Scores of accounts on Equifax's website in Argentina allegedly were protected by the same generic username and password: "admin."
Researchers at Hold Security, a Milwaukee-based cybersecurity firm, found that after some guesswork, they were able to uncover personal employee information housed on Equifax's South American site, including names, emails, and Social Security equivalents of over 100 individuals.
The researchers easily acquired administrative access and quickly discovered consumer complaint records, complete with the Argentine equivalent of Social Security numbers, known as Documento Nacional de Identidad (National Identity Document).
"You don't expect anything like that," said Alex Holden, Hold Security's chief information security officer. "An ability to lookup cases for individuals based on a single numeric ID and gender drew our attention."
The research came as Equifax sank deeper into a controversy over its handling of a data breach that could affect 143 million people.
The credit reporting company is now facing multiple investigations. In a rare public acknowledgement, the Federal Trade Commission announced Thursday that it has opened a probe into Equifax's breach in the United States.
What Hold Security found is not related to the breach in the U.S., which Equifax disclosed last week. But Equifax promptly shut down the website after the research was made public by a security blogger named Brian Krebs.
In a statement to CNBC on Thursday, Equifax said:
"We learned of a potential vulnerability in an internal portal in Argentina which was not in any way connected to the cybersecurity event that occurred in the United States last week. We immediately acted to remediate the situation, which affected a limited amount of public information strictly related to consumers who contacted our customer service center and the employees who managed those interactions."
"What I can tell you is that we fixed the vulnerability immediately upon learning of it, and that this internal portal has not been in use since 2013. The Argentine consumer dispute information that was mentioned in the Krebs article is all publicly available, searchable and not confidential. Additionally, our consumer credit and commercial databases were not accessed or affected."
Since it announced the U.S. data breach last Thursday, Equifax shares have fallen more than 30 percent through Wednesday's close. But that's just the beginning of Equifax's woes.
The FTC's spokesman, Peter Kaplan, said Thursday, "In light of the intense public interest and the potential impact of this matter, I can confirm that FTC staff is investigating the Equifax data breach."
In addition, Massachusetts announced plans Wednesday to file a lawsuit, which will maintain that the company failed to adopt appropriate safeguards to protect the sensitive data. New York, Illinois, Pennsylvania and Connecticut and other states are also investigating, while nearly two dozen class-action lawsuits have already been filed.
Massachusetts Attorney General Maura Healey said Tuesday the Equifax breach "may be the most brazen failure to protect consumer data" her office has seen. Eric Schneiderman, New York's attorney general, warned people to be vigilant about hacking, email and other online attacks.
The disclosure of the U.S. data breach prompted Holden to take a look at Equifax's web security outside the U.S., he said. After first exploring the Argentine website, which initially required a national identification number, the researchers arrived at a different login interface after shortening the site's URL.
"We put in admin, admin [as credentials] and to our surprise we were in," he continued.
"We obviously did not state that there was a breach. We highlighted a horrendous security practice which, perhaps, was indicative of the overall data care that led to the breach in the US. But in my professional opinion, if any hacker would look at this part of the website, it would be breached," Holden told CNBC.
After making the initial discovery, Holden turned to security researcher Brian Krebs to assess his findings.
"Worse still," Krebs said, "each employee's username appears to be nothing more than their last name, or a combination of their first initial and last name. In other words, if you knew an Equifax Argentina employee's last name, you also could work out their password for this credit dispute portal quite easily."
ICYMI, Equifax forced to pull offline a huge database of consumer data guarded only by credentials "admin/admin"
Krebs is a widely followed blogger on security issues. "I don't have much advice for Argentinians whose data may have been exposed by sloppy security at Equifax," he said in a blog post on Tuesday. "But I have urged my fellow Americans to assume their SSN and other personal data was compromised."