Equifax data breach: Hackers stole data of over 200,000 credit cards 'in one fell swoop' in May

Security researchers have discovered that the historic Equifax data breach disclosed last week may have seen more than just the theft of highly-valuable credit and financial data. Security expert Brian Krebs reports that hackers also stole more than 200,000 Mastercard and Visa credit card accounts in the massive breach.

Visa and Mastercard have sent confidential notifications to financial institutions across the US warning them of possible credit card theft as a result of the breach. Krebs noted that while it is unusual for these alerts to specify the company from which the accounts are suspected to have been pilfered, both Visa and Mastercard specifically referred to Equifax as the source of the payment card breach.

According to reports, the alerts from both the companies stated that the cards were likely stolen between 10 November, 2016 and 6 July, 2017. Visa said the compromised data included the cardholders' names, card account numbers and expiration dates.

Last week, Equifax revealed that it had suffered a major breach that compromised highly-valuable financial data of about 143 million Americans, including names, social security numbers, dates of birth and addresses. The intrusion, one of the largest-known breaches in history, occurred between mid-May and July, Equifax said.

The company claimed it learned about the hack on 29 July, but only disclosed it more than a month later on 7 September.

In a statement to Krebs, Equifax said that the threat actors downloaded the credit card data "in one fell swoop" from the company's transaction history in mid-May.

"The attacker accessed a storage table that contained historical credit card transaction-related information," the company said. "The dates that you provided in your e-mail appear to be the transaction dates. We have found no evidence during our investigation to indicate the presence of card harvesting malware, or access to the table before mid-May 2017."

Equifax did not offer details about how the credit card data was being stored or why only the data collected from customers after November 2016 was exposed in the hack, Krebs reported.

This week, Equifax confirmed that hackers exploited a months-old, unpatched web server vulnerability called Apache Struts CVE-2017-5638 to carry out the attack.

Since the disclosure, the company has been hit with at least 30 lawsuits and is currently being investigated by some US states and the Congress. Lawmakers have demanded that Equifax provide more details regarding the timeline of the breach, its decision to delay the announcement and the three executives who sold stock just days after the firm learned of the breach, but before it was publicly disclosed.

"We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement," Equifax said.

Equifax CEO Richard Smith is expected to testify in a hearing to explain the company's handling of the hack.