SAN FRANCISCO — Equifax on Monday said another 2.5 million American consumers may have had their personal information stolen in the cyber attack it first disclosed on Sept. 7. That brings the total up to 145.5 million consumers potentially affected by the largest breach ever at a credit-reporting company.
If you worry you might be one of them, here are some steps you need to take.
First, you can go to the website Experian has set up to check if your information was stolen. It's available at www.trustedidpremier.com. There's also a number, 866-447-7559.
If your personal information was part of the breach, one of the first things victims are normally told to do is to go to a credit-reporting company and request their records to make sure that there are no unauthorized accounts or charges on their existing accounts.
While there is no evidence of unauthorized activity in the Equifax credit reporting databases, the company said that there was potential unauthorized access to information it had stored from mid-May through July 2017. The information included names, Social Security numbers, birth dates, addresses and, in some cases, driver's license numbers.
Experts say the best defense is to freeze your credit. Detailed instructions are available here.
The hackers also got access to credit card numbers for roughly 209,000 consumers, plus certain dispute documents with personal identifying information for approximately 182,000 consumers, Equifax said.
In the wake of the breach, experts have these suggestions for staying secure:
BE EXTRA CAREFUL ABOUT EMAILS AND LINKS
Users should avoid clicking on links or downloading attachments from suspicious emails that claim to be updates from Equifax or connected to the breach.
Equifax will send paper mail to consumers whose credit card numbers or dispute documents with personally identifying information were impacted. It has also created a dedicated website for consumers to see if they were affected at www.equifaxsecurity2017.com. They can also call the Equifax call center at 866-447-7559.
Hackers often use news of big breaches to conduct "phishing" campaigns, sending official-looking emails that make it seem as if the affected company or other legitimate services are asking them to supply information or click through to a link to repair any damage.
When in doubt, call or email the company that appears to be sending the message separately, don't go through the email you've been sent.
Especially if you typically use similar passwords and security questions on multiple accounts, do this. Once hackers have access to ID and password information for one system, they routinely try the same combination against multiple other platforms to see which ones work, an easily automated process.
ENABLE TWO-FACTOR AUTHENTICATION
For the vast majority of victims who didn’t have credit information compromised, the biggest risk here is that a criminal uses this information to answer your “security questions” and reset your password.
That usually sends a password reset to your email account, so making sure that email account is secure should be your primary concern, said Nathaniel Gleicher, head of cybersecurity strategy for Illumio, and former director of cybersecurity policy for the White House under President Obama.
Two-factor authentication keeps them from doing that by sending a text message or call to the user's phone with a code as a second verification step. The code which must be typed in before the account can be opened.
CHECK YOUR CREDIT CARD AND OTHER ACCOUNTS
Review your online accounts for suspicious activity. That includes banks, credit card companies and hotel and airline loyalty programs. Hackers frequently slice and dice information from large data breaches, selling groups of user information for specific companies on the dark web. Even the smallest accounts can be bundled together into a large group to be sold.