It keeps getting more complicated for Equifax.
The credit agency’s Twitter account tweeted links on Wednesday to a fake site pretending to be Equifax, further bungling the company’s response to a massive hack that affected 143 million customers.
Equifax, like many companies, handles customer service and complaints through its Twitter account. But in tweets replying to people asking for help and more information, it occasionally directed them to “securityequifax2017.com.”
The domain, designed to look like a phishing site, was set up to criticize how the company handled the situation.
The official account tweeted links to the same site multiple times since September 9, two days after the breach was first announced. The links have been deleted, but screenshots show it was not a one-time flub.
It’s easy to mistake the fake site for the real one: equifaxsecurity2017.com. The company created it earlier this month to share information on the major data breach.
Security experts criticized Equifax’s decision to use this domain and website because it looks a lot like a scam site. Soon after it launched, some browsers flagged it as a phishing site. Experts warned hackers could create similar websites and trick people into giving up personal information.
Related: What cybercriminals do with stolen Social Security numbers
And it appears even Equifax was duped by the fake site.
Nick Sweeting, a software engineer, is behind the fake Equifax security site. He created it within hours of the breach announcement to show how easily it is to impersonate the response website.
He told CNN Tech the move was a part of an effort to get Equifax to change the hosting to the company’s secure website.
“It’s in everyone’s interest to get Equifax to change this site to a reputable domain,” Sweeting said. “I can guarantee there are real malicious phishing versions already out there.”
Sweeting, who spent $10 to buy the domain, said it took 20 minutes to build a clone. He used a simple content retrieval tool, the wget computer program, to copy Equifax’s real website and host it on his own.
Sweeting said the site received around 2,000 hits over the last few days before it went viral on Twitter on Wednesday. He stressed that his site is not malicious and does not store user data.
“Their response to this incident leaves millions vulnerable to phishing attacks on copycat sites,” the fake website states.
Equifax did not respond to a request for comment.