Equifax's hack checker is a hot mess -- here's what to do

Equifax's hack checker needs to be checked.

Sharon Profis, Vice President of Content, CNET Studios

From the time Equifax discovered its database was breached to the day it publicly announced the hack, six weeks passed. The company was likely preparing for one of the worst data breaches in American history, including the creation of a tool that lets anyone find out if they were affected by the hack. 

That tool, however, might need a check of its own. 

Here's how it works: You enter your last name and the last six digits of your Social Security number. Equifax then gives you one of two results:

  • Equifax will let you know that you may have been impacted.
  • Equifax will let you know you were not impacted.

Something is not quite right with the results, though, as ZDNET's Zack Whittaker discovered. The tool provides random results, even for fictional names and Social Security numbers. I tested this myself with the last name "Hellomoto" and a random string of digits. Turns out that the person with the last name Hellomoto was not impacted.

Another Twitter user tried a random combination, which returned results of a possible impact. 

Is Equifax's tool completely useless? The random results suggest that it can't be fully trusted, as it doesn't return errors for bogus entries and, in some cases, confirms that made-up people were affected. Equifax has already revised its tool once to provide clearer results (it previously didn't explicitly tell users they were impacted), but the tool could be further improved -- or fixed.

At this point, we suggest that any person with a credit history take action as if they were affected. That means watching out for signs of identity theft and taking further precautions, such as freezing your credit and setting fraud alerts. Here's our complete guide to how to handle the situation.

We have reached out to Equifax for comment and have not yet heard back. 

Editor's note, Sept. 9: Revised to reflect that Equifax made changes to its tool, but didn't address the bogus entry issue. Further clarified what happens when bogus entries are used in the tool.