
I'm reasonably sure the whole Fireclick infrastructure was abandoned, probably years ago. So Equifax's part was not having some mechanism in place to remove 3rd party references for 3rd parties that aren't delivering anymore. I strongly suspect that predated the change in ownership of the domain, which was almost a year ago. The fireclick.com domain is gone. The parent company (Digital River) doesn't mention offering any kind of analytics service.

So, yes, technically the vector wasn't directly an Equifax server. But it was only a vector because nobody removed the reference.

Right now, they also reference crazyegg.com in their pages. If crazyegg goes belly up, the domain will be dormant, and when it expires, somebody might take it over. Does Equifax have an onus to deal with that, or can they blame someone else?



I don't know, how can you reasonably defend from that sort of domain hijacking/repurposing? We fundamentally have to trust DNS at some level, but domain names are somewhat transient in nature. Is it fair to single out Equifax here, or is this just an example of an unsolved problem in the industry?


Somebody used to log into the backend that showed them the statistics. Surely they noticed when it disappeared?

Security scans also usually include breakdowns of 3rd party stuff.

But yes, there's ways it could go wrong. On the other hand, Equifax is one of very few places that has so much important data. I'd expect them to be leaders in this space, not lackluster followers. Subresource integrity, perhaps more due diligence on partners...stick with bigger players for code that shows up on your site, etc.
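
An added example, not part of the thread or any commenter's code: a sketch of the third-party breakdown and subresource-integrity check mentioned above, listing each external script host on a page and which of its references carry no `integrity` attribute. The function names, the `shop.example` first-party domain and the sample markup are assumptions constructed for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


def sri_hash(body: bytes) -> str:
    """Integrity value for pinning a reviewed copy of a script (SHA-384)."""
    digest = hashlib.sha384(body).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


class _ScriptCollector(HTMLParser):
    def __init__(self, first_party: str):
        super().__init__()
        self.first_party = first_party
        self.third_party = []  # (host, src, integrity or None)

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attr = dict(attrs)
        host = urlparse(attr.get("src") or "").hostname
        if host is None:  # inline or relative URL: served by our own origin
            return
        if host == self.first_party or host.endswith("." + self.first_party):
            return
        self.third_party.append((host, attr["src"], attr.get("integrity")))


def audit(html: str, first_party: str) -> dict:
    """Map each third-party script host to its srcs lacking an integrity attribute."""
    collector = _ScriptCollector(first_party)
    collector.feed(html)
    report = {}
    for host, src, integrity in collector.third_party:
        unpinned = report.setdefault(host, [])
        if not integrity:
            unpinned.append(src)
    return report


# Constructed sample page; hosts are placeholders, not taken from the thread.
SAMPLE = """
<script src="/js/app.js"></script>
<script src="https://static.shop.example/lib.js"></script>
<script src="//analytics.example/tag.js"></script>
<script src="https://cdn.example/ui.js" integrity="sha384-AAAA" crossorigin="anonymous"></script>
"""

if __name__ == "__main__":
    for host, unpinned in audit(SAMPLE, "shop.example").items():
        print(host, "UNPINNED" if unpinned else "pinned", unpinned)
```

Integrity pinning only suits scripts whose bytes stay fixed; a vendor tag that changes on the vendor's schedule has to be self-hosted or removed instead, and the host list this produces is what needs an owner who reviews it when a service is cancelled.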


I'd have to guess that someone cancelled the analytics at the business level, but never bothered to write up a change request to tell the devs to take it out.



