Security

Equifax hackers possibly pilfered 200,000 credit cards at once

Visa and Mastercard have reportedly warned US financial institutions that hundreds of thousands of credit cards were stolen in the massive breach.

The Equifax breach involves millions of stolen Social Security numbers, birth dates and addresses, and hundreds of thousands of credit card numbers.

James Martin/CNET

It's thought that millions of people's Social Security numbers, birth dates and addresses were stolen by hackers after the Equifax breach, so why not throw in credit cards too?

The latest news about the massive hack is that more than 200,000 Mastercard and Visa credit card accounts were reportedly stolen in one swoop, according to security expert Brian Krebs. Apparently, Visa and Mastercard have sent confidential alerts to financial institutions across the US warning them of the possible theft due to the breach. And Equifax has reportedly said the cards were all stolen at the same time.

As many as 143 million people are thought to have been affected by the Equifax hack. That's nearly half the US population. The breach is particularly potent because Equifax, a credit reporting firm, holds such a large amount of people's sensitive information. It's among the largest hacks in US history and the biggest known leak of 2017. In 2013, Yahoo is said to have lost data on roughly a record 1 billion accounts.

Equifax learned about the breach on July 29 but didn't reveal it for more than a month. The firm already said that hackers stole the credit card numbers of about 209,000 people and also got documents with personal information on 182,000 victims. But until now, credit card companies have been mostly quiet about the breach.   

Though Visa and Mastercard commonly tell possible victims and institutions their cards may be compromised, it's unusual for the companies to reveal what firm they think the accounts were stolen from.

"The notification referenced is a normal communication with our issuers in these types of situations," a Mastercard spokesman said in an email, adding that its customers are not responsible for any fraudulent purchases and their accounts are protected by Mastercard.

In its alert, Visa reportedly said the credit card accounts may have been stolen sometime between Nov. 10, 2016, and July 6, 2017, according to Krebs. Equifax, however, reportedly says the accounts were stolen all at the same time in mid-May 2017.

"The attacker accessed a storage table that contained historical credit card transaction related information," Equifax said, according to Krebs. "The dates that you provided in your e-mail appear to be the transaction dates. We have found no evidence during our investigation to indicate the presence of card harvesting malware, or access to the table before mid-May 2017."

Visa declined to comment and Equifax didn't respond to a request for comment.

First published Sept. 14, 12:59 p.m. PT.
Update, 4:05 p.m. PT: Adds comment from Mastercard.

CNET Magazine: Check out a sample of the stories in CNET's newsstand edition.

The Smartest Stuff: Innovators are thinking up new ways to make you, and the things around you, smarter.