Not exactly. Equifax has hardcoded references to an akamai cache of a domain (hints.netflame.cc) in their own pages[1].
That domain was owned by Fireclick (né Digital River) at one time, but changed ownership on November 15, 2016. The current owner is a Thai national using a personal Gmail address as the registration info.
Equifax should be responsible for what 3rd party domains it is referencing in their pages.
The script they hosted was legitimate. The Akamai content that it loaded was legitimate. But Fireclick let the domain lapse, and someone else is now impersonating them and serving malware, and not just to Equifax, either. Why is the story "Equifax hacked again" instead of "Akamai serving content from known spammer site"?
I'm reasonably sure the whole Fireclick infrastructure was abandoned, probably years ago. So Equifax's part was not having some mechanism in place to remove 3rd party references for 3rd parties that aren't delivering anymore. I strongly suspect that predated the change in ownership of the domain, which was almost a year ago. The fireclick.com domain is gone. The parent company (Digital River) doesn't mention offering any kind of analytics service.
So, yes, technically the vector wasn't directly an Equifax server. But it was only a vector because nobody removed the reference.
Right now, they also reference crazyegg.com in their pages. If crazyegg goes belly up, the domain will be dormant, and when it expires, somebody might take it over. Does Equifax have an onus to deal with that, or can they blame someone else?
I don't know; how can you reasonably defend against that sort of domain hijacking/repurposing? We fundamentally have to trust DNS at some level, but domain names are somewhat transient in nature. Is it fair to single out Equifax here, or is this just an example of an unsolved problem in the industry?
Somebody used to log into the backend that showed them the statistics. Surely they noticed when it disappeared?
Security scans also usually include breakdowns of 3rd party stuff.
But yes, there are ways it could go wrong. On the other hand, Equifax is one of very few places that has so much important data. I'd expect them to be leaders in this space, not lackluster followers. Subresource integrity, perhaps more due diligence on partners... stick with bigger players for code that shows up on your site, etc.
I'd have to guess that someone cancelled the analytics at the business level, but never bothered to write up a change request to tell the devs to take it out.
[1]https://aa.econsumer.equifax.com/aad/uib/js/fireclick.js