The Equifax breach that exposed sensitive data for as many as 143 million US consumers was accomplished by exploiting a Web application vulnerability, company officials said Thursday.

"Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted," company officials wrote in an update posted online. "We know that criminals exploited a US website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement."

The flaw in the Apache Struts framework was fixed on March 6. Three days later, the bug was already under mass attack by hackers who were exploiting the flaw to install rogue applications on web servers.

The disclosure suggests that Equifax failed to update its Web applications, despite demonstrable proof the bug gave real-world attackers an easy way to take control of sensitive sites.

Equifax Chief Executive Richard Smith is expected to testify before a U.S. House of Representatives panel on Oct. 3 after nearly 40 states joined a probe of the company's handling of the breach.

The Federal Trade Commission on Thursday said it has opened an investigation into the data breach at Equifax.

Apache Struts is a framework for developing Java-based apps that run both front-end and back-end Web servers. It's relied on heavily by banks, government agencies, large Internet companies, and Fortune 500 companies.