Equifax has confirmed that a months-old web application vulnerability exploited by hackers led to the massive data breach that exposed the personal and financial information of about 143 million American consumers.
In a progress report published on Wednesday (13 September), the credit reporting firm said threat actors had exploited the Apache Struts vulnerability CVE-2017-5638, a flaw first disclosed in March this year.
"Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted," the company said. "We know that criminals exploited a U.S. website application vulnerability.
"We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement."
Patches for the critical flaw in the Apache Struts framework were made available within days of its disclosure in March.
However, Equifax said last week that it was compromised between mid-May and July, strongly suggesting that the firm had failed to update its web applications.
The breach, which was made public last week, saw the theft of a trove of consumers' valuable personal and financial data, including their names, Social Security numbers, birth dates, addresses and driver's licence numbers. Although the company learned of the breach on 29 July, it was only revealed more than a month later, on 7 September.
The massive hack is one of the largest in US history and the biggest known leak this year so far.
Equifax has also come under intense scrutiny following the disclosure, with almost 40 US states joining an investigation into the breach, along with the United States Congress. Lawmakers have also demanded more information from the company regarding the scope, timeline and circumstances surrounding the hack.
The company has already been hit with more than 30 lawsuits filed in the US in the wake of the disclosure.
Senator Orrin Hatch, chairman of the Senate Finance Committee, has also asked the firm to provide information on when the company's management and board members were informed about the attack, including the three top executives who sold shares worth nearly $1.8m (£1.36m) just three days after the breach was first discovered.
The company has denied the executives illegally sold their shares based on insider information.
Equifax's chief executive Richard Smith is expected to testify before a House of Representatives panel on 3 October regarding the breach and the company's decision to delay disclosing it.