, and plan features; T-Mobile stated no passwords, payment card data, Social Security numbers, or government IDs were taken. T-Mobile only stated that a bad actor obtained data through a single API without authorization, without publishing the low-level mechanism; the security-community consensus reconstruction is Broken Object Level Authorization (BOLA/IDOR), where the API returned per-customer records without verifying the caller was authorized for that specific object, letting the attacker walk through customer identifiers at scale. The mechanism maps to BOLA via a user-controlled key, or, if the endpoint lacked authorization entirely, to missing authorization.
- CRITICALAPPSEC-AUTO-API-2023
On January 3, 2023 Sam Curry and a team of researchers published Web Hackers vs. The Auto Industry, documenting critical API authorization flaws across about 16 automakers including Kia, Hyundai, Honda, Nissan, Acura, Infiniti, BMW, Ferrari, Porsche, Rolls Royce and Mercedes-Benz, plus telematics providers such as SiriusXM Connected Vehicle Services and Spireon. The connected-car APIs treated the VIN, which is visible through the windshield and effectively public, as an object identifier without verifying the caller actually owned the vehicle, a Broken Object Level Authorization flaw. Using only a target VIN, researchers could enroll a vehicle to an attacker account or bypass ownership checks and then remotely unlock, start, locate, honk, and track vehicles, achieving full account takeover. Several manufacturers also had Broken Function Level Authorization and misconfigured SSO/OTP endpoints exposing internal dealer portals. The work maps to OWASP API1:2023 (BOLA) and API5:2023 (BFLA).