Credit rating firm Equifax has mistakenly directed some customers to an imposter website via its Twitter page, security researchers say.
The firm recently disclosed a data breach affecting more than 143 million people, and set up a new website to share information with customers.
But it mistakenly tweeted the wrong web address several times, leading some customers to a fake website.
One security researcher told the BBC it was a “massive faux-pas”.
Following its data breach, Equifax set up a new website – equifaxsecurity2017.com – to let people find out more information.
The website also let people register for a credit monitoring service, by entering personal details into a form.
Many security researchers said Equifax should have hosted this information on its main website – equifax.com – rather than setting up a new one.
They pointed out that the new web address looked like one a scammer might set up to try to fool victims.
Security researcher Nick Sweeting tweeted: “Yeah… no thanks… it would take me literally 20 mins to build a clone of this site.”
He then did exactly that, creating an almost identical version of the website at securityequifax2017.com.
His fake version of the website also let people fill in their personal information – but then told them they had been “bamboozled”.
Staff operating the Equifax twitter feed shared the fake website with customers several times.
The BBC has contacted Equifax about the mistake but the company has yet to respond.
“Clearly, the social media team has not been thoroughly briefed,” said Ken Munro from the security firm Pen Test Partners.
“That’s a massive faux-pas, they should not be pointing people to a website that is not the real one.
“They are lucky the person behind it was a well-intentioned security researcher, it could easily have been somebody harvesting credentials.”
Criminals often use a widely-publicised data breach to try and fool victims into handing over more of their personal data.
“People have to be careful after a data breach. Hackers often email victims trying to spoof the affected organisations,” said Mr Munro.
“You might get phone calls from people pretending to be from the support team. We see this all the time – be on your guard.”