Beleaguered credit agency Equifax tweeted a link to a would-be phishing site to a victim of its massive breach rather than the breach information site it intended.
The exchange happened Monday evening when a current customer of Equifax's credit monitoring service TrustedID asked if he could cancel that subscription in exchange for the free year of TrustedID offered to victims.
"Hi! For more information about the product and enrollment, please visit: [the url of the fake site] -Tim," tweeted Equifax from its official account.
Equifax apparently intended to send a link to equifaxsecurity2017.com, the site with information on how to sign up for TrustedID. Instead, the tweet rewrote equifaxsecurity2017 as securityequifax2017.
The securityequifax2017 web address had already been registered by security researcher Nick Sweeting, who scooped up the site to prevent a scam artist from using it to trick potential victims into entering their information, thinking they were communicating with Equifax.
Experts typically suggest that companies host sites like equifaxsecurity2017.com under their domain names — in this case, equifax.com — to assure users they are not giving information to a fake site.
The tweet stayed up into Wednesday, but by Wednesday afternoon the incorrect tweet had been taken down and Equifax issued a statement apologizing for the incident.