(Adds details on share price, legislation, previous FTC dealings with company)
WASHINGTON, Sept 14 (Reuters) - The U.S. Federal Trade Commission said on Thursday it was investigating Equifax Inc's massive data breach, a rare public confirmation, as a top Democrat suggested the credit-monitoring company's corporate leaders might need to resign.
Senate Democratic Leader Chuck Schumer also compared Equifax to Enron, a U.S. energy company that filed for bankruptcy in 2001 after revelations of a widespread accounting fraud.
"It's one of the most egregious examples of corporate malfeasances since Enron," Schumer said, calling Equifax's treatment of consumers afterward "disgusting" and its inability to protect data "deeply troubling."
Equifax shares have lost about a third of their value since the breach was disclosed last week. The stock hit a nearly two-year low earlier on Thursday and was down 3.5 percent at $95.62 in the afternoon after the company confirmed that a fixable web server vulnerability was exploited in the hack.
"The FTC typically does not comment on ongoing investigations," spokesman Peter Kaplan said in a brief email statement. "However, in light of the intense public interest and the potential impact of this matter, I can confirm that FTC staff is investigating the Equifax data breach."
Schumer said Equifax's chief executive officer and board might need to resign if the company does not take concrete steps within the next week to protect consumers and agree to testify before lawmakers and federal regulators.
"We need to get to the bottom of this - the very bottom, the murky bottom, the dirty bottom," he added.
Equifax CEO Richard Smith has agreed to testify on Oct. 3 before a U.S. House of Representatives panel, the company said Thursday.
The FBI has opened an investigation into the breach, and nearly 40 states have joined a probe of Equifax's handling of the situation.
Also on Thursday, at least three bills were introduced in response to the hack. Four Democratic senators, including Ed Markey of Massachusetts, sponsored legislation that would require that Equifax and other data brokers be held accountable for errors.
"This bill requires data brokers to put in place comprehensive privacy and data security programs so that consumers in Massachusetts and throughout the country do not experience another Equifax," Markey said.
Confirming what many cyber security experts expected, Equifax said late on Wednesday that hackers used a flaw in its open-source Struts software, distributed by the nonprofit Apache Software Foundation, to break into its systems. A patch for the vulnerability was issued in March, two months before Equifax said hackers began siphoning data.
Equifax representatives did not immediately respond to requests for comment on the FTC probe.
The company has tangled with the FTC at least once over consumers' efforts to correct errors in credit reports. In 2012, it settled FTC allegations that it had improperly sold data on consumers who were behind on their mortgages.
Equifax disclosed the breach on Sept. 7, saying thieves may have stolen the personal information of 143 million Americans in one of the largest hacks ever. It learned of the hacking on July 29. (Reporting by Dustin Volz, Susan Heavey, Diane Bartz, Jim Finkle, David Shepardson and Dan Burns; Editing by Jeffrey Benkoe and Lisa Von Ahn)