The Equifax data breach is already unnerving thanks to the sheer scale of sensitive data involved, but it's not helped by the credit reporting agency's initial response. Clients have discovered that the PIN codes Equifax is handing out to help lock your credit report (so a thief can't open a line of credit in your name) are generated by the date and time you made the request. An attacker could determine your code simply through brute force, especially if they have an idea as to when you locked your report.
For its part, Equifax is improving its approach relatively quickly. The company tells Ars Technica that it's moving to a randomized PIN generation system within a day of this writing (no later than September 12th), and that you can always change your existing PIN. We've asked the company for more details as well. However, it's safe to say that the security flaw is more than a little embarrassing for Equifax. Right now, the company is scrambling to limit the damage to 143 million Americans -- the last thing it needs is to create another opportunity for identity theft.
OMG, Equifax security freeze PINs are worse than I thought. If you froze your credit today 2:15pm ET for example, you'd get PIN 0908171415.
— Tony Webster (@webster) September 9, 2017