This breach of personal data potentially affects a vast number of people in the US, UK and Canada. Here's how to find out if your identity is compromised.
Editor's note, Sept. 11, 2017: We recommend that anyone with a credit history assume they were affected by the hack, as Equifax's hack-checker tool proved unreliable in our tests. In addition, Equifax's credit-freeze website was also shown to be hackable, ZDNET reported.
Credit rating company Equifax revealed Sept. 7 that its databases had been hacked. Here's what we know and what you can do to protect yourself.
According to Equifax, which released a statement on Sept. 7, the company's database was breached through a vulnerability on its website, exposing the personal information of an estimated 143 million people, including some in the UK and Canada.
The company thinks the hack happened some time between mid-May and the end of July, but has only now announced the breach. That's all we know.
Equifax learned about the hack on July 29, according to an FAQ. However, Sept. 7 was the first day the company publicly announced the hack.
By exploiting Equifax website's vulnerability, the hackers were able to acquire names, Social Security numbers, birth dates, home addresses and some drivers' license information.
In addition, credit card numbers for an estimated 209,000 consumers and certain dispute documents, which included personal identifying information, for approximately 182,000 consumers were accessed, according to the company.
If you were one of the fewer people whose credit card numbers or dispute documents were exposed, you'll receive postal mail letting you know you were affected. Otherwise, you'll need to use Equifax's website to find out if your data was exposed.
Equifax has set up its own program to help people find out if they were one of the millions affected in the hack. It includes a tool that lets you check to see if you were affected and a program, Trusted ID, that may help prevent identity theft. But, be aware: the checker that lets you know if you were hacked might be broken and -- per the above note -- enrolling in the program might prevent you from participating in a class-action lawsuit against the company. Finally, on Sept. 11, ZDNET reported that Equifax's credit fraud alert sign-up site is vulnerable to hacking and has been left un-patched.
Because of these circumstances, we recommend that, for now, anyone with a credit history should assume they were affected by the hack. We also recommend supplementing Trusted ID with your own due diligence.
If you're willing to give Equifax a chance, you can sign up for Trusted ID here. The program isn't exactly straightforward, however -- it requires a multi-step process that takes place over the course of at least one week. Here's an overview of the process:
Step 1: Head to this enrollment page and click "Begin enrollment." Enter your last name and last six digits of your social security number and head to the next page. Several reporters at CNET have attempted this process and received two different results:
Step 2: If you received an enrollment date, write it down. Seriously, on paper (or, you know, Google Calendar). Equifax doesn't ask for your email address, so it won't remind you of your enrollment date.
Step 3: On (or after) your enrollment date, head to this page to continue the enrollment process. You have to complete the enrollment process by Nov. 21.
According to Equifax, those affected are enrolling in a free, one-year subscription TrustedID, which is an identity protection company owned and operated by Equifax. According to an Equifax representative we spoke to on the phone, the enrollment process won't ask for a credit card number, so the service won't automatically renew after one year. CNET hasn't been able to independently verify this, however.
Once you're enrolled, TrustedID will:
Once we have some hands-on time with Trusted ID, we'll update this story with more about how to use it.
You don't have to wait to enroll in Equifax's program to start protecting yourself right now. We put together a guide on what you can do, including this:
The purpose of the free TrustedID enrollment program is to help protect you from identity theft. What we don't know, however, is what happened during the months that Equifax didn't know about the breach (or was preparing to tell the public). Because this gap represents several months that personal data was exposed, we suggest taking extra care in protecting your identity and watching for signs of identity theft.
The FTC outlines some of the major signs of identity theft, including:
Addressing identity theft is a long and frustrating process that has no simple solution. To help those affected by identity theft, the FTC provides this step-by-step recovery program.
Editor's note: This story continues to be updated.