On 8 September, credit reporting agency Equifax confessed to a major data breach. It affects 143 million Americans – nearly half of the US population – and 100,000 Canadian consumers. Unfortunately, this means that the hackers may have access to highly sensitive personal and financial information, allowing them to carry out follow-on attacks and identity fraud attempts.

Here’s what you need to know.

What happened?

Equifax is one of the big three credit bureaus in the United States: organizations that collect data on consumers so that lenders can determine how much they should give out in loans. The Atlanta-based firm has a huge trove of personally identifying information (PII) including names, birth dates, addresses, Social Security numbers and driver’s license numbers.

Judging by the latest information from the firm, an unpatched web server vulnerability allowed attackers to infiltrate its systems and access all of that customer data, related to 143m Americans, 400,000 in the U.K., and 100,000 Canadians. In addition, 209,000 credit card numbers were stolen, as were 182,000 documents used in disputes, which also featured PII.

It’s about as bad as it gets. Gartner fraud analyst, Avivah Litan, described it thus: “On a scale of 1 to 10 in terms of risk to consumers, this is a 10.”

How will it affect me?

With the stolen data, scammers can impersonate affected consumers in interactions with banks, creditors and a wide variety of service providers. It clears the way for identity fraud on a massive scale, potentially allowing fraudsters to apply for loans and credit cards in your name, drain funds from your bank account and make card purchases as you.

Tax scams are particularly concerning. With the stolen Social Security numbers, fraudsters could file fake returns early in your name to bag a refund from the IRS.

Another tactic to be wary of is follow-on phishing attempts. Fraudsters may send you legitimate-looking but fake emails designed to trick you into disclosing yet further sensitive personal and financial information. These emails might look like they came from your bank, credit card company or even Equifax itself.

Fraudsters might also pick up the phone in so-called “vishing” attempts. The aim here is the same: they will pretend to be calling from a legitimate organization in order to elicit more information from you which can then be used to commit identity fraud. The scammers may well quote back to you some of the stolen info to make these requests sound more legitimate.

What do I do now?

Unfortunately, unlike account passwords and credit card details, much of the information that has been stolen from Equifax – names, addresses, Social Security numbers, etc. – is very hard, if not impossible, to replace. This means you will have to keep a close eye on your accounts to see if anyone is trying to use your name and details fraudulently.

Here are a few things to do straightaway: