The complete guide to the Equifax breach

We’re exhausted too.
We’re exhausted too.
Image: Reuters/Stringer
We may earn a commission from links on this page.

Every day brings new details—and questions—about the Equifax breach that exposed the personal information of millions of customers to hackers. It can be hard to keep up with the firehose of information; that’s where we come in.

Here’s everything you need to know about what’s going on, and what exactly you should be doing to deal with it.

Equifax is a credit agency. 


Equifax is one of three major credit reporting agencies (CRAs) in the US. The other two are TransUnion and Experian. These agencies maintain records on all Americans’ credit history by gathering data from firms that issue credit, such as credit card companies, banks, and credit unions.

They were hacked. 


On Sept. 7, Equifax reported that hackers had exploited a vulnerability in its US website application to gain access to certain files from mid-May through July 2017.

Roughly 145.5 million US customers could be affected. 


The hackers accessed personal data, including Social Security numbers, birth dates, addresses, and, in some cases, driver’s license numbers. They also stole credit card numbers (at least) for approximately 209,000 US consumers, as well as dispute documents—used to dispute errors on credit reports—with personal identifying information for approximately 182,000 US consumers. Some UK and Canadian residents may have also had personal data compromised.

If you’re in the US, you were probably affected! 


If you are an American citizen or US resident and you have ever applied for credit, you could have been affected by the breach, according to the Identity Theft Resource Center. (After all, 143 million people represents 44% of the US population.) Says ITRC: “The breach may also impact minor children whose parents have submitted documentation to the CRAs for the purposes of checking on or protecting their credit information, even if a credit report or score was never established.”

Equifax knew about the hack more than a month before they reported it. 


You read that right. The company discovered the breach on July 29 and chose not to publicly disclose it until last week. Adding insult to injury, three Equifax executives sold nearly $2 million in company stock before the announcement. The company maintains that its executives “had no knowledge that an intrusion had occurred at the time they sold their shares.”

Perhaps unsurprisingly, Equifax is now under federal investigation. On Friday, Dow Jones reported that two of its security and information executives are retiring, effective immediately.

Equifax set up a site for potential victims. 


The company established a website to help consumers find out whether their data had been compromised; it also offered them the opportunity to sign up for credit-file monitoring and identity-theft protection.

People weren’t happy. 


When the Equifax recovery site first launch, it included a clause stating that anyone signing up for protective services waived their rights to participate in any class-action lawsuits against the company. After intense public and media outcry, the company eventually removed the clause.

There are things potential victims should do. 


Again, if you are an American citizen or US resident who has applied for credit, this applies to you! Here is a quickie version of Quartz’s guide to navigating the fallout.

  1. Check your credit report for unauthorized activity. You can get free reports for all three CRAs at Follow up with the credit issuers immediately if anything looks suspicious.
  2. Freeze your credit with each CRA using the websites and phone numbers below. This will prevent people from opening new lines of credit with your identity, although it does not protect your currently open lines of credit.
    Equifax: 1-800-349-9960
    Experian: 1‑888‑397‑3742
    TransUnion: 1-888-909-8872
  3. Set up a fraud alert. You only need to contact one CRA to do this. Once in place, an alert requires the agency to verify your identity anytime you or someone else tries to open an account. You’ll need to renew it after 90 days.

You definitely shouldn’t do nothing. 


ITRC CEO Eva Casey Velasquez says that taking a wait-and-see approach could be hugely detrimental. Credit fraud can take weeks to resolve, at best; at worst, it can take years. That hassle far outweighs the inconvenience of having a temporary (or even permanent) credit freeze.

Having your SSN stolen also puts you at risk for criminal, medical, and even government benefits and documents fraud, Velasquez says. To avoid tax fraud, file early.

(You can read more of Velasquez’s advice here.)

The hack is one of 23 so far this year. 


By Wired’s count, there have been 23 cyberattacks in 2017, ranging from a Verizon server vulnerability that left the phone numbers, names, and pin codes of 6 million customers exposed to a malware attack on Chipotle’s payment systems that accessed US customers’ payment card data.

The hacks are exposing fundamental issues with how the US handles privacy. 


“Your Social Security number is supposed to be kept secret, which is an increasing challenge in the digital era,” Wired noted in a story this week. “And unlike other, similar secrets (like credit card numbers and passwords), SSNs are extremely difficult to change.”

Many experts are now calling for a complete revamp of the SSN system, or even eliminating it entirely.

Updated (Oct. 4, 2017): Equifax announced on Oct. 2 that the total number of consumers affected has risen to 145.5 million. We have updated the story.