Here’s an uncomfortable question: has a stranger ever had your Social Security Number, your full name, your date of birth, and your home address — all at once?

If you’re an American adult, the answer is probably yes. You just might not know it.

In 2017, one of the three major U.S. credit bureaus — Equifax — was hacked. Criminals made off with the personal information of 147 million Americans. That’s roughly half the adult population of the United States. Not passwords. Not credit card numbers. The really sensitive stuff: Social Security Numbers, birth dates, home addresses, and in many cases, driver’s license numbers.

And Equifax had no idea it was happening for 78 days.

How Did It Happen?

Here’s the maddening part. The vulnerability that allowed the breach had been publicly identified and a fix had been made available two months before the attack. Equifax simply hadn’t installed the update.

That’s it. The digital equivalent of leaving your front door wide open after the locksmith had already sent you a new lock and you just never got around to putting it on.

Hackers exploited that unpatched vulnerability, got inside Equifax’s systems, and spent weeks quietly siphoning data — more than 145 GB of it — before anyone noticed. When Equifax finally discovered the breach in July 2017, the theft had already been happening since mid-May. They didn’t publicly disclose it until September 7, 2017.

Why Should You Still Care — Years Later?

This is where a lot of people tune out. “That was years ago. Old news.”

Not quite. Here’s what makes the Equifax breach different from, say, a Target or Home Depot breach where credit card numbers were stolen.

Stolen credit card numbers expire. You cancel the card, get a new one, problem solved.

Your Social Security Number never expires. Your birthday never expires. Your name never expires. That information is yours forever — and now it’s also a criminal’s forever.

Those 147 million records are still out there. They’ve been sold, resold, and traded on dark web markets for years. A criminal who bought your data in 2018 can still use it in 2026 to:

  • Open credit cards or loans in your name
  • File a fraudulent tax return and collect your refund
  • Apply for government benefits using your identity
  • Pass identity verification checks on new account applications

The theft is over. The risk isn’t.

What Can You Do?

Freeze your credit. This is still the best defense against someone using your information to open fraudulent accounts. A credit freeze makes your credit report inaccessible to potential creditors — so even if a criminal has your SSN and birthday, they can’t open a new account in your name. I’ve written a complete guide to freezing your credit — it’s free and takes about 15 minutes.

Check if you were affected. Equifax set up a settlement site as part of a $700 million settlement with the FTC. Affected individuals were eligible for free credit monitoring and, in some cases, small cash payments.

Check Have I Been Pwned. Go to haveibeenpwned.com and enter your email address to see if your information has appeared in this or other known breaches.

Be alert to identity theft signs. Unexplained accounts on your credit report, calls from debt collectors about debts you don’t recognize, or tax return rejection notices (“a return has already been filed under your SSN”) are all potential signs that your information is being used by someone else.

Bottom line: The Equifax breach isn’t history — it’s an ongoing reality for 147 million Americans. The data is still out there and it doesn’t expire. Freeze your credit, monitor your accounts, and treat your Social Security Number like the master key to your financial life, because that’s exactly what it is.