Security

Equifax's hack checker is a hot mess -- here's what to do

Equifax's hack checker needs to be checked.

screen-shot-2017-09-08-at-4-04-07-pm

Sharon Profis/CNET

From the time Equifax discovered its database was breached to the day it publicly announced the hack, six weeks passed. The company was likely preparing for one of the worst data breaches in American history, including the creation of a tool that lets anyone find out if they were affected by the hack. 

That tool, however, might need a check of its own. 

The way it works is: You enter your last name and the last six digits of your social security number. Then, Equifax gives you one of two results: 

  • Equifax will let you know that you may have been impacted.
  • Equifax will let you know you were not impacted.

Something is not quite right with the results, though, as ZDNET's Zack Whittaker discovered. The tool provides random results, even for fictional names and social security numbers. I tested this myself with the last name "Hellomoto" and a random string of digits. Turns out that the person with the last name Hellomoto was not impacted. 

Another Twitter user tried a random combination, which returned results of a possible impact. 

Is Equifax's tool completely useless? The random results suggest that it can't be fully trusted, as it doesn't return errors for bogus entries and, in some cases, confirms that made-up people were affected. Equifax has already revised its tool once to provide more clear results (it previously didn't explicitly tell users they were impacted) but could be further improved -- or fixed. 

At this point, we suggest that any person with a credit history take action as if they were affected. That means watching out for signs of identity theft and taking further precautions, such as freezing your credit and setting fraud alerts. Here's our complete guide to how to handle the situation.

We have reached out to Equifax for comment and have not yet heard back. 

Editor's note, Sept. 9: Revised to reflect that Equifax made changes to its tool, but didn't address the bogus entry issue. Further clarified what happens when bogus entries are used in the tool.