An engineer changed his Expersian account at Experian with a strong password in 2020 to place a security freeze on a credit file. Two years later he received an email from Experian saying the email address on his account had been changed. Experian’s password reset process was useless at that point because any password reset links would be sent to the new (impostor’s) email address. An Experian support person Turner reached via phone after a lengthy hold time asked for his Social Security Number (SSN) and date of birth, as well as his account PIN and answers to his secret questions. But the PIN and secret questions had already been changed by whoever re-signed up as him at Experian. In order to prevent another account compromise in the future Experian lacks multi-factor authentication options on consumer accounts.